svn commit: r44725 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Wed Apr 30 20:50:57 UTC 2014
Author: dru
Date: Wed Apr 30 20:50:57 2014
New Revision: 44725
URL: http://svnweb.freebsd.org/changeset/doc/44725
Log:
Editorial review of password policy section.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 19:31:56 2014 (r44724)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 20:50:57 2014 (r44725)
@@ -315,48 +315,55 @@ dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3
<title>Password Policy Enforcement</title>
<para>Enforcing a strong password policy for local accounts
- is a fundamental aspect of local system security and policy.
- During password enforcement, things like password length,
- password strength, and the likelihood the password could be
- guessed or cracked can be implemented through the system
- &man.pam.8; modules.</para>
-
- <para>The <acronym>PAM</acronym> system, or Pluggable
- Authentication Modules, will enforce the password policy by
- setting a minimum and maximum password length. They will
- also enforce mixed characters. In particular the
- &man.pam.passwdqc.8; will be discussed.</para>
-
- <para>To proceed, add the following line to
- <filename>/etc/pam.d/passwd</filename>:</para>
-
- <programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting>
-
- <para>There is already a commented out line for this module
- and it may be altered to the version above. This statement
- basically sets several requirements. First, a minimal
- password length is disabled, allowing for a password of any
- length. Using only two character classes are disabled,
- which means that all classes, including special, will be
- considered valid. The next entry requires that passwords
- be twelve characters in length with characters from three
- classes or ten byte (or more) passwords with characters from
- four character classes. This also denies passwords that
- are similar to the previously used password. A user is
- provided three opportunities to enter a new password and
- finally only enforce this requirement on users. That is,
- exempt super users. This statement is probably confusing
- so reading the manual page is highly recommended, in
- particular to understand what character classes are.</para>
+ is a fundamental aspect of system security.
+ In &os;, password length,
+ password strength, and password complexity
+ can be implemented using built-in Pluggable Authentication
+ Modules (<acronym>PAM</acronym>).</para>
+
+ <para>This section demonstrates how to configure the minimum
+ and maximum password length and the
+ enforcement of mixed characters using the
+ <filename>pam_passwdqc.so</filename> module. This module is enforced when
+ a user changes their password.</para>
+
+ <para>To configure this module, become the superuser and uncomment the line containing
+ <literal>pam_passwdqc.so</literal> in
+ <filename>/etc/pam.d/passwd</filename>. Then, edit that
+ line to match the password policy:</para>
+
+ <programlisting>password requisite pam_passwdqc.so <replaceable>min=disabled,disabled,disabled,12,10 similar=deny retry=3</replaceable> enforce=users</programlisting>
+
+ <para>This example
+ sets several requirements for new passwords. The <literal>min</literal>
+ setting controls the minimum
+ password length. It has five values because this module
+ defines five different types of passwords based on their
+ complexity. Complexity is defined by the type of characters
+ that must exist in a password, such as letters, numbers,
+ symbols, and case. The types of passwords are described in
+ &man.pam.passwdqc.8;. In this example, the first three
+ types of passwords are disabled, meaning that passwords that
+ meet those complexity requirements will not be accepted,
+ regardless of their length.
+ The <literal>12</literal> sets a minimum password policy of
+ at least twelve characters, if the password also contains
+ characters with three types of complexity. The
+ <literal>10</literal> sets the password policy to also allow
+ passwords of at least ten characters, if the password
+ contains characters with four types of complexity.</para>
+
+ <para>The <literal>similar</literal> setting denies passwords that
+ are similar to the user's previous password. The
+ <literal>retry</literal> setting provides a user with
+ three opportunities to enter a new password.</para>
- <para>After this change is made and the file saved, any user
+ <para>Once this file is saved, a user
changing their password will see a message similar to the
- following. This message might also clear up some confusion
- about the configuration.</para>
+ following:</para>
- <screen>&prompt.user; <userinput>passwd</userinput></screen>
-
- <programlisting>Changing local password for trhodes
+ <screen>&prompt.user; <userinput>passwd</userinput>
+Changing local password for trhodes
Old Password:
You can now choose the new password.
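Review bot: The new second paragraph promises to show "how to configure the minimum and maximum password length", but the listing only sets min=...; max= is never configured in the example, so either add a max= value to the <programlisting> or drop "and maximum" from the sentence. The rewrite also loses the only explanation of enforce=users: the removed text said "finally only enforce this requirement on users. That is, exempt super users", and the new text describes min, similar and retry but leaves enforce=users (which is outside the <replaceable> span) unexplained; a one-sentence note that this setting applies the policy to regular users only, with root receiving a warning instead, would keep that information. Minor: "passwords that meet those complexity requirements will not be accepted" reads as if stronger passwords are rejected; "passwords of those three weaker types" says what is meant.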
@@ -368,32 +375,34 @@ classes. Characters that form a common
the check.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "trait-useful&knob".
-Enter new password:</programlisting>
+Enter new password:</screen>
- <para>If a weak password is entered, it will be rejected with
+ <para>If a password that does not match the policy is entered, it will be rejected with
a warning and the user will have an opportunity to try
- again</para>
-
- <para>In most password policies, a password aging requirement
- is normally set. This means that a every password must
- expire after so many days after it has been set. To set a
- password age time in &os;, set the
- <option>passwordtime</option> in
- <filename>/etc/login.conf</filename>. Most users when added
- to the system just fall into the <option>default</option>
- default group which is where this variable could be added
- and the database rebuilt using:</para>
-
- <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
+ again, up to the configured number of retries.</para>
- <para>To set the expiration on individual users, provide a day
- count to &man.pw.8; and a username like:</para>
+ <para>Most password policies require passwords to
+ expire after so many days. To set a
+ password age time in &os;, set
+ <option>passwordtime</option> for the user's login class in
+ <filename>/etc/login.conf</filename>. The
+ <literal>default</literal> login class contains an example:</para>
+
+ <programlisting># :passwordtime=90d:\</programlisting>
+
+ <para>So, to set an expiry of 90 days for this login class,
+ remove the comment symbol (<literal>#</literal>), save the
+ edit, and run <command>cap_mkdb /etc/login.conf</command>.</para>
+
+ <para>To set the expiration on individual users, pass an
+ expiration date or the number of days to expiry
+ and a username to <command>pw</command>:</para>
- <screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen>
+ <screen>&prompt.root; <userinput>pw usermod -p <replaceable>30-apr-2015</replaceable> -n <replaceable>trhodes</replaceable></userinput></screen>
<para>As seen here, an expiration date is set in the form of
- day, month, year. For more information, see
- &man.pw.8;</para>
+ day, month, and year. For more information, see
+ &man.pw.8;.</para>
</sect2>
<sect2 xml:id="security-rkhunter">
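Review bot: Replacing the <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> block with an inline <command>cap_mkdb /etc/login.conf</command> drops the root prompt, which was the only cue that rebuilding the login database (and editing /etc/login.conf) requires the superuser; either keep the <screen> form, as the following pw usermod example still does, or say "as the superuser" in the sentence. In the pw paragraph, "pass an expiration date or the number of days to expiry" describes two forms of the -p argument but the example shows only the date form; if the days form is kept in the prose, a second example or a pointer to the exact syntax in &man.pw.8; would help, otherwise trim the sentence to the date form that is demonstrated.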