From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 276422] pam_passwdqc(8) - add more examples
Date: Thu, 18 Jan 2024 14:13:00 +0000
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276422

            Bug ID: 276422
           Summary: pam_passwdqc(8) - add more examples
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: zarychtam@plan-b.pwste.edu.pl

A few years ago I created D27656[1]. It did not gain much interest, but it's
still relevant. Yesterday I looked at the Security chapter of the FreeBSD
Handbook and found no consistent example of enforcing password policies[2].

Where is the problem? When the user's password expires, the password change
will be enforced immediately upon logging in and the policy enforcement set
in /etc/pam.d/passwd will not be applied. In case of an expired password,
password policy enforcement will only work if set in the appropriate pam.d
config file corresponding to the authentication method (usually
/etc/pam.d/sshd or /etc/pam.d/login). Moreover, in the case of an expired
password, the password change will be done under uid 0, so only
enforce=everyone makes sense.

Maybe we can fix it by extending examples, but probably the right way will be
to change PAM modules internally to better handle changing expired passwords.

To reproduce:
- Configure system following[2]
- Set: "pw user mod exampleuser -p 31-Dec-2023"
- Login via console or ssh to the system as exampleuser and set password to
  empty (just press enter twice).

Over 3 years ago I found it as a foot-shooting issue and spent a few hours
figuring out how it was possible that some users have set empty passwords,
but I think that more people enforcing password policies might be affected.

1. https://reviews.freebsd.org/D27656
2. https://docs.freebsd.org/en/books/handbook/security/#security-pwpolicy