svn commit: r43764 - head/en_US.ISO8859-1/books/handbook/security
Tom Rhodes
trhodes at FreeBSD.org
Tue Feb 4 16:45:40 UTC 2014
Author: trhodes
Date: Tue Feb 4 16:45:39 2014
New Revision: 43764
URL: http://svnweb.freebsd.org/changeset/doc/43764
Log:
Add a section on password policy and password policy
enforcement (with pam, pw, login.conf).
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Feb 4 16:18:13 2014 (r43763)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Feb 4 16:45:39 2014 (r43764)
@@ -305,6 +305,90 @@
the handbook. Kerberose users may need to make additional
changes to implement <application>OpenSSH</application> in
their network.</para>
+
+ <sect3 xml:id="security-pwpolicy">
+ <title>Password Policy and Enforcement</title>
+
+ <para>Enforcing a strong password policy for local accounts
+ is a fundamental aspect of local system security and policy.
+ During password enforcement, things like password length,
+ password strength, and the likelihood the password could be
+ guessed or cracked can be implemented through the system
+ &man.pam.8; modules.</para>
+
+ <para>The <acronym>PAM</acronym> system, or Pluggable
+ Authentication Modules, will enforce the password policy by
+ setting a minimum and maximum password length. They will
+ also enforce mixed characters. In particular the
+ &man.pam.passwdqc.8; will be discussed.</para>
+
+ <para>To proceed, open the
+ <filename>/etc/pam.d/passwd</filename> file and add the
+ following line to the file.</para>
+
+ <programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting>
+
+ <para>There is already a commented out line for this module and
+ it may be altered to the version above. This statement
+ basically sets several requirements. First, a minimal
+ password length is disabled, allowing for a password of any
+ length. Using only two character classes are disabled,
+ which means that all classes, including special, will be
+ considered valid. The next entry requires that passwords
+ be twelve characters in length with characters from three
+ classes or ten byte (or more) passwords with characters from
+ four character classes. This also denies passwords that
+ are similar to the previously used password. A user is
+ provided three opportunities to enter a new password and
+ finally only enforce this requirement on users. That is,
+ exempt super users. This statement is probably confusing
+ so reading the manual page is highly recommended, in
+ particular to understand what character classes are.</para>
+
+ <para>After this change is made and the file saved, any user
+ changing their password will see a message similar to the
+ following. This message might also clear up some confusion
+ about the configuration.</para>
+
+ <screen>&prompt.user; <userinput>passwd</userinput></screen>
+
+ <programlisting>Changing local password for trhodes
+Old Password:
+
+You can now choose the new password.
+A valid password should be a mix of upper and lower case letters,
+digits and other characters. You can use a 12 character long
+password with characters from at least 3 of these 4 classes, or
+a 10 character long password containing characters from all the
+classes. Characters that form a common pattern are discarded by
+the check.
+Alternatively, if noone else can see your terminal now, you can
+pick this as your password: "trait-useful&knob".
+Enter new password:</programlisting>
+
+ <para>If a weak password is entered, it will be rejected with
+ a warning and the user will have an opportunity to try
+ again</para>
+
+ <para>In most password policies, a password aging requirement
+ is normally set. This means that a every password must expire
+ after so many days after it has been set. To set a password
+ age time in &os;, set the <option>passwordtime</option> in
+ <filename>/etc/login.conf</filename>. Most users when added
+ to the system just fall into the <option>default</option>
+ default group which is where this variable could be added and
+ the database rebuilt using:</para>
+
+ <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
+
+ <para>To set the expiration on individual users, provide a day
+ count to &man.pw.8; and a username like:</para>
+
+ <screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen>
+
+ <para>As seen here, an expiration date is set in the form of day,
+ month, year. For more information, see &man.pw.8;</para>
+ </sect3>
</sect2>
<sect2 xml:id="security-rkhunter">
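Review bot: The prose explaining `min=disabled,disabled,disabled,12,10` does not match what the five fields of pam_passwdqc's `min=` option mean, so the paragraph starting "This statement basically sets several requirements" will mislead readers. The fields are, in order, the minimum length for passwords built from one character class, from two classes, for passphrases, from three classes, and from four classes; so this setting rejects one-class and two-class passwords and passphrases outright, rather than "allowing for a password of any length" or making "all classes, including special" valid. Suggest rewording the three sentences from "First, a minimal password length is disabled" through "will be considered valid" to say that single-class and two-class passwords (and passphrases) are disabled entirely, then keep the existing twelve/ten explanation. Smaller points in the same hunk: "ten byte (or more) passwords" should read "ten character"; "This means that a every password must expire" has a stray "a"; "the <option>default</option> default group" repeats "default"; the `<para>` ending in "try again" and the one ending in "see &man.pw.8;" are missing their final periods; and "provide a day count to &man.pw.8; and a username like:" is followed by an example that passes a calendar date (`pw usermod -p 30-apr-2014 -n trhodes`), so either the sentence should say "an expiration date" or the example should use a day count.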