svn commit: r43764 - head/en_US.ISO8859-1/books/handbook/security

Tom Rhodes trhodes at
Tue Feb 4 16:45:40 UTC 2014

Author: trhodes
Date: Tue Feb  4 16:45:39 2014
New Revision: 43764

  Add a section on password policy and password policy
  enforcement (with pam, pw, login.conf).


Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Tue Feb  4 16:18:13 2014	(r43763)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Tue Feb  4 16:45:39 2014	(r43764)
@@ -305,6 +305,90 @@
 	the handbook.  Kerberose users may need to make additional
 	changes to implement <application>OpenSSH</application> in
 	their network.</para>
+      <sect3 xml:id="security-pwpolicy">
+        <title>Password Policy and Enforcement</title>
+	<para>Enforcing a strong password policy for local accounts
+	  is a fundamental aspect of local system security and policy.
+	  During password enforcement, things like password length,
+	  password strength, and the likelihood the password could be
+	  guessed or cracked can be implemented through the system
+	  &man.pam.8; modules.</para>
+	<para>The <acronym>PAM</acronym> system, or Pluggable
+	  Authentication Modules, will enforce the password policy by
+	  setting a minimum and maximum password length.  They will
+	  also enforce mixed characters.  In particular the
+	  &man.pam.passwdqc.8; will be discussed.</para>
+	<para>To proceed, open the
+	  <filename>/etc/pam.d/passwd</filename> file and add the
+	  following line to the file.</para>
+	<programlisting>password        requisite         min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting>
+	<para>There is already a commented out line for this module and
+	  it may be altered to the version above.  This statement
+	  basically sets several requirements.  First, a minimal
+	  password length is disabled, allowing for a password of any
+	  length.  Using only two character classes are disabled,
+	  which means that all classes, including special, will be
+	  considered valid.  The next entry requires that passwords
+	  be twelve characters in length with characters from three
+	  classes or ten byte (or more) passwords with characters from
+	  four character classes.  This also denies passwords that
+	  are similar to the previously used password.  A user is
+	  provided three opportunities to enter a new password and
+	  finally only enforce this requirement on users.  That is,
+	  exempt super users.  This statement is probably confusing
+	  so reading the manual page is highly recommended, in
+	  particular to understand what character classes are.</para>
+	<para>After this change is made and the file saved, any user
+          changing their password will see a message similar to the
+	  following.  This message might also clear up some confusion
+	  about the configuration.</para>
+	<screen>&prompt.user; <userinput>passwd</userinput></screen>
+	<programlisting>Changing local password for trhodes
+Old Password:
+You can now choose the new password.
+A valid password should be a mix of upper and lower case letters,
+digits and other characters.  You can use a 12 character long
+password with characters from at least 3 of these 4 classes, or
+a 10 character long password containing characters from all the
+classes.  Characters that form a common pattern are discarded by
+the check.
+Alternatively, if noone else can see your terminal now, you can
+pick this as your password: "trait-useful&knob".
+Enter new password:</programlisting>
+	<para>If a weak password is entered, it will be rejected with
+	  a warning and the user will have an opportunity to try
+	  again</para>
+	<para>In most password policies, a password aging requirement
+	  is normally set.  This means that a every password must expire
+	  after so many days after it has been set.  To set a password
+	  age time in &os;, set the <option>passwordtime</option> in
+	  <filename>/etc/login.conf</filename>.  Most users when added
+	  to the system just fall into the <option>default</option>
+	  default group which is where this variable could be added and
+	  the database rebuilt using:</para>
+	<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
+	<para>To set the expiration on individual users, provide a day
+	  count to &; and a username like:</para>
+	<screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen>
+	<para>As seen here, an expiration date is set in the form of day,
+	  month, year.  For more information, see &;</para>
+      </sect3>
     <sect2 xml:id="security-rkhunter">
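Review bot: the new `<programlisting>` PAM line is missing the module path; a `password` stanza in /etc/pam.d/passwd is type, control, module, arguments, so it should read `password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users` (the commented-out line the text refers to already carries `pam_passwdqc.so`). Two further problems in the same hunk: the `&;` in "provide a day count to &; and a username" and in "For more information, see &;" are empty entity references that will fail the XML build, presumably meant to be `&man.pw.8;`; and the prose explanation of `min=` disagrees with pam_passwdqc(8), where the five fields are minimum lengths for passwords built from one class, two classes, passphrases, three classes and four classes, so `disabled` in the first three positions rejects one- and two-class passwords and passphrases outright rather than "allowing for a password of any length". Minor wording: "a every password" should be "every password", "the default default group" should refer to the `default` login class (login.conf has classes, not groups), and the sentence ending "try again" lacks a full stop.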
