Brad Tilley <brad <at> 16systems.com> writes:

> 
> I was experimenting with a program to meet PCI DSS 1.2 password length
> and content/complexity requirements and integrating it with login.conf
> for users who have shell access to OpenBSD systems. It seems to work as
> expected, but I wanted to run my configuration by misc.
> 
> I appended the following two lines to the end of both default and staff
> in login.conf. Look OK?
> 
> :passwordcheck=/path/to/program:\
> :passwordtries=0:
> 
> I understand that it would be easy (and redundant) to use minpasswordlen
> to meet the length requirement, but it's easy to check that in the
> program itself.
> 
> Brad
> 
> 


We are currently being reviewed for PCI DSS compliance, and the big problems
we have right now with the combination of PCI DSS and OpenBSD are the following
PCI DSS requirements:
8.5.12 Password history check - you may not use the last 4 passwords.
8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
automatically.
8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
minutes.

How have you addressed these requirements? I'm starting to think we need a
RADIUS solution, which seems a bit redundant working with OpenBSD...

Regards, Leif
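
For reference, here is an added example of what a passwordcheck program for
login.conf(5) looks like. It is not Brad's program (the thread does not show
it) and not part of OpenBSD. passwd(1) runs the program named by the
passwordcheck capability, writes the candidate password to its standard input
followed by a newline, and accepts the password only if the program exits 0;
with passwordtries=0, as in Brad's configuration, a failed check cannot be
bypassed by retrying. The thresholds used (at least seven characters, both
letters and digits) are the PCI DSS 1.2 requirement 8.5.10 and 8.5.11 values;
the path you install it under is your choice and is not taken from the thread.

```python
#!/usr/bin/env python3
"""Example login.conf(5) passwordcheck program (illustrative, not from the thread).

passwd(1) runs the program named by the passwordcheck capability, writes the
candidate password to its stdin followed by a single newline, and accepts the
password only if the program exits 0. With passwordtries=0 the user must keep
trying until the check passes.
"""
import sys

# PCI DSS 1.2 requirement 8.5.10: minimum password length of seven characters.
MIN_LENGTH = 7


def check_password(candidate):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("must be at least %d characters long" % MIN_LENGTH)
    # PCI DSS 1.2 requirement 8.5.11: both alphabetic and numeric characters.
    if not any(c.isalpha() for c in candidate):
        problems.append("must contain at least one letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("must contain at least one digit")
    return problems


def candidate_from_input(data):
    """Recover the password exactly as passwd(1) delivered it.

    passwd(1) appends exactly one newline, so exactly one trailing newline is
    removed. A blanket strip() would silently accept or reject passwords that
    legitimately end in whitespace, so it is avoided here.
    """
    if data.endswith("\n"):
        data = data[:-1]
    return data


def main():
    candidate = candidate_from_input(sys.stdin.read())
    problems = check_password(candidate)
    for problem in problems:
        # Only stdin is redirected by passwd(1); stderr still reaches the
        # user's terminal, so this explains why the password was refused.
        print("Password %s." % problem, file=sys.stderr)
    # Exit status is the whole protocol: 0 accepts, anything else rejects.
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install the script executable and root-owned, reference its absolute path in
the passwordcheck capability, and test it directly before wiring it into
login.conf, for example `printf 'abc1234\n' | /path/to/program; echo $?`
should print 0 and a letters-only password should print 1 with a message on
stderr. Note that passwd(1) still applies minpasswordlen before calling the
program, so the two length checks are redundant but harmless, as Brad says.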
