Re: Force passwordcheck in login.conf
Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I wanted to run my configuration by misc. I appended the following two lines to the end of both default and staff in login.conf. Look OK? :passwordcheck=/path/to/program:\ :passwordtries=0: I understand that it would be easy (and redundant) to use minpasswordlen to meet the length requirement, but it's easy to check that in the program itself. Brad We are currently being reviewed for PCI DSS compliance, and the big problems we have right now with the combination of PCI DSS and OpenBSD is the following PCI DSS requirements: 8.5.12 Password history check - you may not use the last 4 passwords. 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts automatically. 8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30 minutes. How have you addressed these requirements? I'm starting to think we need a RADIUS solution, which seems a bit redundant working with OpenBSD... Regards, Leif
Re: Force passwordcheck in login.conf
Well, I don't think so. You only need to logon to the console when you have big problems, and we just have set a really long and complicated password for the root user and stored it away for emergency use in a safe. You still have the external shell protection by restricting who can access the server room. All other users must use sudo anyway, so you don't need the root password on a daily basis, and that's enough for PCI DSS. /Leif -Original Message- From: Brad Tilley [mailto:b...@16systems.com] Sent: den 14 oktober 2010 14:09 To: Leif Blixt; openbsd-misc Subject: Re: Force passwordcheck in login.conf Leif Blixt wrote: Hi! We have just figured out a different approach, and will discuss our new idea with our QSA tomorrow. The idea is to completely turn of the possibility to log in with passwords, and to use SSH key pairs with long and good passphrases instead. It will lead to more work with administrating accounts and there is a small problem on how to distribute the public key to all servers, but we don't have to set up a RADIUS server just yet! I will let you know what the response from our QSA is. /Leif Can you do that? I think local logon would still be an issue, at least the way I read it. Anyone in front of the machine at a console would be subject to the requirements. Brad
Re: Force passwordcheck in login.conf
Hi! We have just figured out a different approach, and will discuss our new idea with our QSA tomorrow. The idea is to completely turn of the possibility to log in with passwords, and to use SSH key pairs with long and good passphrases instead. It will lead to more work with administrating accounts and there is a small problem on how to distribute the public key to all servers, but we don't have to set up a RADIUS server just yet! I will let you know what the response from our QSA is. /Leif -Original Message- From: Brad Tilley [mailto:b...@16systems.com] Sent: den 14 oktober 2010 13:36 To: Leif Blixt; openbsd-misc Subject: Re: Force passwordcheck in login.conf Leif Blixt wrote: Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I wanted to run my configuration by misc. I appended the following two lines to the end of both default and staff in login.conf. Look OK? :passwordcheck=/path/to/program:\ :passwordtries=0: I understand that it would be easy (and redundant) to use minpasswordlen to meet the length requirement, but it's easy to check that in the program itself. Brad We are currently being reviewed for PCI DSS compliance, and the big problems we have right now with the combination of PCI DSS and OpenBSD is the following PCI DSS requirements: 8.5.12 Password history check - you may not use the last 4 passwords. 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts automatically. 8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30 minutes. I concluded the same for requirement 8. See my rough notes here. I plan to add to that page as I do more testing: http://16systems.com/OpenBSD/pci.html How have you addressed these requirements? I'm starting to think we need a RADIUS solution, which seems a bit redundant working with OpenBSD... Regards, Leif RADIUS may do it if the backend can enforce those things (I don't know enough about this to comment, but OpenLDAP may work). If that cannot do it, read Appendix B of the PCI DSS carefully. They allow compensating controls when the requirements cannot be followed precisely. Brad