For 8.5.12 see login.conf man page, look for passwordcheck.
You will have to write (or find) a program that keeps track
of previously used passwords. I just stored a hash of them
in a file and have it check to see if the new password hash
matches any of the old 4 password hashes.
For 8.5.13 see login.conf man page, look for auth. You will
(again) have to write a program that does this. In this
case, you will be writing a new login authentication method.
I haven't figured out how to integrate this with ssh, but in
my case that doesn't apply as I disabled password login into
ssh and everyone uses keys.
Sadly, when I did all of this it was for work so the place I
work owns the code and I have not been given permission to
give that code away. I wrote mine in python because I know
and understand python, but it could probably be done using
any language.
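The password-history program described above, as an added example rather than the poster's own (unreleased) code. It assumes the interface to confirm against login.conf(5) and passwd(1): user name as argv[1], candidate password on stdin, exit status 0 to accept; the history file location and its `salt_hex:hash_hex` line format are assumptions too.

```python
# Added example (not the poster's code): password-history check of the kind
# described above. Assumed interface: argv[1] = user, password on stdin, exit 0 = ok.
import hashlib
import hmac
import os
import sys

HISTORY_DEPTH = 4        # PCI DSS 8.5.12: the last 4 passwords may not be reused
PBKDF2_ROUNDS = 100_000  # slow, salted hash: a leaked history file is not a cheap target
HISTORY_DIR = "/var/db/pwhistory"  # assumed location; one file per user, mode 0600

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def parse_history(text):
    # One 'salt_hex:hash_hex' line per past password, oldest first.
    entries = []
    for line in text.splitlines():
        if ":" in line:
            salt_hex, hash_hex = line.split(":", 1)
            entries.append((bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)))
    return entries

def format_history(history):
    return "".join(f"{salt.hex()}:{digest.hex()}\n" for salt, digest in history)

def is_reused(password, history):
    # Constant-time compare against each of the last HISTORY_DEPTH entries.
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def record_password(password, history):
    # Append a freshly salted hash and drop entries that fell out of the window.
    salt = os.urandom(16)
    return (history + [(salt, hash_password(password, salt))])[-HISTORY_DEPTH:]

def main():
    path = os.path.join(HISTORY_DIR, sys.argv[1])
    password = sys.stdin.readline().rstrip("\n")
    history = parse_history(open(path).read()) if os.path.exists(path) else []
    if is_reused(password, history):
        print("password matches one of your recent passwords", file=sys.stderr)
        return 1
    # Recorded at check time: the check runs before passwd(1) commits the change.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(format_history(record_password(password, history)))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Because the hashes are salted, a password is checked by rehashing it with each stored salt, so the history stays bounded at four entries and the work per check stays small.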
We are currently being reviewed for PCI DSS compliance, and the big
problems we have right now with the combination of PCI DSS and OpenBSD
are the following.

PCI DSS requirements:
8.5.12 Password history check - you may not use the last 4 passwords.
8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
automatically.
8.5.14 If 8.5.13 takes effect, the account must be locked for at least
30 minutes.

How have you addressed these requirements? I'm starting to think we need
a RADIUS solution, which seems a bit redundant working with OpenBSD...
Regards, Leif