Re: Force passwordcheck in login.conf

2010-10-18 Thread Adam M. Dutko
Thanks. I'll add that as a possible solution for folks who wish to add Python to the base install. Brad http://www.deweyonline.com/files/openbsd/login_-custompasswd Thanks for sharing. I didn't see any explicit log file closing but then again sys.exit() should clean up.

Re: Force passwordcheck in login.conf

2010-10-18 Thread Brad Tilley
One last note... it seems that OpenPAM on the other BSDs and LinuxPAM on Linux systems address all of PCI requirement 8. However, they all seem to differ slightly with their PAM implementations and PAM in general seems overly complex (to me at least). I mis-configured PAM on a test system

Re: Force passwordcheck in login.conf

2010-10-17 Thread Dewey Hylton
sorry for the subject goof ... On Oct 17, 2010, at 11:51 AM, Dewey Hylton wrote: -Original Message- From: Brad Tilley [mailto:b...@16systems.com] Sent: den 14 oktober 2010 13:36 To: Leif Blixt; openbsd-misc Subject: Re: Force passwordcheck in login.conf Leif Blixt wrote: We

Re: Force passwordcheck in login.conf

2010-10-17 Thread Brad Tilley
On 10/17/2010 12:56 PM, Dewey Hylton wrote: just a quick note on how we addressed 8.5.13 ... yes, it requires python, but we are a python shop so this was not an issue for us. i'm just posting it for the purpose of sharing ideas. http://www.deweyonline.com/files/openbsd/login_-custompasswd

Re: Force passwordcheck in login.conf

2010-10-14 Thread Leif Blixt
Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I wanted to run my

Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote: Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I

Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote: Hi! We have just figured out a different approach, and will discuss our new idea with our QSA tomorrow. The idea is to completely turn off the possibility to log in with passwords, and to use SSH key pairs with long and good passphrases instead. It will lead to more work

Re: Force passwordcheck in login.conf

2010-10-14 Thread Leif Blixt
passwordcheck in login.conf Leif Blixt wrote: Hi! We have just figured out a different approach, and will discuss our new idea with our QSA tomorrow. The idea is to completely turn off the possibility to log in with passwords, and to use SSH key pairs with long and good passphrases instead

Re: Force passwordcheck in login.conf

2010-10-14 Thread Leif Blixt
13:36 To: Leif Blixt; openbsd-misc Subject: Re: Force passwordcheck in login.conf Leif Blixt wrote: Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users

Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
what your QSA determines. It seems some of this is open to interpretation and depends on the opinion of the QSA. Brad -Original Message- From: Brad Tilley [mailto:b...@16systems.com] Sent: den 14 oktober 2010 14:09 To: Leif Blixt; openbsd-misc Subject: Re: Force passwordcheck

Re: Force passwordcheck in login.conf

2010-10-14 Thread Joachim Schipper
On Wed, Oct 13, 2010 at 09:09:29AM +, Leif Blixt wrote: Brad Tilley brad at 16systems.com writes: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD

FW: Force passwordcheck in login.conf

2010-10-14 Thread Stuart VanZee
For 8.5.12 see login.conf man page, look for passwordcheck. You will have to write (or find) a program that keeps track of previously used passwords. I just stored a hash of them in a file and have it check to see if the new password hash matches any of the old 4 password hashes. for 8.5.13 see

Re: FW: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Stuart VanZee wrote: For 8.5.12 see login.conf man page, look for passwordcheck. You will have to write (or find) a program that keeps track of previously used passwords. I just stored a hash of them in a file and have it check to see if the new password hash matches any of the old 4

Re: FW: Force passwordcheck in login.conf

2010-10-14 Thread Bret S. Lambert
On Thu, Oct 14, 2010 at 10:16:12AM -0400, Brad Tilley wrote: Stuart VanZee wrote: For 8.5.12 see login.conf man page, look for passwordcheck. You will have to write (or find) a program that keeps track of previously used passwords. I just stored a hash of them in a file and have it check

Re: Force passwordcheck in login.conf

2010-10-14 Thread Stuart Henderson
On 2010-10-13, Brad Tilley b...@16systems.com wrote: Mark Romer wrote: use passwdqc it is in packages. in login.conf under default I have: :minpasswordlen=12:\ :login-tries=4:\ :passwordtries=3:\ :passwordcheck=/usr/local/libexec/passwdqc -3 12 Mark I've

Re: Force passwordcheck in login.conf

2010-10-13 Thread Alexander Hall
On 10/13/10 02:46, Brad Tilley wrote: I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I wanted to run my

Re: Force passwordcheck in login.conf

2010-10-13 Thread Mark Romer
use passwdqc it is in packages. in login.conf under default I have: :minpasswordlen=12:\ :login-tries=4:\ :passwordtries=3:\ :passwordcheck=/usr/local/libexec/passwdqc -3 12 Mark On Tue, Oct 12, 2010 at 8:46 PM, Brad Tilley b...@16systems.com wrote: I was

Re: Force passwordcheck in login.conf

2010-10-13 Thread Brad Tilley
Mark Romer wrote: use passwdqc it is in packages. in login.conf under default I have: :minpasswordlen=12:\ :login-tries=4:\ :passwordtries=3:\ :passwordcheck=/usr/local/libexec/passwdqc -3 12 Mark I've heard complaints that it is too stringent (I tend to agree,

Force passwordcheck in login.conf

2010-10-12 Thread Brad Tilley
I was experimenting with a program to meet PCI DSS 1.2 password length and content/complexity requirements and integrating it with login.conf for users who have shell access to OpenBSD systems. It seems to work as expected, but I wanted to run my configuration by misc. I appended the following