On Wed, Oct 13, 2010 at 09:09:29AM +0000, Leif Blixt wrote:
> Brad Tilley <brad <at> 16systems.com> writes:
>
> > I was experimenting with a program to meet PCI DSS 1.2 password length
> > and content/complexity requirements and integrating it with login.conf
> > for users who have shell access to OpenBSD systems. It seems to work as
> > expected, but I wanted to run my configuration by misc.
> >
> > I appended the following two lines to the end of both default and staff
> > in login.conf. Look OK?
> >
> >     :passwordcheck=/path/to/program:\
> >     :passwordtries=0:
> >
> > I understand that it would be easy (and redundant) to use minpasswordlen
> > to meet the length requirement, but it's easy to check that in the
> > program itself.
> >
> > Brad
>
> We are currently being reviewed for PCI DSS compliance, and the big problems
> we have right now with the combination of PCI DSS and OpenBSD are the following
> PCI DSS requirements:
>
> 8.5.12 Password history check - you may not use the last 4 passwords.
> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
> automatically.
> 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
> minutes.
>
> How have you addressed these requirements? I'm starting to think we need a
> RADIUS solution, which seems a bit redundant working with OpenBSD...
Locking out accounts is actually fairly easy to do if you wrap
/usr/libexec/auth/login_<whatever>. Read the AUTHENTICATION section of
login.conf(5).

Joachim
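For the :passwordcheck= entry Brad quotes above, here is the shape of program it can point at. This is an added example, not Brad's program and not OpenBSD code. It relies on the login.conf(5) contract (the candidate password arrives on the program's standard input, exit status 0 accepts it, and passwordtries=0 means the check cannot be skipped by retrying); the program name pci_passwordcheck, the MIN_LEN value and the exact policy (at least seven characters, containing both a letter and a digit, which is my reading of the PCI DSS 1.2 length/content requirements) are assumptions.

```sh
#!/bin/sh
# pci_passwordcheck: passwordcheck program for login.conf(5).
# Added example, not Brad's program and not OpenBSD code.
# passwd(1) pipes the candidate password to stdin and accepts it only if
# this program exits 0. Policy (assumed): at least MIN_LEN characters and
# both a letter and a digit.

MIN_LEN=${MIN_LEN:-7}    # assumption: PCI DSS 1.2 minimum length

# check_password <candidate>: return 0 if acceptable, otherwise print the
# reason (never the password itself) on stderr and return 1.
check_password() {
    pw=$1
    if [ ${#pw} -lt "$MIN_LEN" ]; then
        echo "password must be at least $MIN_LEN characters long" >&2
        return 1
    fi
    case $pw in
        *[0-9]*) ;;
        *) echo "password must contain at least one digit" >&2; return 1 ;;
    esac
    case $pw in
        *[A-Za-z]*) ;;
        *) echo "password must contain at least one letter" >&2; return 1 ;;
    esac
    return 0
}

# When run by passwd(1) under the assumed program name, the candidate is on
# stdin, with or without a trailing newline; a failed read at EOF still
# leaves the bytes in $candidate, so the read status is ignored.
case $0 in
    */pci_passwordcheck|pci_passwordcheck)
        IFS= read -r candidate || true
        check_password "$candidate"
        exit $?
        ;;
esac
```

To try it by hand before wiring it into login.conf: printf 'abc123' | ./pci_passwordcheck; echo $? should print the reason and 1, while a seven-plus character mix of letters and digits gives 0. Note that ${#pw} counts characters in bash and ksh but may count bytes in other shells, which only matters for non-ASCII passwords; and the script deliberately prints only the rule that failed, never the candidate, since passwd(1) may be run on a shared terminal or under script(1).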
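To make the wrapping idea above concrete, the following is an added example of a login_<whatever> wrapper that enforces the 6-failure / 30-minute lockout Leif needs; it is my code, not OpenBSD's and not Joachim's. What it relies on is the BSD auth convention from login.conf(5) and login_passwd(8): the backend is run as login_xxx [-s service] [-v name=value] user [class], reports its verdict on file descriptor 3, and exits 0 only when it authorizes. The names REAL_AUTH, STATE_DIR, MAX_FAIL, LOCK_SECS, the install path /usr/libexec/auth/login_lockout and the :auth=lockout: entry are assumptions.

```sh
#!/bin/sh
# login_lockout: wrapper around a real BSD auth backend that adds a
# failed-login lockout. Added example, not OpenBSD code.
# Assumed: REAL_AUTH, STATE_DIR, MAX_FAIL, LOCK_SECS and the install path.
# Install as /usr/libexec/auth/login_lockout and set
#     :auth=lockout:
# in the login.conf class so login(1)/sshd(8) run this script, which then
# runs the real login_passwd and counts its failures.

REAL_AUTH=${REAL_AUTH:-/usr/libexec/auth/login_passwd}
STATE_DIR=${STATE_DIR:-/var/db/lockout}   # root-only dir, one file per user
MAX_FAIL=${MAX_FAIL:-6}                   # PCI DSS 8.5.13: six attempts
LOCK_SECS=${LOCK_SECS:-1800}              # PCI DSS 8.5.14: 30 minutes

# The user name comes from the caller and becomes a file name, so it must
# not be empty, a dotfile, or contain anything that could form "../x".
valid_user() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Load "<failures> <epoch of last failure>" for user $1 into $fails/$last.
read_state() {
    fails=0; last=0
    [ -r "$STATE_DIR/$1" ] && read -r fails last < "$STATE_DIR/$1"
    return 0
}

# Seconds of lockout left for user $1 at epoch time $2; 0 means not locked.
lock_remaining() {
    read_state "$1"
    if [ "$fails" -ge "$MAX_FAIL" ] && [ $(( $2 - last )) -lt "$LOCK_SECS" ]; then
        echo $(( LOCK_SECS - ($2 - last) ))
    else
        echo 0
    fi
}

# Count one failure for user $1 at epoch time $2. Failures older than
# LOCK_SECS are forgotten, so an expired lockout does not re-trigger on
# the next single failure; attempts made while locked are not counted,
# so a remote attacker cannot extend the lock indefinitely.
record_failure() {
    read_state "$1"
    [ $(( $2 - last )) -ge "$LOCK_SECS" ] && fails=0
    fails=$(( fails + 1 ))
    mkdir -p "$STATE_DIR"
    echo "$fails $2" > "$STATE_DIR/$1"
}

clear_failures() { rm -f "$STATE_DIR/$1"; }

# Entry point with the backend's own argument list:
#   login_xxx [-s service] [-v name=value] user [class]
main() {
    # first non-option argument is the user; done in a subshell so "$@"
    # is passed on untouched to the real backend
    user=$( while getopts ":s:v:" o; do :; done
            shift $(( OPTIND - 1 )); printf %s "$1" )
    t=$(date +%s)
    if ! valid_user "$user"; then
        echo reject >&3
        exit 1
    fi
    left=$(lock_remaining "$user" "$t")
    if [ "$left" -gt 0 ]; then
        logger -p auth.warning -t login_lockout "$user: locked out, ${left}s remaining"
        echo reject >&3
        exit 1
    fi
    # The real backend inherits stdin/tty and file descriptor 3, so the
    # password prompt and the back-channel protocol are unchanged; only
    # its exit status is used here (assumed: 0 only on authorize).
    "$REAL_AUTH" "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        clear_failures "$user"
    else
        record_failure "$user" "$t"
        logger -p auth.notice -t login_lockout "$user: failed attempt $fails of $MAX_FAIL"
    fi
    exit "$rc"
}

# Act as a backend only when given arguments; otherwise just define functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Three caveats a practitioner should weigh before relying on this. The counter file is written without locking, so two simultaneous failures for the same user can be counted as one; a small helper that uses flock(2)-style locking, or a daemon holding the counts, closes that gap. Callers that are not root (su(1) by an ordinary user, for instance) cannot write a root-owned STATE_DIR, and a shell script cannot be setuid, so for those paths the wrapper would have to be a compiled program or call a privileged helper; the per-service auth-<service> capabilities in login.conf(5) let you apply the wrapper only to login and ssh if that is all the audit covers. Finally, a lockout of this kind is by nature a denial-of-service lever for anyone who can reach a login prompt, which is a known and accepted consequence of 8.5.13.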