On Wed, Oct 13, 2010 at 09:09:29AM +0000, Leif Blixt wrote:
> Brad Tilley <brad <at> 16systems.com> writes:
> 
> > 
> > I was experimenting with a program to meet PCI DSS 1.2 password length
> > and content/complexity requirements and integrating it with login.conf
> > for users who have shell access to OpenBSD systems. It seems to work as
> > expected, but I wanted to run my configuration by misc.
> > 
> > I appended the following two lines to the end of both default and staff
> > in login.conf. Look OK?
> > 
> > :passwordcheck=/path/to/program:\
> > :passwordtries=0:
> > 
> > I understand that it would be easy (and redundant) to use minpasswordlen
> > to meet the length requirement, but it's easy to check that in the
> > program itself.
> > 
> > Brad
> > 
> > 
> 
> 
> We are currently being reviewed for PCI DSS compliance, and the big problems
> we have right now with the combination of PCI DSS and OpenBSD are the following
> PCI DSS requirements:
> 8.5.12 Password history check - you may not use the last 4 passwords.
> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
> automatically.
> 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
> minutes.
> 
> How have you addressed these requirements? I'm starting to think we need a
> RADIUS solution, which seems a bit redundant working with OpenBSD...

Locking out accounts is actually fairly easy to do if you wrap
/usr/libexec/auth/login_<whatever>. Read the AUTHENTICATION section of
login.conf(5).

                Joachim

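As an added illustration of the wrapping approach Joachim describes (this is example code, not something from the thread or from the OpenBSD tree): a shell auth style that sits in front of another style and keeps a per-user failure counter, rejecting logins for 30 minutes once 6 failures have accumulated, which is the 8.5.13/8.5.14 pair quoted above. The style name "lockout", the wrapped module login_passwd, the state directory /var/db/lockout, the environment overrides and the state-file format are all assumptions made for the example. The back-channel protocol it speaks (fd 3, "authorize"/"reject") is the one documented in the AUTHENTICATION section of login.conf(5). It covers only the "login" service, where the wrapped module only writes to fd 3; challenge/response services also read from fd 3 and would need a socketpair rather than a capture file.

```shell
#!/bin/sh
# Example BSD auth style: wrap another style with a failed-login counter.
# Hypothetical deployment: install as /usr/libexec/auth/login_lockout and set
# ":auth=lockout:" in the relevant login.conf(5) class. Paths, names and the
# state-file format below are this example's assumptions, not OpenBSD's.
#
# Protocol (login.conf(5), AUTHENTICATION): the module is invoked as
#   login_<style> [-v name=value] [-s service] user [class]
# and reports "authorize" or "reject" on the back channel, file descriptor 3.

REAL_MODULE=${LOCKOUT_REAL_MODULE:-/usr/libexec/auth/login_passwd}
STATE_DIR=${LOCKOUT_STATE_DIR:-/var/db/lockout}   # assumed: root-owned, mode 0700
MAX_FAILURES=${LOCKOUT_MAX_FAILURES:-6}           # PCI DSS 8.5.13
LOCK_SECONDS=${LOCKOUT_SECONDS:-1800}             # PCI DSS 8.5.14: 30 minutes

# Refuse anything that could escape STATE_DIR when used as a file name.
valid_user() {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

state_file() { printf '%s/%s\n' "$STATE_DIR" "$1"; }

# Print "<failures> <epoch of last failure>" for a user; "0 0" without a record.
read_state() {
    if [ -r "$(state_file "$1")" ]; then
        read -r _f _t < "$(state_file "$1")" || { _f=0; _t=0; }
        printf '%s %s\n' "${_f:-0}" "${_t:-0}"
    else
        printf '0 0\n'
    fi
}

clear_failures() { rm -f "$(state_file "$1")"; }

# Number of recorded failures (used for logging and by the tests).
failure_count() { set -- $(read_state "$1"); printf '%s\n' "$1"; }

# Returns 0 if the account is currently locked out, 1 otherwise.  A lock older
# than LOCK_SECONDS is cleared so the next attempt starts a fresh count.
is_locked() {
    user=$1; now=${2:-$(date +%s)}
    set -- $(read_state "$user")
    fails=$1; last=$2
    [ "$fails" -lt "$MAX_FAILURES" ] && return 1
    if [ $((now - last)) -ge "$LOCK_SECONDS" ]; then
        clear_failures "$user"
        return 1
    fi
    return 0
}

record_failure() {
    user=$1; now=${2:-$(date +%s)}
    set -- $(read_state "$user")
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
    printf '%s %s\n' "$(($1 + 1))" "$now" > "$(state_file "$user")"
}

# Pull the user name out of "[-v name=value] [-s service] user [class]".
auth_user() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -v|-s) shift $(( $# >= 2 ? 2 : $# )) ;;
            --)    shift; break ;;
            -*)    shift ;;
            *)     break ;;
        esac
    done
    printf '%s\n' "${1:-}"
}

main() {
    user=$(auth_user "$@")
    if ! valid_user "$user"; then
        echo reject >&3; exit 1
    fi
    if is_locked "$user"; then
        logger -p auth.notice "login_lockout: $user locked out after $MAX_FAILURES failures"
        echo reject >&3; exit 1
    fi
    # Run the real style with its back channel captured, then relay the verdict.
    # Sufficient for the "login" service, where the wrapped module only writes
    # to fd 3; challenge/response services also read from fd 3 (see lead-in).
    capture=$(mktemp -t lockout.XXXXXXXX) || { echo reject >&3; exit 1; }
    trap 'rm -f "$capture"' EXIT
    "$REAL_MODULE" "$@" 3>"$capture"
    if grep -q '^authorize' "$capture"; then
        clear_failures "$user"
    else
        record_failure "$user"
    fi
    cat "$capture" >&3
}

# An auth module is never invoked without a user argument.
[ $# -eq 0 ] || main "$@"
```

Note that the counter is per host and only addresses the lockout items; the password-history requirement (8.5.12) raised in the same message is a separate problem that a wrapper around the authentication step does not touch.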