Add examples to show how to enforce password policy with pam_passwdqc(8) when user password has expired
Needs ReviewPublic
Actions

Authored by zarychtam_plan-b.pwste.edu.pl on Dec 17 2020, 4:19 PM.

Details

Reviewers

kaktus
des
emaste

Summary

When the user whose password has expired logs in via console or ssh he/she has to change the password during the login process. During this process, not passwd(1) is called, but either login(1) or sshd(8) are involved and thus the password policy from /etc/pam.d/passwd is ignored.

Adding these two lines to example config files should help newbies figure out how to enforce password policy for users changing their passwords due to expiration.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

zarychtam_plan-b.pwste.edu.pl created this revision.Dec 17 2020, 4:19 PM

Herald added subscribers: Contributor Reviews (src), imp. · View Herald TranscriptDec 17 2020, 4:19 PM

zarychtam_plan-b.pwste.edu.pl requested review of this revision.Dec 17 2020, 4:19 PM

zarychtam_plan-b.pwste.edu.pl added reviewers: kaktus, 0mp.

When the password is expired user root changes password on the behalf of the user during the login process, so only "enforce=everyone" will be fully respected here.

Update pam_passwdqc(8) manual page to reflect and highlight the change and let the user chance to get the gist.

After talking it over on IRC, I think this needs little more descriptive information as to what the options in the config files do.

Further, the note in the manual page is ambiguous - what are the circumstances? (Submitter mentioned ssh on IRC, but this needs to be elucidated).

This revision now requires changes to proceed.Feb 26 2021, 7:33 PM

In D27656#648184, @debdrup wrote:

After talking it over on IRC, I think this needs little more descriptive information as to what the options in the config files do.

Further, the note in the manual page is ambiguous - what are the circumstances? (Submitter mentioned ssh on IRC, but this needs to be elucidated).

I really appreciate this feedback, but still believe that too widely elaborating on the man page the fact of adding two lines commented by default would be probably a waste of the user's resources, especially the user's HDD space and pam_passwdqc(8) has just an excellent man page since the early beginning.
I have written this review to make people slightly aware that the FreeBSD password policy has to be enforced for each /etc/pam.d/service-name capable of changing the password. These modules are called by root when the user password has already expired immediately during the login process and the list of services is probably not complete but covers the most common cases. It's not a security hole but a gap, that should probably be somehow better documented and shown in examples at least until pam(3) will not be deprecated.

My point is that if that's what this change does, it's not evident that that's what it does.

It needs to be made clear what the change does, within the documentation provided to the user.

Also, OpenPAM is unlikely to be deprecated, because there is no similarly licensed alternative.

More to the point, adding a few lines is not going to waste peoples diskspace as much as you think, as manual pages are compressed when installed.

This one probably has to be documented either in the handbook or in wiki pages. Extending lib/libpam/pam.d/ files is probably an undesired way of making people aware of such a gap in password policy enforcement.

zirias mentioned this in D34322: pam_unix: Use suid root helper to authenticate.Feb 19 2022, 5:26 PM