
Add examples to show how to enforce password policy with pam_passwdqc(8) when user password has expired
Abandoned, Public

Authored by zarychtam_plan-b.pwste.edu.pl on Dec 17 2020, 4:19 PM.

Details

Reviewers
kaktus
0mp
debdrup
Summary

When a user whose password has expired logs in via the console or ssh, he/she has to change the password during the login process. During this process passwd(1) is not called; instead login(1) or sshd(8) is involved, and thus the password policy from /etc/pam.d/passwd is ignored.

Adding these two lines to example config files should help newbies figure out how to enforce password policy for users changing their passwords due to expiration.
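A check an administrator can run to see which PAM services the gap described above applies to, as an added example that is neither the diff under review nor the project's own code. It lists every service file whose uncommented "password" stack either lacks pam_passwdqc(8) or uses enforce=users, which root (the user actually performing the change at login) is not subject to; the sample pam.d files it builds are constructed, and the directory argument defaults to /etc/pam.d.

```shell
# Added example, not part of the review. Report PAM service files whose
# "password" stack would not enforce the pam_passwdqc policy when a user
# changes an expired password during login (root performs that change,
# so only enforce=everyone is fully respected).
audit_pam_password_stack() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Only uncommented lines whose first field is "password" form the
        # stack; "#password ..." example lines are skipped on purpose.
        stack=$(awk '$1 == "password"' "$f")
        [ -n "$stack" ] || continue
        case "$stack" in
            *pam_passwdqc*enforce=everyone*) ;;   # policy applies to root too
            *pam_passwdqc*) echo "$(basename "$f"): enforce=everyone not set" ;;
            *) echo "$(basename "$f"): no pam_passwdqc" ;;
        esac
    done
}

# Constructed sample pam.d directory mirroring the situation in the summary.
make_sample_pam_dir() {
    d=$(mktemp -d)
    # passwd(1): policy enforced for everyone, nothing to report
    printf 'password\trequisite\tpam_passwdqc.so\tenforce=everyone\npassword\trequired\tpam_unix.so\tno_warn try_first_pass nullok\n' > "$d/passwd"
    # sshd(8): example line still commented out, so only pam_unix runs
    printf '#password\trequisite\tpam_passwdqc.so\tenforce=users\npassword\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$d/sshd"
    # login(1): pam_passwdqc present but enforce=users, which root bypasses
    printf 'password\trequisite\tpam_passwdqc.so\tenforce=users\npassword\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$d/login"
    # su(1): no password stack at all, so it is not listed
    printf 'auth\t\tsufficient\tpam_rootok.so\tno_warn\n' > "$d/su"
    echo "$d"
}

sample=$(make_sample_pam_dir)
audit_pam_password_stack "$sample"
rm -rf "$sample"
```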


Event Timeline

When the password has expired, user root changes the password on behalf of the user during the login process, so only "enforce=everyone" will be fully respected here.

Update the pam_passwdqc(8) manual page to reflect and highlight the change and give the user a chance to get the gist.

debdrup requested changes to this revision. Feb 26 2021, 7:33 PM
debdrup added a subscriber: debdrup.

After talking it over on IRC, I think this needs a little more descriptive information as to what the options in the config files do.

Further, the note in the manual page is ambiguous - what are the circumstances? (Submitter mentioned ssh on IRC, but this needs to be elucidated).

This revision now requires changes to proceed. Feb 26 2021, 7:33 PM

I really appreciate this feedback, but I still believe that elaborating too widely on the man page about the fact that two commented-out lines were added would probably be a waste of the user's resources, especially the user's HDD space, and pam_passwdqc(8) has had an excellent man page since the very beginning.
I have written this review to make people slightly aware that the FreeBSD password policy has to be enforced for each /etc/pam.d/service-name capable of changing the password. These modules are called by root immediately during the login process when the user password has already expired, and the list of services is probably not complete but covers the most common cases. It's not a security hole but a gap that should probably be documented better and shown in examples, at least until pam(3) is deprecated.

My point is that if that's what this change does, it's not evident that that's what it does.

It needs to be made clear what the change does, within the documentation provided to the user.

Also, OpenPAM is unlikely to be deprecated, because there is no similarly licensed alternative.

More to the point, adding a few lines is not going to waste people's disk space as much as you think, as manual pages are compressed when installed.

This one probably has to be documented either in the handbook or in wiki pages. Extending lib/libpam/pam.d/ files is probably an undesired way of making people aware of such a gap in password policy enforcement.