On Wed, Oct 21, 2009 at 8:16 AM, Stuart VanZee <[email protected]> wrote:
> The company I work for is having their yearly Payment Card Industry
> (PCI) assessment and while I believe that OpenBSD is the most secure
> OS going, I am having some problems proving it. Here are some of
> the issues I need to figure out.

Most of these requirements can be met by eliminating local user passwords
entirely. That is, disable the "passwd" login type in login.conf and use an
external authentication mechanism (e.g. login_radius). Then all of these
enforcement behaviors are a problem for the RADIUS server, not each
individual machine (aside from root logins on the actual console).

If no central RADIUS is available, or if a local fallback is needed, a second
option might be to convert to S/Key locally on each machine. As an OTP, this
may be exempt from the lockout/retry/reuse requirements of PCI?

> This one requires that a user must re-enter the password if their
> terminal is idle for more than 15 minutes. Any ideas how to do this
> with OpenBSD?

I use 'idled' to log out idle SSH/console sessions.

> I am sure that there are others out there that use OpenBSD in an environment
> that requires PCI compliance. How do you meet these requirements?
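A check for the first suggestion in the reply above (turning off the "passwd" style in login.conf), added here as an example and not part of the thread: it parses a login.conf(5) fragment, follows tc= inheritance the way getcap(3) does (first definition wins), and reports every record whose effective `auth` or `auth-<type>` style list still contains `passwd`. The login.conf text and the class names `pci` and `ops` are constructed for illustration.

```python
# Audit an OpenBSD login.conf(5) for classes whose effective auth styles still
# allow local "passwd" logins.  Constructed sample: "default" inherits styles
# via tc=; "pci" moves interactive logins to login_radius but not auth-ftp.
SAMPLE_LOGIN_CONF = """\
auth-defaults:auth=passwd,skey:
auth-ftp-defaults:auth-ftp=passwd:
default:\\
\t:tc=auth-defaults:\\
\t:tc=auth-ftp-defaults:
pci:auth=radius:tc=default:
ops:auth=skey:auth-ftp=skey:tc=default:
"""

def parse_login_conf(text):
    """{record: [(cap, value), ...]}, joining '\\' continuations and 'a|b' aliases."""
    records, pending = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        pending.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue  # record continues on the next line
        fields = [f for f in "".join(pending).split(":") if f]
        pending = []
        for name in fields[0].split("|"):
            records[name] = [tuple(f.partition("=")[::2]) for f in fields[1:]]
    return records

def effective(records, name, cap, seen=()):
    """Value of cap for a record, expanding tc= in place; first definition wins."""
    if name in seen or name not in records:  # unknown record or tc= loop
        return None
    for key, value in records[name]:
        if key == cap:
            return value
        if key == "tc":
            found = effective(records, value, cap, seen + (name,))
            if found is not None:
                return found
    return None

def audit_passwd_style(records):
    """{record: {auth cap: styles}} where the effective style list still has "passwd"."""
    auth_caps = sorted({k for caps in records.values() for k, _ in caps
                        if k == "auth" or k.startswith("auth-")})
    def weak(name):
        return {c: s for c in auth_caps for s in [effective(records, name, c)]
                if s is not None and "passwd" in s.split(",")}
    return {name: w for name in records for w in [weak(name)] if w}
```

On the sample, `pci` is still flagged for `auth-ftp`: overriding only `auth` leaves the stock ftp style reachable through `tc=default`, so every `auth-<type>` entry needs attention, not just `auth`.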

