Hi! We have just figured out a different approach, and will discuss our new idea with our QSA tomorrow. The idea is to completely turn of the possibility to log in with passwords, and to use SSH key pairs with long and good passphrases instead. It will lead to more work with administrating accounts and there is a small problem on how to distribute the public key to all servers, but we don't have to set up a RADIUS server just yet!
I will let you know what the response from our QSA is. /Leif -----Original Message----- From: Brad Tilley [mailto:[email protected]] Sent: den 14 oktober 2010 13:36 To: Leif Blixt; openbsd-misc Subject: Re: Force passwordcheck in login.conf Leif Blixt wrote: > Brad Tilley <brad <at> 16systems.com> writes: > >> I was experimenting with a program to meet PCI DSS 1.2 password length >> and content/complexity requirements and integrating it with login.conf >> for users who have shell access to OpenBSD systems. It seems to work as >> expected, but I wanted to run my configuration by misc. >> >> I appended the following two lines to the end of both default and staff >> in login.conf. Look OK? >> >> :passwordcheck=/path/to/program:\ >> :passwordtries=0: >> >> I understand that it would be easy (and redundant) to use minpasswordlen >> to meet the length requirement, but it's easy to check that in the >> program itself. >> >> Brad >> >> > > > We are currently being reviewed for PCI DSS compliance, and the big problems > we have right now with the combination of PCI DSS and OpenBSD is the following > PCI DSS requirements: > 8.5.12 Password history check - you may not use the last 4 passwords. > 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts > automatically. > 8.5.14 If 8.5.13 takes affect, the account must be locked for at least 30 > minutes. I concluded the same for requirement 8. See my rough notes here. I plan to add to that page as I do more testing: http://16systems.com/OpenBSD/pci.html > How have you addressed these requirements? I'm starting to think we need a > RADIUS solution, which seems a bit redundant working with OpenBSD... > > Regards, Leif RADIUS may do it if the backend can enforce those things (I don't know enough about this to comment, but OpenLDAP may work). If that cannot do it, read Appendix B of the PCI DSS carefully. They allow compensating controls when the requirements cannot be followed precisely. Brad
