For 8.5.12 see login.conf man page, look for passwordcheck. You will have to write (or find) a program that keeps track of previously used passwords. I just stored a hash of them in a file and have it check to see if the new password hash matches any of the old 4 password hashes.
For 8.5.13 see login.conf man page, look for auth. You will (again) have to write a program that does this. In this case, you will be writing a new login authentication method. I haven't figured out how to integrate this with ssh, but in my case that doesn't apply as I disabled password login into ssh and everyone uses keys.

Sadly, when I did all of this it was for work so the place I work owns the code and I have not been given permission to give that code away. I wrote mine in Python because I know and understand Python, but it could probably be done using any language.

s

>
> We are currently being reviewed for PCI DSS compliance, and the big problems
> we have right now with the combination of PCI DSS and OpenBSD is the following
> PCI DSS requirements:
> 8.5.12 Password history check - you may not use the last 4 passwords.
> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
> automatically.
> 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
> minutes.
>
> How have you addressed these requirements? I'm starting to think we need a
> RADIUS solution, which seems a bit redundant working with OpenBSD...
>
> Regards, Leif
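
A sketch of the password-history checker described in the reply for 8.5.12, added here as an example; it is not the code from the message, which its author could not share. It follows the login.conf(5) passwordcheck contract (candidate password on stdin, exit 0 to accept, 1 to reject). The history file path, the JSON layout, the PBKDF2 parameters and the use of the invoking user as the account name are all assumptions.

```python
import getpass, hashlib, hmac, json, os, sys, tempfile

HISTORY_FILE = "/path/to/pw_history.json"  # hypothetical location, root-only
HISTORY_DEPTH = 4                          # 8.5.12: last 4 passwords
ITERATIONS = 100_000                       # assumed PBKDF2 work factor

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def load_history(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}

def is_reused(history, user, candidate):
    # Each stored hash has its own salt, so re-derive the candidate per entry.
    for entry in history.get(user, []):
        digest = derive(candidate, bytes.fromhex(entry["salt"]))
        if hmac.compare_digest(digest, bytes.fromhex(entry["hash"])):
            return True
    return False

def record(history, user, password):
    salt = os.urandom(16)
    entries = history.setdefault(user, [])
    entries.append({"salt": salt.hex(), "hash": derive(password, salt).hex()})
    del entries[:-HISTORY_DEPTH]           # keep only the newest 4

def save_history(path, history):
    # mkstemp creates the file mode 0600; os.replace makes the update atomic.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump(history, f)
    os.replace(tmp, path)

def check(path, user, candidate):
    """Return the exit status: 0 = acceptable, 1 = matches a recent password."""
    history = load_history(path)
    if is_reused(history, user, candidate):
        return 1
    # Simplification: recorded at check time, before the change is committed.
    record(history, user, candidate)
    save_history(path, history)
    return 0

if __name__ == "__main__":
    # Assumption: the account being changed is the invoking user.
    sys.exit(check(HISTORY_FILE, getpass.getuser(), sys.stdin.readline().rstrip("\n")))
```

Storing salted, slow hashes rather than plain digests means the history file does not become a fast offline guessing target for the current password if it leaks.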

