Password Policies
There is a need to enforce password policies for end users. Policies include:
- Enforcing a minimum password length
- Enforcing capitals, numbers or non-alphanumeric characters in a password
- Setting account expiration dates
- etc.
Password policies are not only required as a matter of good security practice, but also for regulatory compliance.
Challenge
Bring on the complexity! There are three distinct password policy engines on a ClearOS system:
- Samba
- LDAP
- Linux shadow / PAM system
In an ideal world, these policies would look like a single policy engine to the end user, administrator and software developer (via the software API). For example, if too many login failures were made from a Windows desktop, this could be configured to trigger a Samba account lockout. Some administrators may also want to extend this account lockout to other services (e.g. LDAP services, and Linux shadow services).
The adjacent screenshot shows the proposed location for OpenLDAP password policy objects in LDAP. A single default object (as shown) can be configured for all users. Alternatively, group or individual user policy objects can be added to LDAP.
Details
So now that we have made the decision to unify the password policies, how are we going to do it? The first thing to look at is the capabilities and limitations of the three systems. The following table is a summary, and it includes the LDAP attributes used by each password policy engine.
| Policy | OpenLDAP | Samba | Shadow |
|---|---|---|---|
| Last password change | pwdChangedTime | sambaPwdLastSet | shadowLastChange |
| Minimum password age (no password changes allowed until…) | pwdMinAge | sambaMinPwdAge | shadowMin |
| Maximum password age (password can only be used for…) | pwdMaxAge | sambaMaxPwdAge | shadowMax |
| Password quality check | pwdCheckModule | check password script | PAM cracklib |
| Minimum password length | pwdMinLength | sambaMinPwdLength | PAM cracklib minlen |
| Password change required | pwdMustChange | sambaLogonToChgPwd | |
| Password history | pwdHistory | sambaPasswordHistory | |
| Password history count | pwdInHistory | sambaPwdHistoryLength | |
| Bad password lockout flag | pwdLockout | sambaAcctFlags ? | |
| Bad password lockout duration | pwdLockoutDuration | sambaLockoutDuration | |
| Bad password lockout attempts threshold | pwdMaxFailure | sambaLockoutThreshold | |
| Bad password lockout attempts cache time | pwdFailureCountInterval | sambaLockoutObservationWindow | |
| Bad password lockout timestamp | pwdAccountLockedTime | ? | |
| Bad password timestamps/count | pwdFailureTime | sambaBadPasswordCount | |
| Allow user password changes | pwdAllowUserChange | ? | |
| Require both old and new password to change | pwdSafeModify | ? | |
| Password expire date | | sambaPwdMustChange | |
| Account expire date | | | shadowExpire |
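As an added illustration (not ClearOS code), the following Python sketch projects one unified policy onto the attributes of the three engines in the table above, handling the unit mismatch that bites in practice: ppolicy and Samba ages are in seconds, Samba lockout timers are in minutes, and shadow ages are whole days. The UnifiedPolicy field names, the rounding choices for shadow and the example DN are assumptions.

```python
import math
from dataclasses import dataclass

DAY = 86400  # seconds per day; shadow(5) stores ages in whole days

@dataclass(frozen=True)
class UnifiedPolicy:
    """One ClearOS-wide policy; every duration is expressed in seconds."""
    min_length: int         # shortest password accepted
    min_age: int            # wait before a password may be changed again
    max_age: int            # how long a password stays valid
    history: int            # previous passwords that may not be reused
    lockout_threshold: int  # failures before lockout (0 = never lock)
    lockout_duration: int   # how long the account stays locked
    failure_window: int     # window within which failures are counted

def to_openldap(p):
    """ppolicy overlay attributes: durations in seconds, flags TRUE/FALSE."""
    return {"pwdAttribute": "userPassword",  # required by the pwdPolicy class
            "pwdMinLength": p.min_length, "pwdMinAge": p.min_age,
            "pwdMaxAge": p.max_age, "pwdInHistory": p.history,
            "pwdLockout": "TRUE" if p.lockout_threshold else "FALSE",
            "pwdMaxFailure": p.lockout_threshold,
            "pwdLockoutDuration": p.lockout_duration,
            "pwdFailureCountInterval": p.failure_window}

def to_samba(p):
    """sambaDomain attributes: ages in seconds, but lockout timers in minutes."""
    return {"sambaMinPwdLength": p.min_length, "sambaMinPwdAge": p.min_age,
            "sambaMaxPwdAge": p.max_age, "sambaPwdHistoryLength": p.history,
            "sambaLockoutThreshold": p.lockout_threshold,
            "sambaLockoutDuration": p.lockout_duration // 60,
            "sambaLockoutObservationWindow": p.failure_window // 60}

def to_shadow(p):
    """shadowAccount ages are whole days; never weaker: max rounds down, min rounds up."""
    return {"shadowMin": math.ceil(p.min_age / DAY), "shadowMax": p.max_age // DAY}

def to_ldif(dn, objectclasses, attrs):
    """Render one entry as LDIF so it can be loaded with ldapadd."""
    lines = [f"dn: {dn}"] + [f"objectClass: {oc}" for oc in objectclasses]
    lines += [f"{k}: {v}" for k, v in attrs.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample: 8 chars, 1/90 day ages, 5 kept, 30 min lock after 5 fails in 15 min; hypothetical DN
    p = UnifiedPolicy(8, DAY, 90 * DAY, 5, 5, 1800, 900)
    print(to_ldif("cn=default,ou=PasswordPolicies,dc=example,dc=com",
                  ["device", "pwdPolicy"], {"cn": "default", **to_openldap(p)}))
```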
There are a few more attributes that should be mentioned and are noted here for completeness. These features will not be included in the global ClearOS Password Policy Engine but may be included in an application's individual settings (for example, setting the logon hours for a Windows user/system).
OpenLDAP
| Attribute | Description |
|---|---|
| pwdGraceUseTime | List of timestamps of logins made after the password has expired. These "grace logins" will not be implemented (pwdGraceAuthnLimit disabled). |
| pwdGraceAuthnLimit | The number of times an expired password may be used. These "grace logins" will be disabled. |
| pwdReset | Forces a user to reset their password if an administrator has changed the user's password. |
| pwdCheckQuality | Checks password syntax. |
Shadow
| Attribute | Description |
|---|---|
| shadowInactive | Days after the password expires that the account is disabled. In ClearOS, an account will be disabled as soon as a password expires. |
| shadowWarning | Account expiration warning time. |
Samba
| Attribute | Description |
|---|---|
| sambaPwdCanChange | Timestamp of when the user is allowed to update the password. |
| sambaLogonTime | Timestamp of last logon. |
| sambaLogoffTime | Timestamp of last logoff. |
| sambaKickoffTime | Timestamp of when the user will be logged off automatically. |
| sambaForceLogoff | Disconnect users outside logon hours. |
| sambaLogonHours | Logon hours. |
| sambaRefuseMachinePwdChange | Refuse machine password change. |
Password Quality
What you may have noticed in the LDAP attributes is that the actual password quality rules are not explicitly defined. For example:
- Enforcing non-alphanumeric
- Enforcing mixed case
- Dictionary matches
- etc.
This needs to be defined and then implemented with:
- A script/binary for Samba
- A loadable module in OpenLDAP
- Creating a PAM module or tweaking the pam_cracklib options