> -----Original Message-----
> From: Brad Tilley [mailto:b...@16systems.com]
> Sent: 14 October 2010 13:36
> To: Leif Blixt; openbsd-misc
> Subject: Re: Force passwordcheck in login.conf
>
> Leif Blixt wrote:
>>
>> We are currently being reviewed for PCI DSS compliance, and the big problems
>> we have right now with the combination of PCI DSS and OpenBSD is the following
>> PCI DSS requirements:
>> 8.5.12 Password history check - you may not use the last 4 passwords.
>> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
>> automatically.
>> 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
>> minutes.
>
> I concluded the same for requirement 8. See my rough notes here. I plan
> to add to that page as I do more testing:
>
> http://16systems.com/OpenBSD/pci.html
>
>> How have you addressed these requirements? I'm starting to think we need a
>> RADIUS solution, which seems a bit redundant working with OpenBSD...
>>
>> Regards, Leif
>
> RADIUS may do it if the backend can enforce those things (I don't know
> enough about this to comment, but OpenLDAP may work). If that cannot do
> it, read Appendix B of the PCI DSS carefully. They allow compensating
> controls when the requirements cannot be followed precisely.
>
> Brad
Just a quick note on how we addressed 8.5.13 ... yes, it requires Python, but we are a Python shop so this was not an issue for us. I'm just posting it for the purpose of sharing ideas. http://www.deweyonline.com/files/openbsd/login_-custompasswd
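The lockout logic that 8.5.13 and 8.5.14 call for (refuse logins after 6 consecutive failures, keep the account refused for at least 30 minutes, clear the counter on success) is small enough to show in full. The following is an added example, not the script linked above and not anything from OpenBSD; it models the policy in Python with an injectable clock so the timing can be checked offline. The `LockoutTracker` class, the `evaluate_attempt` helper and its "authorize"/"reject" return strings are assumptions made for this illustration; a real BSD auth login script would additionally have to persist this state on disk, since each login attempt runs in a fresh process.

```python
import time
from collections import defaultdict

MAX_FAILURES = 6            # PCI DSS 8.5.13: lock after 6 failed attempts
LOCKOUT_SECONDS = 30 * 60   # PCI DSS 8.5.14: locked for at least 30 minutes


class LockoutTracker:
    """Per-user failed-attempt counter with a timed lockout (hypothetical helper)."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for testing
        self._failures = defaultdict(int)  # user -> consecutive failures
        self._locked_until = {}            # user -> epoch seconds when lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear state so the user gets a fresh window.
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def record_failure(self, user):
        """Count one failed attempt; return True if the account is now locked."""
        if self.is_locked(user):
            # Attempts during a lockout neither reset nor extend it here.
            return True
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login clears the consecutive-failure counter."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def remaining_lockout(self, user):
        """Seconds until the lock expires, or 0 if the user is not locked."""
        if not self.is_locked(user):
            return 0
        return int(self._locked_until[user] - self.clock())


def evaluate_attempt(tracker, user, password_ok):
    """Decide a login attempt the way a BSD auth-style script would report it.

    password_ok is the result of the real credential check, done elsewhere.
    Returns "authorize" or "reject" (strings chosen for this example).
    """
    if tracker.is_locked(user):
        # Locked accounts are refused even when the password is correct,
        # otherwise an attacker could keep guessing through the lockout.
        return "reject"
    if password_ok:
        tracker.record_success(user)
        return "authorize"
    tracker.record_failure(user)
    return "reject"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock.
    now = [1000.0]
    t = LockoutTracker(clock=lambda: now[0])
    for _ in range(6):
        print(evaluate_attempt(t, "alice", False))   # 6 x reject
    print(t.is_locked("alice"), t.remaining_lockout("alice"))  # True 1800
    now[0] += LOCKOUT_SECONDS
    print(evaluate_attempt(t, "alice", True))        # authorize
```

Note that the counter is keyed per user and only resets on success or after the lock window expires, so five failures followed by a long pause still leave the sixth attempt one step from a lockout; if you want the window to age out on its own, that is an explicit design decision to add, not an accident of the code.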