sorry for the subject goof ... On Oct 17, 2010, at 11:51 AM, Dewey Hylton wrote:
>
>> -----Original Message-----
>> From: Brad Tilley [mailto:b...@16systems.com]
>> Sent: 14 October 2010 13:36
>> To: Leif Blixt; openbsd-misc
>> Subject: Re: Force passwordcheck in login.conf
>>
>> Leif Blixt wrote:
>>>
>>> We are currently being reviewed for PCI DSS compliance, and the big problems
>>> we have right now with the combination of PCI DSS and OpenBSD are the following
>>> PCI DSS requirements:
>>> 8.5.12 Password history check - you may not use the last 4 passwords.
>>> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
>>> automatically.
>>> 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
>>> minutes.
>>
>> I concluded the same for requirement 8. See my rough notes here. I plan
>> to add to that page as I do more testing:
>>
>> http://16systems.com/OpenBSD/pci.html
>>
>>> How have you addressed these requirements? I'm starting to think we need a
>>> RADIUS solution, which seems a bit redundant working with OpenBSD...
>>>
>>> Regards, Leif
>>
>> RADIUS may do it if the backend can enforce those things (I don't know
>> enough about this to comment, but OpenLDAP may work). If that cannot do
>> it, read Appendix B of the PCI DSS carefully. They allow compensating
>> controls when the requirements cannot be followed precisely.
>>
>> Brad
>
> Just a quick note on how we addressed 8.5.13 ... yes, it requires Python, but we are
> a Python shop so this was not an issue for us. I'm just posting it for the purpose of
> sharing ideas.
>
> http://www.deweyonline.com/files/openbsd/login_-custompasswd
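The linked login_-custompasswd script is not reproduced on this page, so the following is an added example, not Dewey's script and not part of the OpenBSD base system, of the state-keeping half of what a custom BSD auth login script needs for 8.5.13 and 8.5.14: count failed attempts per user, lock the account once the sixth failure lands, keep it locked for 30 minutes, and refuse a locked account even when the password offered is correct. The state file path, the record layout and the function names are my own choices; on OpenBSD the surrounding login_* script would run as root under /usr/libexec/auth/ and report its verdict by writing "authorize" or "reject" on file descriptor 3, which is left out of the test path here.

```python
"""Failed-login lockout tracker for a custom BSD auth login script.

Added example: implements PCI DSS 8.5.13 (lock after 6 failures) and
8.5.14 (locked for at least 30 minutes). Persistence is a JSON file
chosen for illustration; a real deployment would keep it root-only
(e.g. mode 0600 under /var/db) since the login script runs as root.
"""
import json
import os
import time
from typing import Callable, Dict, Optional

MAX_FAILURES = 6            # PCI DSS 8.5.13
LOCKOUT_SECONDS = 30 * 60   # PCI DSS 8.5.14: at least 30 minutes


class LockoutTracker:
    """State is {user: {"failures": int, "locked_until": epoch seconds}}."""

    def __init__(self, path: Optional[str] = None):
        self.path = path                      # None keeps state in memory
        self.state: Dict[str, Dict[str, float]] = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.state = json.load(f)

    def _save(self) -> None:
        if not self.path:
            return
        tmp = self.path + ".tmp"              # write-then-rename: no torn file
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.path)

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self.state.get(user)
        if rec is None:
            return False
        if rec["locked_until"] > now:
            return True
        if rec["locked_until"]:               # lock expired: start counting afresh
            del self.state[user]
            self._save()
        return False

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):         # already locked: do not extend
            return True
        rec = self.state.setdefault(user, {"failures": 0, "locked_until": 0.0})
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
        self._save()
        return rec["locked_until"] > now

    def record_success(self, user: str) -> None:
        self.state.pop(user, None)            # a good login clears the counter
        self._save()

    def failures(self, user: str) -> int:
        return int(self.state.get(user, {}).get("failures", 0))


def decide(tracker: LockoutTracker, user: str,
           check_password: Callable[[], bool],
           now: Optional[float] = None) -> str:
    """Return the BSD auth verdict word: "authorize" or "reject".

    The lockout is tested before the password so a locked account is
    refused even with the right password, and so an attacker cannot use
    the response time to learn whether a guess was correct.
    """
    now = time.time() if now is None else now
    if tracker.is_locked(user, now):
        return "reject"
    if check_password():
        tracker.record_success(user)
        return "authorize"
    tracker.record_failure(user, now)
    return "reject"


def bsd_auth_reply(verdict: str, fd: int = 3) -> None:
    """Write the verdict on the BSD auth back-channel (fd 3 by convention)."""
    os.write(fd, (verdict + "\n").encode())


if __name__ == "__main__":
    # Constructed demo: six bad passwords, then a correct one while locked.
    t = LockoutTracker()
    for _ in range(6):
        t.record_failure("leif", now=0.0)
    print(decide(t, "leif", lambda: True, now=60.0))        # reject: locked
    print(decide(t, "leif", lambda: True, now=1801.0))      # authorize: lock expired
```

The counter is keyed on the username only, so it can be driven up by anyone who knows the name; that is exactly what 8.5.13 asks for, but it means an attacker can lock out legitimate users, which is worth raising with the assessor as a denial-of-service trade-off before rolling this onto administrative accounts.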