One last note... it seems that OpenPAM on the other BSDs and LinuxPAM on
Linux systems address all of PCI requirement 8. However, they all seem
to differ slightly with their PAM implementations and PAM in general
seems overly complex (to me at least).
I mis-configured PAM on a test system (comment
> Thanks. I'll add that as a possible solution for folks who wish to add
> Python to the base install.
>
> Brad
>
> >> http://www.deweyonline.com/files/openbsd/login_-custompasswd
Thanks for sharing.
I didn't see any explicit log file closing but then again sys.exit() should
clean up.
On 10/17/2010 12:56 PM, Dewey Hylton wrote:
>> just a quick note on how we addressed 8.5.13 ... yes, it requires python, but we are
>> a python shop so this was not an issue for us. i'm just posting it for the purpose of
>> sharing ideas.
>>
>> http://www.deweyonline.com/files/openbsd/login_-c
sorry for the subject goof ...
On Oct 17, 2010, at 11:51 AM, Dewey Hylton wrote:
>>
>> -Original Message-
>> From: Brad Tilley [mailto:b...@16systems.com]
>> Sent: den 14 oktober 2010 13:36
>> To: Leif Blixt; openbsd-misc
>> Subject: Re: Force password
On 2010-10-13, Brad Tilley wrote:
> Mark Romer wrote:
>> use passwdqc it is in packages.
>>
>> in login.conf under default I have:
>> :minpasswordlen=12:\
>> :login-tries=4:\
>> :passwordtries=3:\
>> :passwordcheck=/usr/local/libexec/passwdqc -3 12
>>
>> Mark
>
> I've he
On Thu, Oct 14, 2010 at 10:16:12AM -0400, Brad Tilley wrote:
> Stuart VanZee wrote:
> > For 8.5.12 see login.conf man page, look for passwordcheck.
> > You will have to write (or find) a program that keeps track
> > of previously used passwords. I just stored a hash of them
> > in a file and have
Stuart VanZee wrote:
> For 8.5.12 see login.conf man page, look for passwordcheck.
> You will have to write (or find) a program that keeps track
> of previously used passwords. I just stored a hash of them
> in a file and have it check to see if the new password hash
> matches any of the old 4 pas
For 8.5.12 see login.conf man page, look for passwordcheck.
You will have to write (or find) a program that keeps track
of previously used passwords. I just stored a hash of them
in a file and have it check to see if the new password hash
matches any of the old 4 password hashes.
for 8.5.13 see l
On Wed, Oct 13, 2010 at 09:09:29AM +, Leif Blixt wrote:
> Brad Tilley 16systems.com> writes:
>
> >
> > I was experimenting with a program to meet PCI DSS 1.2 password length
> > and content/complexity requirements and integrating it with login.conf
> > for users who have shell access to Open
14:09
> To: Leif Blixt; openbsd-misc
> Subject: Re: Force passwordcheck in login.conf
>
> Leif Blixt wrote:
>> Hi!
>>
>> We have just figured out a different approach, and will discuss our new idea
>> with our QSA tomorrow. The idea is to completely tur
2010 13:36
To: Leif Blixt; openbsd-misc
Subject: Re: Force passwordcheck in login.conf
Leif Blixt wrote:
> Brad Tilley 16systems.com> writes:
>
>> I was experimenting with a program to meet PCI DSS 1.2 password length
>> and content/complexity requirements and integrating
ject: Re: Force passwordcheck in login.conf
Leif Blixt wrote:
> Hi!
>
> We have just figured out a different approach, and will discuss our new idea
> with our QSA tomorrow. The idea is to completely turn off the possibility to
> log in with passwords, and to use SSH key pairs with long and good pass
Leif Blixt wrote:
> Hi!
>
> We have just figured out a different approach, and will discuss our new idea
> with our QSA tomorrow. The idea is to completely turn off the possibility to
> log in with passwords, and to use SSH key pairs with long and good
> passphrases instead. It will lead to more
Leif Blixt wrote:
> Brad Tilley 16systems.com> writes:
>
>> I was experimenting with a program to meet PCI DSS 1.2 password length
>> and content/complexity requirements and integrating it with login.conf
>> for users who have shell access to OpenBSD systems. It seems to work as
>> expected, but
Brad Tilley 16systems.com> writes:
>
> I was experimenting with a program to meet PCI DSS 1.2 password length
> and content/complexity requirements and integrating it with login.conf
> for users who have shell access to OpenBSD systems. It seems to work as
> expected, but I wanted to run my conf
Mark Romer wrote:
> use passwdqc it is in packages.
>
> in login.conf under default I have:
> :minpasswordlen=12:\
> :login-tries=4:\
> :passwordtries=3:\
> :passwordcheck=/usr/local/libexec/passwdqc -3 12
>
> Mark
I've heard complaints that it is too stringent (I tend t
use passwdqc it is in packages.
in login.conf under default I have:
:minpasswordlen=12:\
:login-tries=4:\
:passwordtries=3:\
:passwordcheck=/usr/local/libexec/passwdqc -3 12
Mark
On Tue, Oct 12, 2010 at 8:46 PM, Brad Tilley wrote:
> I was experimenting with a program
On 10/13/10 02:46, Brad Tilley wrote:
> I was experimenting with a program to meet PCI DSS 1.2 password length
> and content/complexity requirements and integrating it with login.conf
> for users who have shell access to OpenBSD systems. It seems to work as
> expected, but I wanted to run my config
I was experimenting with a program to meet PCI DSS 1.2 password length
and content/complexity requirements and integrating it with login.conf
for users who have shell access to OpenBSD systems. It seems to work as
expected, but I wanted to run my configuration by misc.
I appended the following two