[Bug 276422] pam_passwdqc(8) - add more examples

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 18 Jan 2024 14:13:00 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276422

            Bug ID: 276422
           Summary: pam_passwdqc(8) - add more examples
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: zarychtam@plan-b.pwste.edu.pl

A few years ago I created D27656[1]. It did not gain much interest, but it's
still relevant. Yesterday I looked at the Security chapter of the FreeBSD
Handbook and found no consistent example of enforcing password policies[2].

Where is the problem? When the user's password expires, the password change
will be enforced immediately upon logging in and the policy enforcement set in
/etc/pam.d/passwd will not be applied. In case of an expired password, password
policy enforcement will only work if set in the appropriate pam.d config file
corresponding to the authentication method (usually /etc/pam.d/sshd or
/etc/pam.d/login). Moreover, in the case of an expired password, the password
change will be done under uid 0, so only enforce=everyone makes sense.
Maybe we can fix it by extending examples, but probably the right way will be
to change PAM modules internally to better handle changing expired passwords.

To reproduce:
- Configure the system following [2]
- Set: "pw user mod exampleuser -p 31-Dec-2023"
- Login via console or ssh to the system as exampleuser and set password to
empty (just press enter twice).

Over 3 years ago I found it as a foot-shooting issue and spent a few hours
figuring out how it was possible that some users had set empty passwords, but
I think that more people enforcing password policies might be affected.

1. https://reviews.freebsd.org/D27656
2. https://docs.freebsd.org/en/books/handbook/security/#security-pwpolicy

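The following is an added example and is not part of the bug report or of FreeBSD's base system. It audits a pam.d service file the way the report suggests a policy should be checked: the password stack that actually runs when an expired password is changed at login (/etc/pam.d/sshd, /etc/pam.d/login) must itself load pam_passwdqc.so with enforce=everyone, because that change runs under uid 0 and enforce=users would not apply. The function names (pam_policy_ok, pam_policy_report, demo), the sample files and the min=/similar=/retry= values shown are assumptions chosen for illustration; only the enforce=everyone requirement comes from the report.

```sh
#!/bin/sh
# Added example, not FreeBSD code: audit pam.d files for expired-password
# policy coverage. Function names and sample contents are constructed.
#
# Line a practitioner would expect in the "password" section of
# /etc/pam.d/sshd and /etc/pam.d/login (in addition to /etc/pam.d/passwd);
# the min=/similar=/retry= values are illustrative assumptions:
#   password  requisite  pam_passwdqc.so  min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=everyone

# pam_policy_ok FILE
#   Returns 0 when FILE has an active (uncommented) "password" line that loads
#   pam_passwdqc.so with the enforce=everyone option, 1 otherwise.
pam_policy_ok() {
    file=$1
    [ -r "$file" ] || return 1
    # Drop comments, keep password-type lines, require module + option.
    sed 's/#.*//' "$file" \
      | awk '$1 == "password" && $3 ~ /pam_passwdqc\.so/ {
                 for (i = 4; i <= NF; i++) if ($i == "enforce=everyone") found = 1
             }
             END { exit found ? 0 : 1 }'
}

# pam_policy_report FILE...
#   Prints one status line per FILE; returns the number of files that fail.
pam_policy_report() {
    failures=0
    for f in "$@"; do
        if pam_policy_ok "$f"; then
            echo "OK       $f"
        else
            echo "MISSING  $f: no active pam_passwdqc.so line with enforce=everyone"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Stand-alone demo on constructed files, so nothing under /etc/pam.d is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed: stock-looking sshd stack, policy only in passwd with enforce=users
    printf 'password\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$tmp/sshd"
    printf 'password\trequisite\tpam_passwdqc.so\tenforce=users\n' > "$tmp/passwd"
    printf 'password\trequired\tpam_unix.so\tno_warn try_first_pass nullok\n' >> "$tmp/passwd"
    # Constructed: sshd stack carrying the fix
    printf 'password\trequisite\tpam_passwdqc.so\tmin=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=everyone\n' > "$tmp/sshd.fixed"
    printf 'password\trequired\tpam_unix.so\tno_warn try_first_pass\n' >> "$tmp/sshd.fixed"
    if pam_policy_report "$tmp/sshd" "$tmp/passwd" "$tmp/sshd.fixed"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh audit.sh demo` to see the constructed case (two MISSING, one OK); on a real host call `pam_policy_report /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/passwd` instead. The check is deliberately strict about enforce=everyone rather than just the presence of pam_passwdqc.so, because a line with enforce=users in the login-time stack would still let the uid 0 change skip the policy.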