How to Enforce Password Complexity Policies on FreeBSD Operating System

Introduction

Security is a critical aspect of system administration, and enforcing strong password policies is an essential measure to protect against unauthorized access. FreeBSD, a robust and secure operating system, provides multiple mechanisms to enforce password complexity policies. This article explores how to implement and configure these policies using PAM (Pluggable Authentication Modules) and other native FreeBSD tools.

Understanding Password Complexity Policies

A password complexity policy ensures that users create passwords that are difficult to guess or crack. A good policy typically includes:

  • Minimum and maximum password lengths
  • Use of uppercase and lowercase letters
  • Inclusion of numbers and special characters
  • Prevention of dictionary words
  • Enforcing password history to prevent reuse
  • Implementing expiration policies

FreeBSD provides built-in tools to enforce most of these rules, chiefly the PAM module pam_passwdqc, the pw(8) utility and login classes in login.conf.

Enabling PAM Password Complexity Rules

PAM is a modular authentication framework used by FreeBSD. To enforce password complexity, you can configure pam_passwdqc, which is a PAM module designed to enforce strong password policies.

1. Install pam_passwdqc

pam_passwdqc is part of the FreeBSD base system (it is installed as /usr/lib/pam_passwdqc.so), so no installation is normally required. If it is missing on your system, install it with:

pkg install pam_passwdqc

2. Configure PAM for Password Policies

Modify the PAM configuration file responsible for password authentication. Open the file /etc/pam.d/passwd:

vi /etc/pam.d/passwd

Locate the line that references pam_unix.so. FreeBSD ships a commented-out pam_passwdqc line directly above it; uncomment that line, or add one, so that the password stack reads:

password requisite pam_passwdqc.so min=disabled,12,12,8,8 max=40 passphrase=3 similar=deny random=42 enforce=everyone
password required pam_unix.so no_warn try_first_pass

pam_passwdqc only judges the candidate password; pam_unix.so is the module that actually stores the new hash, so it must remain in place after the requisite line. Do not replace it.

Explanation of Parameters

  • min=disabled,12,12,8,8: Minimum lengths by password kind, in the order N0 (one character class), N1 (two classes), N2 (passphrase), N3 (three classes), N4 (four classes). disabled forbids that kind of password outright, and the five values must be non-increasing or the module rejects the option. An upper-case first character and a digit last character are not counted towards the number of classes, so Password1 is treated as a one-class password.
  • max=40: Maximum password length.
  • passphrase=3: Minimum number of words for a password to be accepted as a passphrase under the N2 limit.
  • similar=deny: Rejects a new password that is too similar to the old one.
  • random=42: Bit strength of the random passphrase the module suggests to the user (0 disables the suggestion).
  • enforce=everyone: Applies the policy to every user, root included (enforce=users would exempt root).
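As an added example (not passwdqc's own code and not part of this article), the following Python models the documented min=N0,N1,N2,N3,N4 rule so that the ordering requirement and the character-class counting can be tried against candidate passwords before a policy is rolled out. It models only the length/class test, omits the module's dictionary, similarity and non-ASCII handling, and the sample passwords in the test are constructed.

```python
import math

# Added example: a model of pam_passwdqc's documented min=N0,N1,N2,N3,N4 rule.
# Not the module's own code; dictionary, similarity and non-ASCII handling omitted.

def parse_min(spec):
    """'disabled' forbids that kind of password; passwdqc rejects the option
    unless the five values are non-increasing (N0 >= N1 >= N2 >= N3 >= N4)."""
    mins = [math.inf if f == "disabled" else int(f) for f in spec.split(",")]
    if len(mins) != 5:
        raise ValueError("min= needs exactly five values")
    if any(a < b for a, b in zip(mins, mins[1:])):
        raise ValueError("min= values must be non-increasing")
    return mins

def min_is_valid(spec):
    try:
        parse_min(spec)
        return True
    except ValueError:
        return False

def classify(password):
    """Return (length, classes, words) as passwdqc counts them: digits, lower,
    upper and other are the classes; an upper-case first character and a digit
    last character are not counted; a word starts where a letter follows a non-letter."""
    digits = lowers = uppers = others = words = 0
    prev = " "
    for ch in password:
        if ch.isdigit(): digits += 1
        elif ch.islower(): lowers += 1
        elif ch.isupper(): uppers += 1
        else: others += 1
        if ch.isalpha() and not prev.isalpha(): words += 1
        prev = ch
    if password and password[0].isupper(): uppers -= 1
    if password and password[-1].isdigit(): digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n > 0)
    return len(password), classes, words

def meets_policy(password, mins, passphrase_words=3):
    """N0 limits one-class passwords, N1 two, N3 three and N4 four classes;
    N2 limits a passphrase of at least passphrase_words words (two or more
    classes, since the separators themselves count as a class)."""
    length, classes, words = classify(password)
    if classes == 0: return False
    if length >= mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]:
        return True
    return classes >= 2 and 0 < passphrase_words <= words and length >= mins[2]
```

Under the policy above, meets_policy("Password1", parse_min("disabled,12,12,8,8")) is False because the leading capital and trailing digit are discounted, while parse_min("8,8,8,8,12") raises because the values are not non-increasing.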

3. Save and Apply Changes

After modifying /etc/pam.d/passwd, save the file and test password changes to verify enforcement.

Using pw for Additional Password Policy Enforcement

In addition to PAM, FreeBSD's pw(8) utility manages per-account settings such as password expiry and account locking.

1. Setting Password Expiry

To force a password change, set the account's password expiration date. The date can be absolute or, when prefixed with +, relative to now:

pw usermod username -p +90d

Explanation

  • -p +90d: Sets the password to expire 90 days from today; the user must choose a new one at the next login after that. The leading + is required for a relative date.
  • Password history: pw has no option for it. Its -H flag takes a file descriptor from which to read a pre-hashed password, not a history depth. The FreeBSD base system keeps no password history; pam_passwdqc's similar=deny compares a new password only against the current one.

2. Locking Accounts After Failed Attempts

FreeBSD does not lock an account automatically after a number of failed logins. pw lock is the manual step for an administrator who sees repeated failures in the audit trail; it prefixes the stored hash with *LOCKED* so that no password can match:

pw lock username

To unlock:

pw unlock username

Enforcing Password Policies with login.conf

FreeBSD also allows password policy enforcement through /etc/login.conf.

1. Editing login.conf

Open the configuration file:

vi /etc/login.conf

Modify or add the following capabilities under the default class (users assigned to another login class need them in that class instead):

default:\
    :minpasswordlen=10:\
    :passwordtime=90d:\
    :warnpassword=7d:\
    :maxlogins=3:

Explanation

  • minpasswordlen=10: Sets minimum password length to 10 characters.
  • passwordtime=90d: Forces password changes every 90 days.
  • warnpassword=7d: Warns users 7 days before password expiration.
  • maxlogins=3: Limits simultaneous logins.

2. Apply Changes

Run:

cap_mkdb /etc/login.conf

This compiles /etc/login.conf into /etc/login.conf.db, which is what login(1) and passwd(1) actually read; edits to login.conf have no effect until cap_mkdb has been run.

Monitoring and Auditing Password Security

After enforcing policies, continuous monitoring is necessary. Use FreeBSD’s audit features to track authentication attempts and password changes.

1. Enabling Audit Logs

Ensure auditd is enabled:

echo 'auditd_enable="YES"' >> /etc/rc.conf
service auditd start

2. Configuring Audit Rules

Edit /etc/security/audit_control to capture authentication events:

vi /etc/security/audit_control

Ensure the flags line includes the lo (login and logout) and ad (administrative) classes:

flags:lo,ad

Restart the audit daemon:

service auditd restart

Review the recorded login and administrative events, selecting the same two classes with auditreduce and rendering them with praudit:

auditreduce -c lo,ad /var/audit/* | praudit

Conclusion

Enforcing strong password policies on FreeBSD requires a combination of PAM modules, pw settings, and login class configurations. Implementing these measures enhances security, protects user accounts, and ensures compliance with best practices. By configuring these tools properly and monitoring password-related activities, administrators can maintain a secure FreeBSD environment.