control-pam: Add password hashing and password policy controls

Solar Designer 2023-12-27 21:22:55 +01:00
parent f4e48668bc
commit a270dfad83
3 changed files with 32 additions and 3 deletions

@ -2,6 +2,10 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## December 27, 2023
[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.
## December 18, 2023
This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.
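Review bot: The December 27 entry does not say which release the feature applies to. The package page lists this version under EL9 and the passwdqc page says "on EL9 use our control", so consider adding "on EL9" to the entry. Also, "manage user password hashing scheme" reads better as "manage the user password hashing scheme".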

@ -2,7 +2,7 @@
## EL9
- Version `0.8.0-4.el9_3.security`
- Version `0.8.0-5.el9_3.security`
### Package summary
@ -17,7 +17,7 @@ We manage permissions on SUID/SGID/setcap programs because those programs pose r
While the original `control` package in Owl and ALT Linux merely provides the common interface mentioned above for other packages to register their facilities with (and many packages in those distros do), it's been adapted in Rocky Linux to provide its own sub-packages with facility specifications and RPM trigger scripts for other packages coming from EL. This way, we can `control` those facilities and have custom settings persist (be automatically saved and restored) over package upgrades without us having to maintain forks of those other packages.
The available facilities, their current settings, and lists of possible settings can be queried by running the `control` command without parameters. With all currently available sub-packages installed, its output may be:
The available facilities, their current settings, and lists of possible settings can be queried by running the `control` command without parameters. With all currently available sub-packages installed and upstream default settings, its output is:
```
chage public (public restricted)
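Review bot: In the reworded sentence before the listing, "upstream default settings" is ambiguous, because the paragraph above it names Owl and ALT Linux as the origin of `control` while the later text says the defaults correspond to EL packages' defaults. Suggest "with the EL packages' default settings" so the two statements match.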
@ -26,9 +26,25 @@ mount public (public wheelonly unprivileged restricted)
newgidmap public (public wheelonly restricted)
newgrp public (public wheelonly restricted)
newuidmap public (public wheelonly restricted)
password-hash sha512crypt (sha512crypt yescrypt)
password-policy pwquality (pwquality passwdqc)
write public (public restricted)
```
With maximum security hardening, it changes to:
```
chage restricted (public restricted)
gpasswd restricted (public wheelonly restricted)
mount restricted (public wheelonly unprivileged restricted)
newgidmap restricted (public wheelonly restricted)
newgrp restricted (public wheelonly restricted)
newuidmap restricted (public wheelonly restricted)
password-hash yescrypt (sha512crypt yescrypt)
password-policy passwdqc (pwquality passwdqc)
write restricted (public restricted)
```
The default settings (typically `public`) correspond to EL packages' defaults (and are typically the most relaxed security-wise).
Please refer to `control(8)` man page for command-line usage syntax.
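Review bot: The unchanged sentence after the hardened listing still describes the defaults as "typically `public`" and "the most relaxed security-wise", which does not cover the two facilities added here, whose defaults are `sha512crypt` and `pwquality`. Suggest extending that sentence to name them. The line "With maximum security hardening, it changes to:" also shows the resulting state without saying how it is reached; a pointer to `control(8)` before the listing rather than only after it would help.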
@ -49,9 +65,18 @@ Facility specifications corresponding to the `shadow-utils` package. Currently,
Facility specifications corresponding to the `util-linux` and `util-linux-core` packages. Currently, these allow to `control` access to 3 privileged programs - 2 of them (`mount` and `umount`) are by default SUID root and 1 (`write`) SGID `tty`.
#### control-pam
Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs.
### Change log
```
* Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5
- Install control(8) mode 755 since some of its features work as non-root
- Add sub-package with facilities and triggers for pam password hashing and
password policy
* Mon Dec 18 2023 Solar Designer <solar@openwall.com> 0.8.0-4
- Add sub-package with facilities and triggers for util-linux
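Review bot: The new control-pam section does not name the facilities or their settings, unlike the util-linux section above it, which spells out the programs covered. Suggest listing `password-hash` (`sha512crypt`, `yescrypt`) and `password-policy` (`pwquality`, `passwdqc`), and stating whether the `passwdqc` setting needs the passwdqc PAM module installed, with a link to the passwdqc page. The changelog line about installing control(8) mode 755 is a separate change that the commit title does not mention.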

@ -24,7 +24,7 @@ There are 5 sub-packages:
`pam_passwdqc` is a PAM module that is normally invoked on password changes by programs such as `passwd(1)`. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.
Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, please edit PAM configuration files e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371).
Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, on EL9 use our [control](control.md), or on either EL8 or EL9 you may edit PAM configuration files manually e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371).
#### passwdqc-utils
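Review bot: The replacement sentence says "on EL9 use our control" without naming the sub-package or the setting, so a reader has to find `control-pam` and `password-policy passwdqc` on the other page. Suggest naming both here, and splitting the EL9 path and the manual-edit path into two sentences.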