control-pam: Add password hashing and password policy controls #21

Merged
neil merged 1 commits from solardiz-patch-19 into main 2023-12-28 15:25:50 +00:00
3 changed files with 32 additions and 3 deletions
Showing only changes of commit a270dfad83 - Show all commits

View File

@ -2,6 +2,10 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## December 27, 2023
[control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.
## December 18, 2023 ## December 18, 2023
This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far. This SIG/Security News wiki page has been created, retroactively identifying and listing selected news items so far.

View File

@ -2,7 +2,7 @@
## EL9 ## EL9
- Version `0.8.0-4.el9_3.security` - Version `0.8.0-5.el9_3.security`
### Package summary ### Package summary
@ -17,7 +17,7 @@ We manage permissions on SUID/SGID/setcap programs because those programs pose r
While the original `control` package in Owl and ALT Linux merely provides the common interface mentioned above for other packages to register their facilities with (and many packages in those distros do), it's been adapted in Rocky Linux to provide its own sub-packages with facility specifications and RPM trigger scripts for other packages coming from EL. This way, we can `control` those facilities and have custom settings persist (be automatically saved and restored) over package upgrades without us having to maintain forks of those other packages. While the original `control` package in Owl and ALT Linux merely provides the common interface mentioned above for other packages to register their facilities with (and many packages in those distros do), it's been adapted in Rocky Linux to provide its own sub-packages with facility specifications and RPM trigger scripts for other packages coming from EL. This way, we can `control` those facilities and have custom settings persist (be automatically saved and restored) over package upgrades without us having to maintain forks of those other packages.
The available facilities, their current settings, and lists of possible settings can be queried by running the `control` command without parameters. With all currently available sub-packages installed, its output may be: The available facilities, their current settings, and lists of possible settings can be queried by running the `control` command without parameters. With all currently available sub-packages installed and upstream default settings, its output is:
``` ```
chage public (public restricted) chage public (public restricted)
@ -26,9 +26,25 @@ mount public (public wheelonly unprivileged restricted)
newgidmap public (public wheelonly restricted) newgidmap public (public wheelonly restricted)
newgrp public (public wheelonly restricted) newgrp public (public wheelonly restricted)
newuidmap public (public wheelonly restricted) newuidmap public (public wheelonly restricted)
password-hash sha512crypt (sha512crypt yescrypt)
password-policy pwquality (pwquality passwdqc)
write public (public restricted) write public (public restricted)
``` ```
With maximum security hardening, it changes to:
```
chage restricted (public restricted)
gpasswd restricted (public wheelonly restricted)
mount restricted (public wheelonly unprivileged restricted)
newgidmap restricted (public wheelonly restricted)
newgrp restricted (public wheelonly restricted)
newuidmap restricted (public wheelonly restricted)
password-hash yescrypt (sha512crypt yescrypt)
password-policy passwdqc (pwquality passwdqc)
write restricted (public restricted)
```
The default settings (typically `public`) correspond to EL packages' defaults (and are typically the most relaxed security-wise). The default settings (typically `public`) correspond to EL packages' defaults (and are typically the most relaxed security-wise).
Please refer to `control(8)` man page for command-line usage syntax. Please refer to `control(8)` man page for command-line usage syntax.
@ -49,9 +65,18 @@ Facility specifications corresponding to the `shadow-utils` package. Currently,
Facility specifications corresponding to the `util-linux` and `util-linux-core` packages. Currently, these allow to `control` access to 3 privileged programs - 2 of them (`mount` and `umount`) are by default SUID root and 1 (`write`) SGID `tty`. Facility specifications corresponding to the `util-linux` and `util-linux-core` packages. Currently, these allow to `control` access to 3 privileged programs - 2 of them (`mount` and `umount`) are by default SUID root and 1 (`write`) SGID `tty`.
#### control-pam
Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs.
### Change log ### Change log
``` ```
* Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5
- Install control(8) mode 755 since some of its features work as non-root
- Add sub-package with facilities and triggers for pam password hashing and
password policy
* Mon Dec 18 2023 Solar Designer <solar@openwall.com> 0.8.0-4 * Mon Dec 18 2023 Solar Designer <solar@openwall.com> 0.8.0-4
- Add sub-package with facilities and triggers for util-linux - Add sub-package with facilities and triggers for util-linux

View File

@ -24,7 +24,7 @@ There are 5 sub-packages:
`pam_passwdqc` is a PAM module that is normally invoked on password changes by programs such as `passwd(1)`. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable. `pam_passwdqc` is a PAM module that is normally invoked on password changes by programs such as `passwd(1)`. It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.
Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, please edit PAM configuration files e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371). Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, on EL9 use our [control](control.md), or on either EL8 or EL9 you may edit PAM configuration files manually e.g. like [shown here](https://github.com/openwall/passwdqc/issues/19#issuecomment-1140262371).
#### passwdqc-utils #### passwdqc-utils