A few years ago I created D27656[1]. It did not gain much interest, but it's still relevant. Yesterday I looked at the Security chapter of the FreeBSD Handbook and found no consistent example of enforcing password policies[2].

Where is the problem? When the user's password expires, the password change will be enforced immediately upon logging in and the policy enforcement set in /etc/pam.d/passwd will not be applied. In case of an expired password, password policy enforcement will only work if set in the appropriate pam.d config file corresponding to the authentication method (usually /etc/pam.d/sshd or /etc/pam.d/login). Moreover, in the case of an expired password, the password change will be done under uid 0, so only enforce=everyone makes sense.

Maybe we can fix it by extending examples, but probably the right way will be to change PAM modules internally to better handle changing expired passwords.

To reproduce:
- Configure the system following [2]
- Set: "pw user mod exampleuser -p 31-Dec-2023"
- Login via console or ssh to the system as exampleuser and set the password to empty (just press enter twice).

Over 3 years ago I found it as a foot-shooting issue and spent a few hours figuring out how it was possible that some users had set empty passwords, but I think that more people enforcing password policies might be affected.

1. https://reviews.freebsd.org/D27656
2. https://docs.freebsd.org/en/books/handbook/security/#security-pwpolicy
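The report's point is that an expired-password change goes through the PAM stack of the service that authenticated the user (login or sshd), running as uid 0, so a pam_passwdqc line in /etc/pam.d/passwd alone is never consulted, and anything other than enforce=everyone is skipped for uid 0. The following audit script is an added example written for this page; it is not the reporter's patch and not FreeBSD code. It walks a pam.d directory, follows "password include" directives, and reports for passwd, login and sshd whether a pam_passwdqc line with enforce=everyone is reached. The sample pam.d trees it builds are constructed, simplified stand-ins (the real FreeBSD defaults are longer and live in /etc/pam.d); the option names enforce=users and enforce=everyone are pam_passwdqc's own.

```shell
#!/bin/sh
# Added example (not from the bug report, not FreeBSD code): audit a pam.d
# directory for password-policy enforcement on expired-password changes.
# Only the "password" facility is inspected; the sample trees below are
# constructed and do not claim to reproduce FreeBSD's real default files.

# password_lines DIR FILE: print the active "password"-type lines of
# DIR/FILE, following "password include OTHER" so that a policy placed in
# DIR/system is credited to services (login, sshd) that include it.
password_lines() {
    d=$1
    [ -f "$d/$2" ] || return 0
    grep -E '^[[:space:]]*password[[:space:]]' "$d/$2" | while IFS= read -r l; do
        set -- $l                      # $1=facility $2=control $3=module/file
        if [ "$2" = "include" ] && [ -n "$3" ]; then
            password_lines "$d" "$3"
        else
            printf '%s\n' "$l"
        fi
    done
}

# check_pam_policy DIR: one report line per service; returns 0 only when
# passwd, login and sshd all reach a pam_passwdqc line with enforce=everyone
# (the only setting that still applies when the change runs as uid 0).
check_pam_policy() {
    dir=$1
    status=0
    for svc in passwd login sshd; do
        if [ ! -f "$dir/$svc" ]; then
            echo "$svc: missing file"
            status=1
            continue
        fi
        line=$(password_lines "$dir" "$svc" | grep 'pam_passwdqc\.so' | head -n 1)
        case $line in
            '')
                echo "$svc: no pam_passwdqc password line"
                status=1 ;;
            *enforce=everyone*)
                echo "$svc: ok" ;;
            *)
                echo "$svc: pam_passwdqc present but enforce is not everyone"
                status=1 ;;
        esac
    done
    return $status
}

# make_sample_pamd DIR MODE: build a constructed pam.d tree. MODE "bad"
# mirrors the misconfiguration in the report (policy only in passwd, with
# enforce=users); MODE "good" places enforce=everyone where login and sshd
# reach it via "password include system".
make_sample_pamd() {
    out_dir=$1
    mode=$2
    mkdir -p "$out_dir"
    qc='password  requisite  pam_passwdqc.so  min=disabled,disabled,disabled,12,10 similar=deny retry=3'
    unix='password  required   pam_unix.so      no_warn try_first_pass'
    if [ "$mode" = good ]; then
        printf '%s enforce=everyone\n%s\n' "$qc" "$unix" > "$out_dir/system"
        printf '%s enforce=everyone\n%s\n' "$qc" "$unix" > "$out_dir/passwd"
    else
        printf '%s\n' "$unix" > "$out_dir/system"
        printf '%s enforce=users\n%s nullok\n' "$qc" "$unix" > "$out_dir/passwd"
    fi
    printf '# password\npassword  include  system\n' > "$out_dir/login"
    printf 'password  include  system\n' > "$out_dir/sshd"
}

# Demo on constructed trees in a temporary directory; /etc/pam.d is not touched.
demo_dir=$(mktemp -d)
make_sample_pamd "$demo_dir/bad" bad
make_sample_pamd "$demo_dir/good" good
echo "== misconfigured (policy only in passwd, enforce=users) =="
check_pam_policy "$demo_dir/bad" || true
echo "== corrected (policy in system, enforce=everyone) =="
check_pam_policy "$demo_dir/good" || true
rm -rf "$demo_dir"
```

To audit a live system, source the functions and run `check_pam_policy /etc/pam.d`; a non-zero exit means at least one of the three services would let an expired-password change through without the policy.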
Created attachment 247742: patch extending examples
I am sorry for the noise. It looks like in the meantime the flaw got fixed since I am no longer able to reproduce it either on stable/13 or stable/14.