Bug 16244
| Summary: | [PATCH] don't allow password re-use when changing passwords | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Scott Gasch <scott> | ||||
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | ||||||
| Priority: | Normal | ||||||
| Version: | 1.0-RELEASE | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
Responsible Changed From-To: gnats-admin->freebsd-bugs gnats-admin is not a valid person to have a responsibility. State Changed From-To: open->closed FreeBSD: "Tools, not policy." |
Hello, Enclosed is a patch to /usr/bin/passwd. The purpose of this code is to not allow users to reuse the same password again when they change their password (either voluntarilly or by force). The code works by maintaining a password history (HIST_FILE, default to /etc/passwd.hist) file where the last HIST_COUNT encrypted passwords of users are stored (HIST_COUNT being configurable). Only the passwords of users whose login class includes the boolean "usepasswordhist" capability are tracked in this history file. The file is created uid 0 gid 0 mode 0600 and every time it is read/written this setting is checked and, if needed, reset. When a user whose login class includes "usepasswordhist" in it changes his/her password the new password is compared to the ones already on record in the HIST_FILE. If it matches any of the old passwords the new password is refused. Like the other password restrictions this mechanism will allow root to insist on the new password after warning once. There is code in place to handle users who write scripts to quickly rotate their passwords in an attempt to beat the system. Specifically, if a user's old password list is full (contains HIST_COUNT old passowords) and the newest of the old passwords is less than HIST_TIME seconds old (default to 3600) when the user changes his password again, the new password simply replaces the newest old password on the history list. Of course if the newest old password on the list is older than HIST_TIME seconds, the list is rippled down and the oldest entry is lost. Also, I understand that individual users can specify their own personal login.conf files and could probably override the "usepasswordhist" capability as it is not protected. I understand that this code might not be for everyone. There are several reasons for this: First, it creates another file with encrypted passwords in it. Even though it keeps an eye on the security of this file and this file only contains old passwords in encrypted format it is not something one would want to share with bad guys. Also, with this new code, the clear text new password stays in memory longer. To me this is a minor issue but I suppose it might bother some people. Indeed the entire password history file (and all the encrypted passwords therein) is in memory during the execution of passwd. Finally it might be argued that a mechanism such as this one where a user is forced to change their password to a unique one coupled with a policy where users must change their passwords every N days may decrease overall security by encouraging people to write passwords down or use passwords in a logical progression. I posted on hackers about this idea and no one seemed very interested... Still, this code may be useful and may be something you are interested in. Users in login classes without the "usepasswordhist" capability defined are, of course, do not use this mechanism and their old passwords are not tracked in the HIST_FILE. Also, the code is only included if you define PASS_HIST while building passwd. Anyway, here's the patch along with two new files (passhist.c and passhist.h). The patch is against CURRENT as of today... it's in shar format in the How-To-Repeat section. The two new files are meant to be dropped in /usr/src/usr.bin/passwd along with the rest. I have not tried this on a YP system but suspect it would be pretty useless as it will store the passwd.hist file on each individual machine. I do not have a YP system setup here but I suspect adapting this to YP would be simple. Hope this is something useful and thanks for your time (and a great OS!). Scott