Local Password policy
-
Is there a configuration or setting in place to enforce local user passwords with length and complexity?
-
No. Using an external authentication server would be the best way to do that if you need it.
Steve
-
@stephenw10 While using an external authentication server would be the best way to do this for additional users, there should still be password controls for local accounts (such as break-glass admin accounts) in order to be compliant with PCI/SOC2. Lots of other appliances support password policies while also supporting external authentication and it isn't a difficult thing to implement I feel like.
-
It would certainly be a nice feature to have. Using an external auth server is the only way to do it currently though, so still the best answer to that question.
I don't see an open feature request for it so you could add one:
https://redmine.pfsense.org/
Steve
-
When the pfSense admin (the human) is
@hlrobert said in Local Password policy:
compliant with PCI/SOC2
then the question is solved, right?
Things like "enforce local user passwords" are common knowledge for people that are administering a firewall.
Like, when you join the Marine force, no one will ask you if you can swim either ;)
Normally, there is only one person who connects to the GUI or the SSH access. That's the admin, a human, or more than one, who know far more than the basic security rules.
You can reserve a LAN type interface for the admin access only, and physically disconnect this interface. All other interfaces use firewall rules that forbid access to pfSense ports 443 and 22.
SSH access can be set to use "public key only".
Is there a reason why multiple users should have access to a firewall / router?
Note, there is one that I know of: when you use the local user manager to grant access to your local captive portal, then yes, there could be multiple 'pfSense' users.
But these should not have admin access, can not connect to the GUI, their user-name and password should only work on the portal login page, and that's not the pfSense GUI.
Btw: I'm not debating that "the user/admin should know better", and I agree that, if the system can enforce and automate security rules, that's always better than 'just the human'.
Password enforcement could be as simple as: https://docs.freebsd.org/en/books/handbook/security/#security-pwpolicy but be careful, one slight error and you could be locked out of the system.
I did not test this myself.
Btw: /usr/lib/pam_passwdqc.so exists on pfSense.
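The pam_passwdqc setup the post links to, written out as an added example (not from this thread or from the pfSense project); it assumes FreeBSD's /etc/pam.d/passwd layout and the option values the linked handbook section suggests.

```conf
# /etc/pam.d/passwd (FreeBSD layout, as in the linked handbook section)
#
# Weak setting: pam_unix alone accepts whatever password the user types.
#password   required    pam_unix.so     no_warn try_first_pass
#
# Enforced: pam_passwdqc runs first as "requisite", so a password that fails
# the policy is rejected before pam_unix ever stores it.
#   min=disabled,disabled,disabled,12,10
#       minimum lengths by character-class count: one-class, two-class and
#       passphrase-style passwords are refused outright; three-class passwords
#       need 12 characters, four-class passwords need 10
#   similar=deny   reject a new password too similar to the old one
#   retry=3        attempts before passwd(1) gives up
#   enforce=users  apply to ordinary users, root may override (handbook value);
#                  enforce=everyone would include root as well
password    requisite   pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users
password    required    pam_unix.so     no_warn try_first_pass
```

Keep a console session open while testing a change to this file, since the lock-out warning in the post applies. This governs only password changes made through the passwd(1) PAM stack; whether pfSense's GUI user manager consults it is not something the thread establishes.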
-
@gertjan My PCI/SOC2 auditor would like to talk to you.
-
@hlrobert said in Local Password policy:
My PCI/SOC2 auditor would like to talk to you.
I know you're joking ;)
When handling private data like credit card stuff, medical data, or worse, army stuff, all bets are off. Even simple systems that handle the power grid should be seriously protected, because it's the blood of our society.
I only need one training when I have to deal with "PCI/SOC2": and that is writing clear and correct huge payment checks, as I would eject myself out of the "I know that" position.
I would pay someone. And sue the hell out of him when things go wrong.