Configurable Password Policy

Overview

A password is a sequence of characters used to confirm a user's identity during authentication. A strong password protects user accounts against unauthorized access and is the first line of defense against attack: attackers routinely use automated tools to guess or crack passwords, and weak passwords fall quickly. Organizations therefore require long passwords that mix letters, digits and special characters, because every additional character and character class multiplies the work an attacker has to invest.

OcNOS manages user accounts and their passwords in the OcNOS configuration; each password is then reflected into the standard Linux user database, /etc/passwd and /etc/shadow.

The password-expiration settings in OcNOS and in the standard Linux user-management system are not always identical. Because the OcNOS shell does not behave like a standard shell such as bash, equivalent mechanisms have to be implemented in the OcNOS shell to force a change of the default password and to enforce expiration dates.

Feature Characteristics

Enforcing strong passwords protects the sensitive data associated with user accounts, including those of employees and customers, against unauthorized access.

Integrating PAM to OcNOS

PAM (Pluggable Authentication Modules) is the standard Linux framework through which applications delegate authentication and password-quality checks to third-party, pluggable modules. It lets the password policy be enforced by the operating system's own modules rather than by logic inside OcNOS.

To satisfy customer requirements, OcNOS uses pam_pwquality and pam_pwhistory, standard Linux PAM modules. This is preferable to implementing a custom password-strength checker inside OcNOS.

When a user sets a password in plain text it is hashed immediately, and from then on only the hash is kept and used internally to save the settings; the plain-text password is stored nowhere. PAM, however, can only check password strength against the plain text, so the check has to run during the short window in which the plain text is still available.

In OcNOS the real password change is not performed while the plain text is held: a 'commit' stores the change in the running configuration, and it is persisted only when 'write' is executed. Because PAM cannot verify the strength of a password without actually setting it, OcNOS temporarily sets the new password while it still holds the plain text, so that PAM can decide whether it meets the policy and the change is permitted. If the password passes and the temporary change has been applied, a further step reverts the account to the original password.

The PAM modules are configured in /etc/security/pwquality.conf and /etc/pam.d/common-password. OcNOS holds internal default values based on customer requirements and writes them into these files at system startup; the files are rewritten whenever the corresponding values are changed through the CLI. In addition, users are prompted to replace the default password.

To force a change of the default passwords, the shell checks at login whether the stored password hash matches the hash computed for the account's default password, which is derived from the user name, and if so prompts the user to change it. Because the 'OcNOS' user's shell is 'cmlsh' while the 'root' user's shell is 'bash', this check is implemented separately: for the OcNOS user in cmlsh_start() in cmlsh_main, and for the root user in /root/.bash

Benefits

  • Strong passwords protect user accounts and devices against unauthorized access and safeguard sensitive information.
  • Complex passwords are far more expensive to guess or crack, which reduces exposure to automated attacks.

Configuration

All user-management and password updates, including those of the underlying Linux accounts, are driven from the OcNOS configuration.

The configuration below enables the local password policy and tunes its parameters.

Topology

Use the OcNOS interface to manage user accounts: create accounts, set or disable passwords, and maintain account information.

The figure illustrates how user account passwords are authenticated and authorized.

Figure 22. OcNOS

OcNOS Device

  1. Enable the aaa local authentication password-policy.

    OcNOS#configure terminal
    OcNOS(config)#aaa local authentication password-policy
    OcNOS(config)#commit

  2. Configure the individual password-policy parameters. The values below are the ones used in Validation 2 and in the implementation examples; commit after setting them.

    OcNOS(config)#aaa local authentication password-policy disable-usercheck
    OcNOS(config)#aaa local authentication password-policy history 10
    OcNOS(config)#aaa local authentication password-policy lowercase-count 3
    OcNOS(config)#aaa local authentication password-policy maxrepeat 2
    OcNOS(config)#aaa local authentication password-policy maxsequence 3
    OcNOS(config)#aaa local authentication password-policy min-length 10
    OcNOS(config)#aaa local authentication password-policy numeric-count 3
    OcNOS(config)#aaa local authentication password-policy special-count 3
    OcNOS(config)#aaa local authentication password-policy uppercase-count 2 
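How these CLI values would land in /etc/security/pwquality.conf, as an added illustration rather than the file OcNOS actually writes: the mapping to libpwquality option names is assumed from the parameter meanings, and the exact layout OcNOS generates is not shown on this page. In pwquality a negative credit value means "at least N characters of this class". The history value has no pwquality equivalent; it corresponds to the remember= option of pam_pwhistory on the password line in /etc/pam.d/common-password.

```ini
# Added illustration: assumed pwquality.conf rendering of the step-2 values.
# Not the file OcNOS generates; option names are those of libpwquality.
# min-length 10
minlen = 10
# negative credits = minimum count of that character class
# numeric-count 3, uppercase-count 2, lowercase-count 3, special-count 3
dcredit = -3
ucredit = -2
lcredit = -3
ocredit = -3
# maxrepeat 2 ("Allowed the number of same consecutive characters")
maxrepeat = 2
# maxsequence 3 ("Allowed the number of monotonic character sequences")
maxsequence = 3
# disable-usercheck
usercheck = 0
```

The defaults printed in Validation 1 (one character of each class, minimum length 8, maxrepeat 1, maxsequence 5, usercheck enabled) would be rendered the same way; note in particular that the default maxrepeat of 1 rejects any doubled character such as "$$".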

Validation 1

Before enabling the local authentication password-policy.

# show aaa authentication password-policy 
 
Password policy parameter: 
 
Password policy feature: Disabled 
Minimum number of digit: 1 
Minimum number of uppercase character: 1 
Minimum number of lowercase character: 1 
Minimum number of special character: 1 
Allowed the number of monotonic character sequences: 5 
Username check: Enabled 
Allowed the number of same consecutive characters: 1 
Minimum length of password: 8 
Number of remembered passwords: 5 

After enabling the local authentication password-policy.

#show running-config 
 
aaa local authentication password-policy 
 
#show aaa authentication password-policy 
 
Password policy parameter: 
Password policy feature: Enabled
Minimum number of digit: 1 
Minimum number of uppercase character: 1 
Minimum number of lowercase character: 1 
Minimum number of special character: 1 
Allowed the number of monotonic character sequences: 5 
Username check: Enabled 
Allowed the number of same consecutive characters: 1 
Minimum length of password: 8 
Number of remembered passwords: 5 

Validation 2

After the step-2 parameters are configured and committed, the policy shows the new values.

#show aaa authentication password-policy 
 
Password policy parameter: 
Password policy feature: Enabled 
Minimum number of digit: 3 
Minimum number of uppercase character: 2 
Minimum number of lowercase character: 3 
Minimum number of special character: 3 
Allowed the number of monotonic character sequences: 3 
Username check: Disabled 
Allowed the number of same consecutive characters: 2 
Minimum length of password: 10 
Number of remembered passwords: 10 

Implementation Examples

With the policy parameters from step 2 applied, enter a password that does not satisfy the policy. Testing@123 contains only one uppercase letter, while the policy requires two, so the first violation reported is the uppercase count:

OcNOS(config)#username OcNOS role network-admin password Testing@123 

BAD PASSWORD: The password contains less than 2 uppercase letters.

%% The password is too weak.

Password-policy logs

A password that satisfies the policy is accepted and can be committed:

OcNOS(config)#username OcNOS role network-admin password T3$$Ting@123 
OcNOS(config)#commit 
OcNOS(config)# 

The accepted password T3$$Ting@123 meets the step-2 policy as follows:

  • Uppercase characters: 2 (required: 2)
  • Lowercase characters: 3 (required: 3)
  • Special characters: 3 (required: 3)
  • Numerical characters: 4 (required: 3)
  • Total password length: 12 (required: at least 10)
  • Longest run of one character: 2 ("$$", allowed: 2); longest monotonic sequence: 3 ("123", allowed: 3)
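The strength check that PAM performs on the plain text (Integrating PAM to OcNOS) and the character counting behind the implementation examples above, as an added, illustrative Python checker. This is not OcNOS or pam_pwquality code: the field names mirror the CLI keywords, the maxrepeat, maxsequence and usercheck handling approximates pam_pwquality's, the message texts are modelled on its "BAD PASSWORD" wording, and PBKDF2-SHA512 is an assumed stand-in for the crypt(3) hashes that Linux keeps in /etc/shadow and that pam_pwhistory keeps in /etc/security/opasswd. STEP2_POLICY and must_change_default() are names chosen for this example, and the assumption that the built-in account's default password equals its user name is taken from the login check described above.

```python
"""Added example (not OcNOS or pam_pwquality code): a checker that mirrors the
OcNOS password-policy parameters, plus the history and default-password checks.
PBKDF2-SHA512 stands in for the crypt(3) hashes in /etc/shadow and opasswd."""
from __future__ import annotations

from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass
class PasswordPolicy:
    # Field names follow the CLI keywords; defaults are the values that
    # 'show aaa authentication password-policy' prints before any tuning.
    min_length: int = 8
    numeric_count: int = 1
    uppercase_count: int = 1
    lowercase_count: int = 1
    special_count: int = 1
    maxsequence: int = 5    # longest allowed monotonic run such as '123' or 'cba'
    maxrepeat: int = 1      # longest allowed run of one repeated character
    usercheck: bool = True  # reject passwords that contain the user name
    history: int = 5        # how many previous passwords may not be reused


# The values configured in step 2 of the Configuration section.
STEP2_POLICY = PasswordPolicy(min_length=10, numeric_count=3, uppercase_count=2,
                              lowercase_count=3, special_count=3, maxsequence=3,
                              maxrepeat=2, usercheck=False, history=10)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA512, returned as (salt, digest); assumed stand-in for crypt(3)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)


def verify_password(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def longest_repeat(pw: str) -> int:
    """Longest run of one character, e.g. 2 for the '$$' in 'T3$$Ting@123'."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best


def longest_monotonic(pw: str) -> int:
    """Longest run of code points stepping by +1 or -1 ('abcd', '4321')."""
    best = run = 1 if pw else 0
    step = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1):
            run = run + 1 if d == step else 2
            step = d
        else:
            run, step = 1, 0
        best = max(best, run)
    return best


def check_password(pw: str, username: str, policy: PasswordPolicy,
                   history: list[tuple[bytes, bytes]] | None = None) -> list[str]:
    """Return every violation (empty list = accepted); the first one is what the
    user sees as 'BAD PASSWORD: ...'. Only the plain text can be checked."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"The password is shorter than {policy.min_length} characters")
    required = [  # (character class, minimum count, actual count)
        ("digits", policy.numeric_count, sum(c.isdigit() for c in pw)),
        ("uppercase letters", policy.uppercase_count, sum(c.isupper() for c in pw)),
        ("lowercase letters", policy.lowercase_count, sum(c.islower() for c in pw)),
        ("non-alphanumeric characters", policy.special_count, sum(not c.isalnum() for c in pw)),
    ]
    for kind, need, have in required:
        if have < need:
            problems.append(f"The password contains less than {need} {kind}")
    if longest_repeat(pw) > policy.maxrepeat:
        problems.append(f"The password contains more than {policy.maxrepeat} same characters consecutively")
    if longest_monotonic(pw) > policy.maxsequence:
        problems.append(f"The password contains monotonic sequence longer than {policy.maxsequence} characters")
    user = username.lower()
    if policy.usercheck and (user in pw.lower() or user[::-1] in pw.lower()):
        problems.append("The password contains the user name in some form")
    # pam_pwhistory-style check against the last N stored hashes.
    recent = (history or [])[-policy.history:] if policy.history > 0 else []
    if any(verify_password(pw, old) for old in recent):
        problems.append(f"The password was used within the last {policy.history} passwords")
    return problems


def must_change_default(username: str, current: tuple[bytes, bytes]) -> bool:
    """Login-time check: the stored hash still verifies against the default
    password, assumed here (per the login check in the text) to equal the user name."""
    return verify_password(username, current)
```

Calling check_password("Testing@123", "OcNOS", STEP2_POLICY) returns the uppercase message first, followed by the special-character message that pam_pwquality does not reach because it stops at the first failure; check_password("T3$$Ting@123", "OcNOS", STEP2_POLICY) returns an empty list. The same accepted password fails the default policy from Validation 1, because maxrepeat 1 rejects the "$$" run; the step-2 value maxrepeat 2 is what makes it acceptable. Passing the previous hashes as history reproduces the reuse rejection, and must_change_default("OcNOS", hash_password("OcNOS")) is True until the account's hash no longer matches the default.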