Configurable Password Policy
Overview
A password is a sequence of characters used to confirm a user's identity during authentication. A strong password protects user accounts and prevents unauthorized access; strong passwords are the first line of defense against cyberattacks. Attackers commonly use automated tools to crack passwords, and weak passwords are easily guessed or cracked. Every organization encourages its users to use long passwords that combine alphanumeric and special characters. A long password is harder to crack and forces an attacker to invest far more time to break into the system.
OcNOS manages user accounts and their passwords in the OcNOS configuration; the passwords are then reflected into the standard Linux user management database, /etc/passwd and /etc/shadow.
The password expiration settings in OcNOS and in the standard Linux user management system are not always identical. Since the OcNOS shell does not operate like standard shells such as bash, equivalent mechanisms must be implemented in the OcNOS shell to enforce default password changes and set expiration dates.
Feature Characteristics
Setting up strong passwords safeguards sensitive data associated with user accounts, including those of employees and customers, against unauthorized access.
Integrating PAM to OcNOS
Privileged Access Management (PAM) is a third-party pluggable security tool that protects organizations from cyber threats by overseeing, detecting, and thwarting unauthorized privileged access to vital resources.
To satisfy customer requirements, OcNOS uses pam_pwquality and pam_pwhistory, standard PAM modules in Linux. These are a better choice than implementing a custom password-strength verification system within OcNOS.
When a user sets a password in plain text, it is immediately hashed, and from then on only the hashed password is used internally to save the settings. The plain text password is not stored anywhere. However, PAM can verify password strength only with the plain text password, so verification must be performed while the plain text password is still available.
In OcNOS, the actual password change is not performed while the plain text password is held: when a 'commit' operation is executed, the change is saved until a 'write' operation is executed. Because PAM cannot verify the strength of a password without setting it, OcNOS temporarily sets the password while it still holds the plain text, to check whether the new password meets the password policy and can be changed. If it meets the policy and the password is changed, a further step reverts it to the original password.
PAM modules are configured in /etc/security/pwquality.conf and /etc/pam.d/common-password. OcNOS internally holds default values based on customer requirements and writes them to these files at system startup. The files are updated whenever the corresponding configuration values are changed through the CLI, and the user is prompted to update the default password.
To enforce updating the default password, OcNOS checks whether the stored encrypted password matches one calculated from the username and, if so, prompts the user to change it. Since the shell of the 'OcNOS' user is 'cmlsh' and the shell of the 'root' user is 'bash', this code is implemented separately for each. For the OcNOS user, it is implemented in cmlsh_start() in cmlsh_main. For the root user, it is done in /root/.bash
Benefits
• Strong passwords protect user accounts and devices from unauthorized access and safeguard sensitive information.
• If the passwords are complex, data is safe from cyber threats and hackers.
Configuration
All user management and password updates, including those of the Linux accounts, are triggered from the OcNOS configuration.
The configurations below enable and tune the password policy.
Topology
Use the OcNOS interface to manage user accounts: create accounts, disable passwords, and maintain user account information.
The image illustrates a method for authenticating and authorizing user account passwords.
OcNOS Device
1. Enable the aaa local authentication password-policy
OcNOS#configure terminal
OcNOS(config)#aaa local authentication password-policy
OcNOS(config)#commit
2. Configure the aaa local authentication password-policy parameters to enforce the rules below.
OcNOS(config)#aaa local authentication password-policy disable-usercheck
OcNOS(config)#aaa local authentication password-policy history 10
OcNOS(config)#aaa local authentication password-policy lowercase-count 3
OcNOS(config)#aaa local authentication password-policy maxrepeat 2
OcNOS(config)#aaa local authentication password-policy maxsequence 3
OcNOS(config)#aaa local authentication password-policy min-length 10
OcNOS(config)#aaa local authentication password-policy numeric-count 3
OcNOS(config)#aaa local authentication password-policy special-count 3
OcNOS(config)#aaa local authentication password-policy uppercase-count 2
Validation 1
Before enabling the local authentication password-policy.
# show aaa authentication password-policy
Password policy parameter:
Password policy feature: Disabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
After enabling the local authentication password-policy.
#show running-config
aaa local authentication password-policy
#show aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
Validation 2
#show aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 3
Minimum number of uppercase character: 2
Minimum number of lowercase character: 3
Minimum number of special character: 3
Allowed the number of monotonic character sequences: 3
Username check: Disabled
Allowed the number of same consecutive characters: 2
Minimum length of password: 10
Number of remembered passwords: 10
Implementation Examples
Set your own password-policy parameters and enter a password that does not comply with the policy:
OcNOS(config)#username OcNOS role network-admin password Testing@123
BAD PASSWORD: The password contains less than 2 uppercase letters.
%% The password is too weak.
Password-policy log when a compliant password is entered:
OcNOS(config)#username OcNOS role network-admin password T3$$Ting@123
OcNOS(config)#commit
OcNOS(config)#
Based on the above configuration, set the password in the following format:
• Uppercase characters: 2
• Lowercase characters: 3
• Special characters: 3
• Numerical characters: 3
• Total password length: 12
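The policy checks described above, modelled offline so the two passwords from this section can be tested against the "Validation 2" parameters. This is an added example, not OcNOS or pam_pwquality code; it assumes pam_pwquality semantics (the *-count values are minimums, maxrepeat and maxsequence cap run lengths, usercheck rejects a password containing the username or its reverse in any letter case) and does not model password history.

```python
# Offline model of the OcNOS "aaa local authentication password-policy" checks.
# Added example, not OcNOS or pam_pwquality code. Assumed semantics follow
# pam_pwquality, to which the page says OcNOS delegates: *-count values are
# minimums, maxrepeat/maxsequence cap run lengths, usercheck rejects a password
# containing the username or its reverse in any case; history is not modelled.
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    # Defaults as printed by "show aaa authentication password-policy"
    min_length: int = 8
    numeric_count: int = 1
    uppercase_count: int = 1
    lowercase_count: int = 1
    special_count: int = 1
    maxsequence: int = 5
    maxrepeat: int = 1
    usercheck: bool = True

def longest_run(pw: str) -> int:
    """Longest run of one repeated character (maxrepeat check)."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def longest_monotonic(pw: str) -> int:
    """Longest strictly ascending or descending sequence such as '123' or 'cba'."""
    best = run = 1
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best

def check_password(pw: str, username: str, policy: PasswordPolicy) -> list:
    """Return every violation, first one in pwquality's reporting order ([] = accepted)."""
    counts = [
        ("digits", sum(c.isdigit() for c in pw), policy.numeric_count),
        ("uppercase letters", sum(c.isupper() for c in pw), policy.uppercase_count),
        ("lowercase letters", sum(c.islower() for c in pw), policy.lowercase_count),
        ("special characters", sum(c in string.punctuation for c in pw), policy.special_count),
    ]
    problems = [f"The password contains less than {need} {kind}"
                for kind, have, need in counts if have < need]
    if len(pw) < policy.min_length:
        problems.append(f"The password is shorter than {policy.min_length} characters")
    if longest_run(pw) > policy.maxrepeat:
        problems.append(f"The password contains more than {policy.maxrepeat} same characters consecutively")
    if longest_monotonic(pw) > policy.maxsequence:
        problems.append(f"The password contains monotonic sequence longer than {policy.maxsequence} characters")
    low, user = pw.lower(), username.lower()
    if policy.usercheck and user and (user in low or user[::-1] in low):
        problems.append("The password contains the user name in some form")
    return problems
```

With the Validation 2 policy, "Testing@123" is rejected first for having fewer than 2 uppercase letters (the message OcNOS printed above), while "T3$$Ting@123" passes every check.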
New CLI Commands
The configurable password policy introduces the following configuration commands.
aaa authentication password-policy
Use this command to display the current password-policy settings.
Command Syntax
# show aaa authentication password-policy
Parameters
None
Default
None
Command Mode
Privilege mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
OcNOS# show aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
aaa local authentication password-policy
Use this command to enable/disable the password-policy.
Use no parameter of this command to disable.
Command Syntax
aaa local authentication password-policy
no aaa local authentication password-policy
Parameters
Not applicable
Default
Note: The aaa local authentication password-policy is disabled by default.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
OcNOS#configure terminal
OcNOS(config)#aaa local authentication password-policy
OcNOS(config)#commit
aaa local authentication password-policy numeric-count
Use this command to set the minimum number of digits.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy numeric-count <1-32>
no aaa local authentication password-policy numeric-count <1-32>
Parameters
<1-32>
Specifies the minimum number of digits.
Default
Note: The aaa local authentication password-policy numeric-count value is 1.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy numeric-count 2
(config)#commit
#show aaa authentication password-policy
(config)#no aaa local authentication password-policy numeric-count
(config)#commit
#show aaa authentication password-policy
aaa local authentication password-policy uppercase-count
Use this command to set the minimum number of uppercase characters.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy uppercase-count <1-32>
Parameters
<1-32>
Specifies the minimum number of uppercase characters.
Default
Note: The aaa local authentication password-policy uppercase-count value is 1.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy uppercase-count 2
(config)#commit
#show aaa authentication password-policy
(config)#no aaa local authentication password-policy uppercase-count
(config)#commit
#show aaa authentication password-policy
aaa local authentication password-policy lowercase-count
Use this command to set the minimum number of lowercase characters.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy lowercase-count <1-32>
Parameters
<1-32>
Specifies the minimum number of lowercase characters.
Default
Note: The aaa local authentication password-policy lowercase-count value is 1.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy lowercase-count 2
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy lowercase-count
(config)# commit
#show aaa authentication password-policy
aaa local authentication password-policy special-count
Use this command to set the minimum number of special characters.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy special-count <1-32>
Parameters
<1-32>
Specifies the minimum number of special characters.
Default
Note: The aaa local authentication password-policy special-count value is 1.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy special-count 2
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy special-count
(config)# commit
#show aaa authentication password-policy
aaa local authentication password-policy maxsequence
Use this command to set the allowed number of monotonic character sequences.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy maxsequence <1-32>
Parameters
<1-32>
Specifies the allowed number of monotonic character sequences.
Default
Note: The aaa local authentication password-policy maxsequence value is 5.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy maxsequence 7
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy maxsequence
(config)# commit
#show aaa authentication password-policy
aaa local authentication password-policy maxrepeat
Use this command to set the allowed number of identical consecutive characters.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy maxrepeat <1-32>
Parameters
<1-32>
Specifies the allowed number of identical consecutive characters.
Default
Note: The aaa local authentication password-policy maxrepeat value is 1.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy maxrepeat 2
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy maxrepeat
(config)# commit
#show aaa authentication password-policy
aaa local authentication password-policy min-length
Use this command to set the minimum password length.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy min-length <8-32>
Parameters
<8-32>
Specifies the minimum password length range.
Default
Note: The aaa local authentication password-policy min-length value is 8.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy min-length 10
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy min-length
(config)# commit
OcNOS#show aaa authentication password-policy
aaa local authentication password-policy history
Use this command to set the number of remembered passwords.
Use no parameter of this command to get the default value.
Command Syntax
aaa local authentication password-policy history <1-400>
Parameters
<1-400>
Specifies the number of remembered passwords.
Default
Note: The aaa local authentication password-policy history value is 5.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy history 10
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy history
(config)# commit
#show aaa authentication password-policy
aaa local authentication password-policy disable-usercheck
Use this command to disable the username check.
Use no parameter of this command to restore the default (username check enabled).
Command Syntax
aaa local authentication password-policy disable-usercheck
Parameters
Not applicable
Default
Note: The username check is enabled by default under the authentication password-policy.
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.1.
Example
#configure terminal
(config)#aaa local authentication password-policy disable-usercheck
(config)#commit
#show aaa authentication password-policy
(config)# no aaa local authentication password-policy disable-usercheck
(config)# commit
#show aaa authentication password-policy
Max Password Age
The maximum age of a user password in OcNOS is 60 days. The password policy setting defines how long users can use their password before it expires, which makes users change their passwords periodically. When a user's password is updated, the expiry is set according to the user's role. This can be modified or updated per user. Once the expiry is set at the user level, the system checks the user-level expiry.
When a user logs in and cmlsh is invoked, an admin user is prompted to change the password. A non-admin user receives a message to contact the admin to update the password. If the user's password has expired and it is not updated within the next 30 days, the user account is removed from the database.
All these features are enabled and disabled entirely through the CLI. When disabled, /etc/pam.d/common-password should be updated so that it no longer uses the pam_pwquality and pam_pwhistory modules.
Configuration
The configurations below set the maximum password age.
OcNOS Device
1. Enable the aaa local authentication password-policy
OcNOS#configure terminal
OcNOS(config)#aaa local authentication password-policy
OcNOS(config)#commit
2. Configure the aaa local authentication password expiry per role and per user.
OcNOS(config)#aaa local authentication expire 40 role network-admin
OcNOS(config)#aaa local authentication expire 45 role network-engineer
OcNOS(config)#aaa local authentication expire 35 role network-operator
OcNOS(config)#aaa local authentication expire 50 role network-user
OcNOS(config)#aaa local authentication expire 50 user Test1
OcNOS(config)#commit
Note: The password does not expire if the number of days is set to 0.
Validation 1
Before enabling the local authentication password-policy.
# show aaa authentication password-policy
Password policy parameter:
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
network-admin expiration days: Disabled
network-engineer expiration days: Disabled
network-operator expiration days: Disabled
network-user expiration days: Disabled
After enabling the local authentication password-policy.
By default, password expiry is enabled as well:
# sh aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
network-admin expiration days: 30
network-engineer expiration days: 60
network-operator expiration days: 60
network-user expiration days: 60
After configuring the password expire for role and user.
#sh aaa authentication password-policy
Password policy parameter:
Password policy feature: Enabled
Minimum number of digit: 1
Minimum number of uppercase character: 1
Minimum number of lowercase character: 1
Minimum number of special character: 1
Allowed the number of monotonic character sequences: 5
Username check: Enabled
Allowed the number of same consecutive characters: 1
Minimum length of password: 8
Number of remembered passwords: 5
network-admin expiration days: 40
network-engineer expiration days: 45
network-operator expiration days: 35
network-user expiration days: 50
Test1: will expire in 50 days!!!
New CLI Commands
The maximum password age feature introduces the following configuration commands.
aaa local authentication password expire for role
Use this command to enable or disable the password expire for role.
Use no parameter of this command to disable.
Command Syntax
aaa local authentication password expire <0-1000> role <rolename>
no aaa local authentication password expire role <rolename>
Parameters
<0-1000>
days
Default
Disabled
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.3.
Example
OcNOS#configure terminal
OcNOS(config)#aaa local authentication password expire 50 role <role-name>
  network-admin     Enter the rolename - Network Administrator - Have all permissions
  network-engineer  Enter the rolename - Network Engineer - Can save configuration
  network-operator  Enter the rolename - Network Operator - Can not save configuration
  network-user      Enter the rolename - Network User - Can not change configuration
OcNOS(config)#commit
aaa local authentication password expire for user
Use this command to enable or disable the password expire for a user.
Use no parameter of this command to disable.
Command Syntax
aaa local authentication password expire <0-1000> user <user-name>
no aaa local authentication password expire user <user-name>
Parameters
<0-1000>
days
Default
Disabled
Command Mode
Configure mode
Applicability
Introduced in OcNOS version 6.5.3.
Example
OcNOS#configure terminal
OcNOS(config)#aaa local authentication password expire 50 user <user-name>
OcNOS(config)#commit
Removing Users with Expired Passwords
When a user's password is updated, the expiry is set depending on the user's role. This can be modified per user. Once the expiry is set, the system automatically checks for expired passwords. When a user logs in and cmlsh is invoked, an admin user is prompted to change the password. A non-admin user receives a message to contact the admin to update the password.
If a user's password has expired and neither the password nor the expiry is updated within the next 30 days, that user is removed from the database. All these features are enabled or disabled entirely through the CLI. When disabled, /etc/pam.d/common-password needs to be updated so that it no longer uses the pam_pwquality and pam_pwhistory modules.
Note: When updating a user’s level expiry, any days already lapsed are deducted from the new expiry value. If the updated value is greater than the remaining days, it becomes the new remaining days. For example, if a user initially has 20 days and, after 5 days, the expiry is updated to 30 days, the user will have 25 days left (30 - 5). Conversely, if the expiry is updated to 10 days after 5 days have passed, the remaining time is set to 10 days.
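The expiry lifecycle from this section (role defaults, per-user override, the 0-days case, the 30-day grace before removal, and the note's remaining-days rule), modelled offline as an added example that is not OcNOS code. Day numbers, the role defaults taken from the "after enabling" output above, and the reading of the note as "elapsed days are deducted only when the new value exceeds the days still remaining" are assumptions.

```python
# Offline model of the password-expiry rules described in this section.
# Added example, not OcNOS code. Assumptions taken from the page: a per-user
# expiry overrides the role default, 0 days means the password never expires,
# an expired password not changed within 30 days leads to removal of the
# account, and an expiry update deducts the days already elapsed only when
# the new value exceeds the days still remaining (the 30 -> 25, 10 -> 10 cases).
from dataclasses import dataclass
from typing import Optional

GRACE_DAYS = 30  # removal deadline after expiry
# Role defaults as shown once the password-policy is enabled
ROLE_DEFAULTS = {"network-admin": 30, "network-engineer": 60,
                 "network-operator": 60, "network-user": 60}

@dataclass
class Account:
    name: str
    role: str
    changed_day: int                   # day number of the last password change
    expire_days: Optional[int] = None  # per-user value; None = use the role default

    def max_age(self) -> int:
        return ROLE_DEFAULTS[self.role] if self.expire_days is None else self.expire_days

def account_state(acct: Account, today: int) -> str:
    """'active', 'expired' (must be changed) or 'removed' (grace period exceeded)."""
    age = acct.max_age()
    if age == 0:
        return "active"            # 0 days: the password never expires
    overdue = today - acct.changed_day - age
    if overdue < 0:
        return "active"
    return "removed" if overdue >= GRACE_DAYS else "expired"

def login_action(acct: Account, today: int) -> str:
    """What cmlsh asks of an expired user: an admin changes the password
    immediately, a non-admin is told to contact the admin."""
    state = account_state(acct, today)
    if state != "expired":
        return state
    return "change-now" if acct.role == "network-admin" else "contact-admin"

def updated_remaining(new_days: int, elapsed: int, remaining: int) -> int:
    """Remaining days after 'password expire <new_days>' is applied to a user who
    has 'remaining' days left with 'elapsed' days already gone from the old window."""
    if new_days == 0:
        return 0                   # never expires
    return new_days - elapsed if new_days > remaining else new_days
```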
Glossary
The following glossary provides definitions for key terms or abbreviations and their meanings used throughout this document:
Key Terms/Acronym | Description |
PAM | Privileged Access Management is a third-party pluggable security tool that protects organizations from cyber threats by overseeing, detecting, and thwarting unauthorized privileged access to vital resources. |