A password is a sequence of characters utilized to confirm a user's identity in the authentication procedure. A strong password helps to protect user accounts and prevents unauthorized access. Strong passwords are the first defense against cyberattacks. Hackers commonly use automated tools to crack passwords. Weak passwords are easily guessed or cracked. Every organization encourages its users to use long passwords combining alphanumeric and special characters. A lengthy password is more complex for hackers, who also need to invest a lot of time to hack the system.

OcNOS manages the user account and its password in its OcNOS configuration, then their password is reflected to LINUX standard user management db,/etc/passwd and /etc/shadow.

The password expiration settings in OcNOS and in the standard user management system in LINUX are not always identical. Since the operation of the OcNOS shell is not the same as that of standard shells like bash, similar mechanisms must be implemented in the OcNOS shell to enforce default password changes and set expiration dates.

Privileged Access Management (PAM) is a third party pluggable security tool that protects organizations from cyberthreats by overseeing, detecting, and thwarting unauthorized privileged access to vital resources.

To satisfy customer requirements, use pam_pwquality or pam_history, standard PAM modules in LINUX. These are more optimal than implementing a custom password-strength verification system within this system.

When a user sets a password in plain text, it is immediately hashed, and from then on, this hashed password is used for internal management to save settings. The plain text password is not stored anywhere. However, the verification of password strength through PAM is only possible with the plain text password, hence verification can only be conducted while the plain text password is available.

In OcNOS, an actual password change is not performed while the plain text password is held. When a 'commit' operation is executed, it is saved until 'write' operation is executed. However, since PAM cannot verify the strength of a password without setting it, OcNOS temporarily sets the password and while holdd the plain text password to check if the new password meets the password policy and can be changed. If it meets the policy and the password is changed, a process is necessary to revert to the original password.

PAM modules are configured in /etc/security/pwquality.conf and /etc/pam.d/common_password. This system internally holds default values based on customer requirements and sets them in these files at system startup. These files are updated if the corresponding configuration values are changed through the CLI and prompts user to update the default password.

To update these default passwords, check if the encrypted password calculated by its username and then prompt the user to update the password. Since the user ‘OcNOS’ shell is ‘cmlsh’ and the ‘root’ shell is ‘bash’, this code is developed independently. For the OcNOS user, it is implemented in cmlsh_start() in cmlsh_main. For the root user, it is done in /root/.bash

The OcNOS configuration triggers all user management or password updates including LINUX accounts.

The below configurations allow the user to authenticate the password policy.

Use the OcNOS interface to configure user accounts, such as creating, disabling passwords and maintain user accounts information.

The image illustrates a method for authenticating and authorizing user account passwords.

Before enabling the local authentication password-policy.

After enabling the local authentication password-policy.

 

BAD PASSWORD: The password contains less than 2 uppercase letters.

 

Password-policy logs.

Based on the above configuration set the password in the below format:

The configurable password policy introduces the following configuration commands.

None

None

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to disable.

None

The aaa local authentication password-policy is disabled under authentication password policy.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy numeric-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy uppercase-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy uppercase-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy special-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy maxsequence value is 5.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy maxrepeat value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy min-length value is 8.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy history value is 5.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy usercheck is enabled under authentication password-policy.

Introduced in OcNOS version 6.5.1.

The maximum age for a user password for OcNOS is 60 days.The password policy setting describes how long users can use their password before it expires. This helps the users periodically change their passwords. When a user’s password is updated, the expiry is set according to the user’s role. This can be modified or updated per user. Once the expiry is set at the user level, the system will check for user-level expiry.

When a user logs in and cmlsh is invoked for the admin user, the admin user is prompted to change the password. A non- admin receives a message to contact the admin to update the password. If the user password has e xpired and it is not updated within the next 30 days, the user account removed from the database.

All these features are enabled and disabled entirely with a CLI. When disabled, /etc/pam.d/common-password should be updated not to use both pam_pwquality and pam_pwhistory modules.

The below configurations allow the user to authenticate the maximum password age.

Before enabling the local authentication password-policy.

After enable the local authentication password-policy.

Password policy parameter:

After configuring the password expire for role and user.

Password policy parameter:

The maximum password policy introduces the following configuration commands.

Use no parameter of this command to disable.

Disabled

Introduced in OcNOS version 6.5.3.

Use this command to enable or disable the password expire for role.

Use no parameter of this command to disable.

Introduced in OcNOS version 6.5.3.

When a user’s password is updated, the on set depending on the user’s role. This is modified per user. Once the expiry is set, the system will automatically check for expired passwords. When a user logs in and cmlsh is invoked, for the admin user the user will be prompted to change the password. A non- admin user will receive a message to contact the admin to update the password.

If the user is expired and never update password or expiry for next 30 days, that user is removed from the database. All these features are enabled or disabled entirely with a CLI. When disabled, /etc/pam.d/common-password needs to be updated but not to use both pam_pwquality and pam_pwhistory modules.

The following glossary provides definitions for key terms or abbreviations and their meanings used throughout this document: