A password is a sequence of characters utilized to confirm a user's identity in the authentication procedure. A strong password helps to protect user accounts and prevents unauthorized access. Strong passwords are the first defense against cyberattacks. Hackers commonly use automated tools to crack passwords. Weak passwords are easily guessed or cracked. Every organization encourages its users to use long passwords combining alphanumeric and special characters. A lengthy password is more complex for hackers, who also need to invest a lot of time to hack the system.

OcNOS manages the user account and its password in its OcNOS configuration, then their password is reflected to LINUX standard user management db,/etc/passwd and /etc/shadow.

The password expiration settings in OcNOS and in the standard user management system in LINUX are not always identical. Since the operation of the OcNOS shell is not the same as that of standard shells like bash, similar mechanisms must be implemented in the OcNOS shell to enforce default password changes and set expiration dates.

Privileged Access Management (PAM) is a third party pluggable security tool that protects organizations from cyberthreats by overseeing, detecting, and thwarting unauthorized privileged access to vital resources.

To satisfy customer requirements, use pam_pwquality or pam_history, standard PAM modules in LINUX. These are more optimal than implementing a custom password-strength verification system within this system.

When a user sets a password in plain text, it is immediately hashed, and from then on, this hashed password is used for internal management to save settings. The plain text password is not stored anywhere. However, the verification of password strength through PAM is only possible with the plain text password, hence verification can only be conducted while the plain text password is available.

In OcNOS, an actual password change is not performed while the plain text password is held. When a 'commit' operation is executed, it is saved until 'write' operation is executed. However, since PAM cannot verify the strength of a password without setting it, OcNOS temporarily sets the password and while holdd the plain text password to check if the new password meets the password policy and can be changed. If it meets the policy and the password is changed, a process is necessary to revert to the original password.

PAM modules are configured in /etc/security/pwquality.conf and /etc/pam.d/common_password. This system internally holds default values based on customer requirements and sets them in these files at system startup. These files are updated if the corresponding configuration values are changed through the CLI and prompts user to update the default password.

To update these default passwords, check if the encrypted password calculated by its username and then prompt the user to update the password. Since the user ‘OcNOS’ shell is ‘cmlsh’ and the ‘root’ shell is ‘bash’, this code is developed independently. For the OcNOS user, it is implemented in cmlsh_start() in cmlsh_main. For the root user, it is done in /root/.bash

The OcNOS configuration triggers all user management or password updates including LINUX accounts.

The below configurations allow the user to authenticate the password policy.

Use the OcNOS interface to configure user accounts, such as creating, disabling passwords and maintain user accounts information.

The image illustrates a method for authenticating and authorizing user account passwords.

Before enabling the local authentication password-policy.

After enabling the local authentication password-policy.

 

BAD PASSWORD: The password contains less than 2 uppercase letters.

 

Password-policy logs.

Based on the above configuration set the password in the below format:

The configurable password policy introduces the following configuration commands.

None

None

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to disable.

None

The aaa local authentication password-policy is disabled under authentication password policy.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy numeric-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy uppercase-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy uppercase-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy special-count value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy maxsequence value is 5.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy maxrepeat value is 1.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy min-length value is 8.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy history value is 5.

Introduced in OcNOS version 6.5.1.

Use no parameter of this command to get the default value.

The aaa local authentication password-policy usercheck is enabled under authentication password-policy.

Introduced in OcNOS version 6.5.1.

The following glossary provides definitions for key terms or abbreviations and their meanings used throughout this document: