
Restrict how many times FreeBSD asks for the right password if someone gives a wrong password.

Balbir Singh asked:
During keyboard-based password authentication, if we provide a wrong password, the FreeBSD system asks for the password 3 times before giving up. Is there a way I can restrict it to just 1? Like, if someone gives a wrong password, then no login, no need to ask again. TIA

Principal Software Engineer commented:
According to the page below, it is relatively straightforward. However, I suspect a reboot will be necessary after changing this. There are some other policies, including "similar", which should probably also be changed in line with the example.

https://www.freebsd.org/doc/handbook/security-intro.html

"13.2.4. Password Policy Enforcement

Enforcing a strong password policy for local accounts is a fundamental aspect of system security. In FreeBSD, password length, password strength, and password complexity can be implemented using built-in Pluggable Authentication Modules (PAM).

This section demonstrates how to configure the minimum and maximum password length and the enforcement of mixed characters using the pam_passwdqc.so module. This module is enforced when a user changes their password.

To configure this module, become the superuser and uncomment the line containing pam_passwdqc.so in /etc/pam.d/passwd. Then, edit that line to match the password policy:

password  requisite  pam_passwdqc.so  min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users


This example sets several requirements for new passwords. The min setting controls the minimum password length. It has five values because this module defines five different types of passwords based on their complexity. Complexity is defined by the type of characters that must exist in a password, such as letters, numbers, symbols, and case. The types of passwords are described in pam_passwdqc(8). In this example, the first three types of passwords are disabled, meaning that passwords that meet those complexity requirements will not be accepted, regardless of their length. The 12 sets a minimum password policy of at least twelve characters, if the password also contains characters with three types of complexity. The 10 sets the password policy to also allow passwords of at least ten characters, if the password contains characters with four types of complexity.

The similar setting denies passwords that are similar to the user's previous password. The retry setting provides a user with three opportunities to enter a new password."
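To make the quoted min= rule concrete, here is an added example (not from the handbook or from anyone in this thread) that parses the pam_passwdqc line above and checks candidate passwords against it the way pam_passwdqc(8) counts character classes. It assumes two simplifications: passphrases (the N2 slot) are not modelled, so any two-class password is judged by N1, and non-ASCII characters are treated as "other".

```python
import re

# The policy line quoted from the FreeBSD Handbook above (sample input for this example).
HANDBOOK_LINE = ("password  requisite  pam_passwdqc.so  "
                 "min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users")


def parse_passwdqc_min(line):
    """Return the five min= values (N0..N4) as ints, or None where 'disabled'."""
    m = re.search(r"\bmin=(\S+)", line)
    if not m:
        raise ValueError("no min= option on this pam_passwdqc line")
    values = m.group(1).split(",")
    if len(values) != 5:
        raise ValueError("min= takes exactly five comma-separated values")
    return [None if v == "disabled" else int(v) for v in values]


def character_classes(password):
    """Count character classes (digits, lower, upper, other) as pam_passwdqc(8)
    does: an upper-case first character and a digit last character are not
    counted, so 'Secret1' has one class, not three. Non-ASCII characters are
    treated as 'other' here (a simplification of the real module)."""
    body = password[1:] if password[:1].isupper() else password
    body = body[:-1] if body[-1:].isdigit() else body
    classes = set()
    for c in body:
        if c.isdigit():
            classes.add("digit")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return max(1, len(classes))


def password_acceptable(password, policy_line=HANDBOOK_LINE):
    """True if the password is long enough for its class count under min=.
    Slots: 1 class -> N0, 2 -> N1, 3 -> N3, 4 -> N4 (N2, passphrases, not modelled)."""
    mins = parse_passwdqc_min(policy_line)
    required = mins[{1: 0, 2: 1, 3: 3, 4: 4}[character_classes(password)]]
    return required is not None and len(password) >= required


if __name__ == "__main__":
    for candidate in ("correcthorsebattery", "Tr0ub4dor&3x", "Tr0ub4dor&3", "aB3$aB3$aB"):
        print(f"{candidate!r}: classes={character_classes(candidate)} "
              f"accepted={password_acceptable(candidate)}")
```

With the handbook policy, a 19-character all-lowercase password is rejected outright (N0 is disabled), a 12-character three-class password passes, and a four-class password needs only ten characters.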
Balbir Singh (Author, System Administrator) commented:
Thanks a lot, it really helps me, and I am able to restrict max authentication to just 1.

Now, when someone is denied access just after the 1st attempt, I get the message below on the screen:
Received disconnect from xx.xx.xx.xx port 22:2: Too many authentication failures
Disconnected from xx.xx.xx.xx port 22


Is there a way I can silence this message after unsuccessful authentication?
Balbir Singh (Author, System Administrator) commented:
Also, is it possible to not mask what the user is typing on the screen at the password prompt? Like, if the password is 'secret', then it should be visible in the terminal while typing.

I know the security risk, but I just wanted to know if it is doable?