In the Password policies configuration, it's easy to create a policy requiring a minimum number of different character types to meet complexity rules to meet your company's standards. It's not uncommon, however, to see a standard that requires 3 of the 4 character types (uppercase, lowercase, digits, special characters). To meet this standard, you can leverage the regex rules configuration.
The following rules will accomplish this:
# Note: the page's e-mail obfuscation replaced part of each character class with "[email protected]"; the "!@#" segment below is restored as an assumption (the "@" is certain, the rest follows keyboard order), the remaining symbols are as posted.
pswadm regexp -a '^[A-Za-z0-9!@#$%^&*()_=+;:~-]*$' -f EXT -f POS # Defines the acceptable characters for passwords
pswadm regexp -a '^[A-Za-z]*$' -f EXT # Rejects a password containing only upper and lower
pswadm regexp -a '^[A-Z0-9]*$' -f EXT # Rejects a password containing only upper and digit
pswadm regexp -a '^[A-Z!@#$%^&*()_=+;:~-]*$' -f EXT # Rejects a password containing only upper and symbol
pswadm regexp -a '^[a-z0-9]*$' -f EXT # Rejects a password containing only lower and digit
pswadm regexp -a '^[a-z!@#$%^&*()_=+;:~-]*$' -f EXT # Rejects a password containing only lower and symbol
pswadm regexp -a '^[0-9!@#$%^&*()_=+;:~-]*$' -f EXT # Rejects a password containing only digit and symbol
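As an added example (not part of the original post or of BoKS), the following Python emulates the rule set above and checks, against an independent class counter, that "allowed characters only, plus reject every two-type pattern" really encodes "at least 3 of the 4 types". The "!@#" symbols are an assumption restoring the part of the character class mangled on the page.

```python
import re

# Character types assumed for the rules. The symbol set mirrors the pswadm
# rule above; "!@#" is an assumption restoring the segment the page's e-mail
# obfuscation artifact replaced.
UPPER, LOWER, DIGIT = "A-Z", "a-z", "0-9"
SYMBOL = r"!@#$%^&*()_=+;:~-"

# First pswadm line: the only characters allowed at all.
ALLOWED = re.compile(f"^[{UPPER}{LOWER}{DIGIT}{SYMBOL}]*$")

# Remaining six lines: a password matching any of these uses at most two
# character types, so the post's rules reject it on match.
TWO_TYPES_AT_MOST = [
    re.compile(f"^[{UPPER}{LOWER}]*$"),    # upper + lower
    re.compile(f"^[{UPPER}{DIGIT}]*$"),    # upper + digit
    re.compile(f"^[{UPPER}{SYMBOL}]*$"),   # upper + symbol
    re.compile(f"^[{LOWER}{DIGIT}]*$"),    # lower + digit
    re.compile(f"^[{LOWER}{SYMBOL}]*$"),   # lower + symbol
    re.compile(f"^[{DIGIT}{SYMBOL}]*$"),   # digit + symbol
]

def passes_regex_rules(password: str) -> bool:
    """Emulate the rule set: allowed characters only, and none of the
    'two types at most' patterns may match the whole password."""
    if not ALLOWED.match(password):
        return False
    return not any(p.match(password) for p in TWO_TYPES_AT_MOST)

def class_count(password: str) -> int:
    """Independent check: how many of the four character types are present."""
    classes = [f"[{UPPER}]", f"[{LOWER}]", f"[{DIGIT}]", f"[{SYMBOL}]"]
    return sum(1 for c in classes if re.search(c, password))

def meets_three_of_four(password: str) -> bool:
    """The policy the regex rules are meant to express."""
    return ALLOWED.match(password) is not None and class_count(password) >= 3

def rules_match_policy(candidates) -> bool:
    """True when the regex emulation and the policy agree on every candidate."""
    return all(passes_regex_rules(p) == meets_three_of_four(p) for p in candidates)

# Constructed sample passwords covering 0 to 4 types and a disallowed character.
SAMPLES = ["", "PASSWORD", "password1", "12345!", "Passw0rd", "P@ss", "Ab1!", "hello world"]
```

Note that the single-type and empty cases are rejected too, because a password using one type also matches one of the two-type patterns.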
So far I've sunk sixty hours into making a functional PoC, which installs and configures a properly running BoKS client. I would like to thank Mark Lambiase for offering me the chance to work on this project as a research consultant for FoxT. I'd also like to thank Ger Apeldoorn for his coaching and Ken Deschene for sparring with me.
I want to configure my alarm logs to email a specific set of users each time there are specific events that come through the BoKS system. I have set my alarm logs to capture the relevant events and I have configured my email server so that I am able to send the mail to the users from a command line interface. In the Domain Settings on the BoKS Control Center GUI, under Audit log configuration, Alarm log command: |/bin/mail -s "Alarm Logs" [email protected][email protected] etc. I am still not receiving any alarm logs through email. I am using postfix and have confirmed correct configuration of the smtp settings. Does anyone have any idea what I might be missing? Thanks.
Post by Thomas Sluyter on Feb 24, 2016 19:59:44 GMT
Well, good news: I'm working with FoxT to build a proof-of-concept module for them!
Like you, new2unix, I've first built an RPM file to install the BoKS client software. Now I've got a basic module up and running that installs the package, which puts a bcastaddr in place and which keeps the service running. It's certainly a start! I'll be working on improving the module over the next few weeks.
It's our full intention to share all this information with FoxT's customers, but it'll take a little while to prepare it all in a nicely legible form.
As a sneak preview, that stuff is doing "stuff": [[email protected] ~]# /opt/boksm/sbin/boksadm -S Boot -k
Okay, so since my last post I have been doing a little bit of research on the possibility of installing BoKS with Puppet... Does not seem like this is going to be a trivial task at all, unfortunately. I am trying to create an RPM package right now for the BoKS install and keep tripping over links and pathing issues. Rather frustrating!!!
Post by Thomas Sluyter on Jan 20, 2016 18:55:52 GMT
You are absolutely correct, Pawel, that this is only the very first step to proper integration between BoKS and Yubikey. It was more a proof of concept.
Without saying too much on these forums, you are best served asking your FoxT representative about their plans with regards to authenticators (third party and otherwise). What we're used to from v6.x and before is going to change for the better.
Hi Thomas, good work; however, it's not a true integration, you miss a lot of functionality of BoKS sshd (as mentioned). Just wondering: BoKS does well with SecurID. What protocol does BoKS use for this communication? I would like to see a more user-friendly interface in BoKS, like a client to a Radius service, where you can do all the MFA stuff and not face MFA vendor lock-in.