Password policy configuration

How can I find current instructions for configuring the password policy?
Specifically, a list of what can be configured, and the options for the items in that list.

Official docs suggest that one can do this from the GUI, but those docs were updated in 2018, and take you to selections that don’t exist.

Official docs (more current) also take you to the pwpolicy.conf file, which shows you how to inspect passwords for content (not exactly a policy, but more of a filter). pwpolicy.conf is completely commented out anyway, so a new install is unprotected.

Google has been my best friend, and helped me find these to tuck into pwpolicy.conf:
minlen=nn
password_expiration = nn
Neither of these appears in the sample config file, and, given that they don’t have the same format (abbreviations vs. underscores, no spaces vs. spaces), I don’t trust that each of these is accurate or for the current product.

Can someone please point me to proper instructions (NOT the sample file) for configuring a password policy?

GSA version: 24.6.1
OS: Kali 2025.1 (kali-rolling)

@unretired Well, not sure if that is supported anymore.

You probably need to use LDAP authentication for users.

OR

Use an nginx reverse proxy to validate password complexity.

Eero

Which docs weren’t updated since 2018?

And which official docs do you mean here?


The password policies are still supported and need to be configured via the /etc/gvm/pwpolicy.conf file. The format is documented in the file itself (see also gvmd/src/pwpolicy.conf at main · greenbone/gvmd · GitHub).


@bricks but, there is no password expiration?

Eero

re:
“you probably need to use ldap authentication for users.”
beyond a DNS entry for the Hyper-V server it runs on, my scanner is never part of my domain

re:
“Which docs weren’t updated since 2018?”
The first place I go to is Google (sorry, but I’m kind of normal.) The prompt in my search history was: greenbone community edition password policy. Google’s “ai” provides “/etc/gvm/pwpolicy.conf”; the link of the “ai” source - today that is, not last week - is now to: Kali Linux Install Guide - Greenbone Community Documentation. Given this, it seems my/our activity on this topic has updated Google a bit to a fresher link (no longer 2018). So, this issue is self-resolved, but the source document still does not address what I am searching for.

re:
“The format is documented in the file itself”
Therein lies the problem. This is not a password policy, but a password filter (as in: don’t allow “qwerty”). What I’m looking for is more like:

  • Enforce password history 5 passwords remembered
  • Maximum password age 90 days
  • Minimum password age 7 days
  • Minimum password length 12 characters (which could be addressed by “/^.{12,}$/” (probably, if I research “Perl compatible regular expressions” as noted in the .conf file)
  • Password must meet complexity requirements Enabled
  • Store passwords using reversible encryption Disabled

I apologize for the very M$ blinders that I wear, but again, I’m kind of normal.
I have located HINTS on the Internet that GSA can do more than I see published in github or the .conf file, such as the minlen=nn and password_expiration = nn that I noted previously. The info my searches return is old and inconsistent. I’m just hoping to find the real list of the current policy options from a reputable source.

If password_expiration = nn is all we’ve got, that’s fine. I just want to be assured that a) I’m using it correctly, and b) I’m not missing something.

Thanks,
John
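To make John's distinction concrete: a content filter judges one candidate password on its own, while history, minimum age and expiry need stored state. This is an added illustration, not gvmd's code and not its pwpolicy.conf syntax; the rule format, user names and day numbers are constructed for the example.

```python
import hashlib
import os
import re

# Constructed rules in an assumed simplified syntax (not the gvmd format):
# "#" comments; /pattern/ rejects matches; a "!" prefix makes the pattern required.
FILTER_RULES = """
# a filter only inspects the content of one candidate password
/qwerty/
!/^.{12,}$/
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        required = line.startswith("!")
        rules.append((required, re.compile(line.lstrip("!")[1:-1])))
    return rules

def filter_reasons(password, rules):
    """Stateless filter: reasons the candidate fails, [] if it passes."""
    return [f"{'must match' if req else 'must not match'} /{rx.pattern}/"
            for req, rx in rules if bool(rx.search(password)) != req]

def _digest(salt, password):  # sha256 keeps this short; use a slow KDF in practice
    return hashlib.sha256(salt + password.encode()).hexdigest()

class PasswordPolicy:
    """Stateful policy: history, minimum age and expiry need stored records."""
    def __init__(self, rules, history=5, min_age=7, max_age=90):
        self.rules, self.history = rules, history
        self.min_age, self.max_age = min_age, max_age
        self.records = {}  # user -> [(salt, digest, day_changed)]; days are integers
    def change(self, user, password, day):
        reasons = filter_reasons(password, self.rules)
        hist = self.records.setdefault(user, [])
        if hist and day - hist[-1][2] < self.min_age:
            reasons.append(f"minimum age {self.min_age} days not reached")
        if any(_digest(s, password) == d for s, d, _ in hist[-self.history:]):
            reasons.append(f"reused one of last {self.history} passwords")
        if not reasons:
            salt = os.urandom(16)
            hist.append((salt, _digest(salt, password), day))
        return reasons
    def expired(self, user, day):
        hist = self.records.get(user)
        return not hist or day - hist[-1][2] >= self.max_age
```

`change()` returns an empty list when the new password is accepted and recorded; `expired()` is what a login path would consult to force a change after `max_age` days.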

@unretired how about installing ldap service on openvas?

Eero

@unretired

If I remember correctly it also supports RADIUS: FreeRADIUS 3.0 on Ubuntu 18.04 with Two-Factor Authentication (2FA)

Configuring MFA RADIUS with Google Authenticator probably passes all security requirements, as the password is changed every time.

Eero

Eero,

Keepin’ it real here: small organization, less overhead = better. I’m the only one who logs in, VM is on my LAN behind a good firewall. Just looking for documentation on a feature that the Internet already knows exists/existed.

I only troubleshoot a failed Kali+Greenbone VM for about a day then throw the entire VM in the trash and start over (it’s amazingly more efficient.) There just hasn’t been time to patch a fresh installation by installing and maintaining more stuff like ldap.

RADIUS on Ubuntu with 2FA does sound tasty…but for now, if “password_expiration = nn” is all we’ve got, that’s fine: the Kali OS underneath will probably break within a year anyway. I just don’t find a mention of “password_expiration = nn” in anything official, and am concerned that this code snippet off the Internet might fire a nuclear missile or something.

John

“If there’s nothing better to do, problems can always be invented; Put an Nginx reverse proxy in front and use TLS authentication or a 64-character password.”

Eero