In April, I released version 1.2.0 of passwdqc. This version specifically
improves support for OpenBSD, allowing the pwqcheck program to be specified in
OpenBSD's /etc/login.conf and invoked by the passwd(1) program. Previously,
this was only supported via an "unofficial" rework of older pam_passwdqc code
by Damien Miller (djm@). Now it has become official, immediately providing all
improvements found in current and future versions of passwdqc (since OpenBSD
support is to stay).

Some recent improvements include fine-tuning of the checks on thousands of
real-world cracked vs. presumed-strong passwords, support for 8-bit characters
in passphrase words, and extra entropy encoded into randomly-generated
passphrases. Not-so-recent improvements include separation of the "core" code
into libpasswdqc, introduction of command-line programs (usable from scripts
and now also by OpenBSD) and extra options to them, and making the PAM module
optional (indeed, it's not built on OpenBSD, but it is useful for having the
same password policy elsewhere).

Long story short, to enable passwdqc on OpenBSD, build and install it, then
insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\" into the "default"
section in /etc/login.conf. This will use passwdqc's default policy, which may
be adjusted with additional command-line options (there's a man page
documenting those).

Unfortunately, as of OpenBSD 4.6, there's no way to actually enforce the
policy. If one enters a non-compliant password (or different ones) multiple
times, passwd(1) will eventually give up and permit any password to be set.
Hopefully, this shortcoming will get addressed in a later version.