[KLUG Members] PAM and password limit
Adam Tauno Williams
awilliam at whitemice.org
Sun Mar 6 13:15:00 EST 2005
> I am trying to rein in the beast called PAM to control password selection by
> users. However, so far I am not succeeding. I want users to use at least a
> password greater than eight characters. Below is the file system-auth, which
> is called by passwd in Fedora Core 3. What changes do I need to make to achieve
> password control?
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> #auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth required /lib/security/$ISA/pam_deny.so
You're sure that the pam_unix line is commented out? This seems very
wrong. This looks like it will deny every authorization attempt.
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
This is stock Fedora? 'cause the above line is weird. Don't process
pam_permit if uid is less than 100? Eh?
> account required /lib/security/$ISA/pam_permit.so
> password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8
Okay, this seems reasonable. But you realize this only applies to
password CHANGES? And I think pam_cracklib is obsoleted by pam_pwcheck.
> #password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #password required /lib/security/$ISA/pam_deny.so
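
The points raised in this reply (an auth stack left with only pam_env and pam_deny, and a password stack where pam_cracklib has nothing after it) can be checked mechanically. The following is an added example, not part of the original message: a small Python linter whose names (`parse_stack`, `lint`, the finding ids) are hypothetical, run over the quoted file as a constructed sample. It assumes the plain `required`/`sufficient` control keywords used in that file, and since the password stack only runs on password changes, it says nothing about passwords already set.

```python
import re

# Constructed sample: the system-auth quoted above, wrapped lines rejoined.
SAMPLE = """\
auth required /lib/security/$ISA/pam_env.so
#auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8
#password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
#password required /lib/security/$ISA/pam_deny.so
"""

ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return active (type, control, module, args) tuples; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if m:
            kind, control, path, args = m.groups()
            entries.append((kind, control, path.rsplit("/", 1)[-1], args.split()))
    return entries

def lint(text, want_minlen=8):
    """Return finding ids for the auth and password stacks of a PAM file."""
    findings, entries = [], parse_stack(text)
    # auth: a required pam_deny with no earlier 'sufficient' module rejects everyone.
    can_pass = False
    for _, control, module, _ in (e for e in entries if e[0] == "auth"):
        if control == "sufficient":
            can_pass = True
        elif module == "pam_deny.so" and control in ("required", "requisite") and not can_pass:
            findings.append("auth-always-denied")
            break
    # password: cracklib only vets the new password; a later module must store it.
    pw = [e for e in entries if e[0] == "password"]
    crack = next((i for i, e in enumerate(pw) if e[2] == "pam_cracklib.so"), None)
    if crack is None:
        findings.append("no-quality-check")
    else:
        minlen = next((int(a[7:]) for a in pw[crack][3] if a.startswith("minlen=")), None)
        if minlen is None or minlen < want_minlen:
            findings.append("minlen-too-low")
        if not any("use_authtok" in e[3] for e in pw[crack + 1:]):
            findings.append("checked-password-not-stored")
    return findings
```

Calling `lint(SAMPLE)` reports the file as quoted; uncommenting the two pam_unix lines and the password pam_deny line clears both findings.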