[KLUG Members] PAM and password limit

Adam Tauno Williams awilliam at whitemice.org
Sun Mar 6 13:15:00 EST 2005


> I am trying to rein in the beast called PAM to control password selection by
> users. However, so far I am not succeeding. I want users to use at least a
> password greater than eight characters. Below is the file system-auth, which
> is called by passwd in Fedora Core 3. What changes do I need to make to achieve
> password control?
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> #auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so

You're sure that the pam_unix line is commented out?  This seems very
wrong.  This looks like it will deny every authorization attempt.

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet

This is stock Fedora?  'Cause the above line is weird.  Don't process
pam_permit if uid is less than 100?  Eh?

> account     required      /lib/security/$ISA/pam_permit.so
> password    required    /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8

Okay, this seems reasonable.  But you realize this only applies to
password CHANGES?  And I think pam_cracklib is obsoleted by pam_pwcheck.

> #password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #password    required      /lib/security/$ISA/pam_deny.so
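Added example, not part of the original message: a simplified Python model of how PAM's control flags resolve the auth and account stacks exactly as posted above, and how the auth result changes once the pam_unix line is uncommented. The function names and the module outcomes fed in (pam_env succeeds, pam_deny always fails, pam_permit always succeeds, the pam_unix account check passes) are assumptions of this example.

```python
# Constructed input: the auth and account lines posted above (wrapped line rejoined).
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
#auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
"""

def parse(text):
    """Return {module_type: [(control, module_name)]}; commented lines are skipped."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        mtype, control, path = fields[:3]
        stacks.setdefault(mtype, []).append((control, path.rsplit("/", 1)[-1]))
    return stacks

def evaluate(stack, results):
    """Simplified model of the required/requisite/sufficient/optional flags.
    results maps module name -> True (module succeeds) or False (module fails)."""
    failed = passed = False
    for control, name in stack:
        ok = results[name]
        if control == "sufficient":
            if ok and not failed:
                return True          # success, rest of the stack is not run
        elif ok:
            passed = True
        elif control == "requisite":
            return False             # failure, rest of the stack is not run
        elif control == "required":
            failed = True            # remembered; later modules still run
    return passed and not failed

def auth_outcome(text, password_ok):
    """Assumed module results: pam_env succeeds, pam_deny always fails."""
    results = {"pam_env.so": True, "pam_unix.so": password_ok, "pam_deny.so": False}
    return evaluate(parse(text)["auth"], results)

def account_outcome(text, uid):
    """Assumed results: pam_unix account check passes, pam_permit always succeeds."""
    results = {"pam_unix.so": True, "pam_succeed_if.so": uid < 100, "pam_permit.so": True}
    return evaluate(parse(text)["account"], results)

if __name__ == "__main__":
    restored = SYSTEM_AUTH.replace("#auth", "auth")   # pam_unix line uncommented
    for label, text in (("as posted", SYSTEM_AUTH), ("pam_unix restored", restored)):
        print(label, [auth_outcome(text, ok) for ok in (True, False)])
    print("account", [account_outcome(SYSTEM_AUTH, uid) for uid in (0, 500)])
```

In this model the posted auth stack fails for a correct and an incorrect password alike, while the account stack succeeds for both uid 0 and uid 500: the pam_succeed_if line only ends the stack early, and pam_permit would have succeeded anyway.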