Guidance using pam_passwdqc module and Army Regulation 25-2

Solar Designer solar at openwall.com
Thu Jun 3 01:23:17 UTC 2004


On Thu, Jun 03, 2004 at 01:03:03PM +1200, William Brower wrote:
> I downloaded and installed the module - things went cleanly and the 
> module was installed in /lib/security/pam_passwdqc.so
> 
> 2) I tried modifying /etc/pam.d/system-auth to look like this
> (I know there is a warning about file autogeneration, but frankly, the 
> /etc/pam.d/passwd file seems to direct all real action to this file - 
> should I just modify the /etc/pam.d/passwd file instead??)

No, there's no need to modify other PAM config files and it is
appropriate to modify /etc/pam.d/system-auth almost like you did.

> OLD:
> password  required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password  sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok 
> md5 shadow
> password  required   /lib/security/$ISA/pam_deny.so
> 
> NEW:
> #password required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password required   /lib/security/$ISA/pam_passwdqc.so

You said the module installed under /lib/security/pam_passwdqc.so, --
perhaps you need to remove the extra "/$ISA" from this line then?

> password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass 
> md5 shadow

Please revert the change you did to this line.  It should have worked
fine with "use_authtok".

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments





More information about the Pam-list mailing list