[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_unix, cracklib, Makefiles


On Fri, Dec 17, 1999 at 08:31:03AM +0100, Thorsten Kukuk wrote:
> On Thu, Dec 16, Marcus Harnisch wrote:
> >  > The only thing I find very bad is, that pam_cracklib does not
> >  > read a config file. If I wish to change on option (for example
> >  > min length of a password), I need to grep through all config
> >  > files and make the necessary changes.
> > 
> > Hmm, this is IMHO a matter of personal taste. I could imagine that I
> > actually want a different configuration for different services which
> > couldn't be achieved easily by a global config file. Many other PAM
> > modules have to be configured without a config file, too.

I've always been voting against additional config files.
We already have enough config files in /etc/pam.d directory where all the
necessary information can be passed as arguments of modules.

> Yes, but I don't think a user should be allowed to use a weak password,
> because he logs in with rlogin when his password needs to be changed,
> and the user calling "passwd" has to choose a very good one. The
> configuration for changing the password should be the same for everybody.
> It's hard enough to find out which programs let the user change the
> password, in the moment I know of login, rlogin, OpenSSH and passwd.

It _must_ be easy.  Each program which has "password" section in its PAM config
file is potentially able to change password and no other program should be
able to do it.  Systems shouldn't allow to do authentication/password
changing stuff in a hidden way beside PAM, should they? :-)

Best regards
					Andrey V.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []