
Re: 8 char max passwd size under RH5.2



OK. Here's what I did on RedHat 5.2:

# cat /etc/pam.d/login
passwd	/lib/security/pam_cracklib.so	minlen=13 retry=3
passwd	/lib/security/pam_pwdb.so	shadow use_authtok md5
<other stuff deleted>
#

Now, the key is the minlen param on cracklib. Reading the docs,
minlen is the minimum acceptable password length +1 (so in this
case it is 14). However the docs go on to talk about *credit, in
short:

dcredit=n, max credit for having digits in password. default n=1
ucredit=n, max credit for having upper case letters in password, 
		default n=1
lcredit=n, max credit for having lower case letters in password,
		default n=1
ocredit=n, max credit for having other (non alphanumeric) chars
		in password, default n=1

So, if you have a password which contains lowercase, uppercase, numeric,
and other, then by setting minlen=10, your minimum length pw is 10.

I tried it and it works. Check it out.

Scott

Reid Sutherland wrote:
> 
> Background info: Test machine, Rh5.2 with Linux 2.2.1, running stock (RH
> install) version of PAM.
> 
> I tried using bigcrypt() instead of crypt() and my passwords still only come
> up as 8 chars. I'm obviously doing something wrong, now the only reason I'm
> not using MD5 is because I do not want to reenter all the passwords and
> rebuild the whole bloody system :)
> 
> Any suggestions on stuff to look for as to why bigcrypt is not working?
> I modified the following in the /etc/pam.d
> passwd, login, su to reflect the new encryption type. Then I did a passwd on
> my username, changed it to an extended (10 char) password and tried to log in.
> I only enter the first 8 chars and still got the same thing as I would get
> with crypt.
> 
> Reid Sutherland
> Network Administrator
> ISYS Technology Inc.
> http://www.isys.ca
> Fingerprint: 1683 001F A573 B6DF A074  0C96 DBE0 A070 28BE EEA5
> 
> -----Original Message-----
> From: Andrew Phillips <atp@mssl.ucl.ac.uk>
> To: pam-list@redhat.com <pam-list@redhat.com>
> Date: Tuesday, February 23, 1999 10:09 AM
> Subject: Re: 8 char max passwd size under RH5.2
> 
> >Hi,
> >
> >> How do you change the maximum passwd length to something higher than 8?
> >
> > This is a limit of the crypt() algorithm.
> >    8 characters at 7 bits/character = 56bits. This is the length of
> >    the standard DES key.
> >    If you want passwords longer than 8 characters, you will need
> >    to use a different algorithm. Ones that I know PAM supports are
> >
> > MD5 - used on *BSD for example
> > bigcrypt - used as part of Digital Enhanced Security.
> >
> >    bigcrypt() is backwards compatible with crypt(), in that in the case
> >    of 8 character or less passwords, the resulting encrypted password is
> >    identical to that returned by crypt(). Longer than 8 characters lead
> >    to extension blocks.
> >
> > To enable bigcrypt, add the flag "bigcrypt" to your pam.d files.
> >e.g.
> >/etc/pam.d/login
> >#%PAM-1.0
> >auth       required     /lib/security/pam_securetty.so
> >auth       required     /lib/security/pam_pwdb.so bigcrypt nullok
> >auth       required     /lib/security/pam_nologin.so
> >account    required     /lib/security/pam_pwdb.so
> >password   required     /lib/security/pam_cracklib.so
> >password   required     /lib/security/pam_pwdb.so bigcrypt nullok use_authtok
> >session    required     /lib/security/pam_pwdb.so
> >
> > Notes:
> > 1) This has been in place since at least RedHat 5.1
> > 2) This was developed expressly for interworking Digital UNIX
> >    and RedHat linux. There may be bugs when using it "standalone"
> >    If so - please contact me and I'll try and fix them.
> > 3) If you are unsure about this, use MD5.
> > 4) If you use SAMBA watch out for long passwords and samba 1.9.18,
> >    we have had problems, as samba seems to chop passwords off
> >    at about 14 characters. Windows users can log in via telnet but
> >    cannot connect to shares using "user level" security.
> >
> > Andy
> >
> >--
> >atp@nojunk-mssl.ucl.ac.uk             |        Dr. Andy Phillips
> >phillips@nojnk-isass1.solar.isas.ac.jp| Mullard Space Science Laboratory
> >a.phillips@nojunk-ucl.ac.uk           | "It's the late 1990s, This is a spam
> >atp@nojunk-coralcay.demon.co.uk       | protected .sig. You know what to do"
> >
> 
> --
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null
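
The credit arithmetic from the reply above, as an added example that is not part of the original thread or of pam_cracklib's source: it models the length test as password length plus per-class credit (each capped at its *credit value) compared against minlen. The struct and function names are hypothetical, only non-negative credits are modelled, and the acceptance rule is an assumption based on the module's documented behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* pam_cracklib length options named in the post; the credit defaults of 1
 * are the ones it quotes. Only non-negative credits are modelled here. */
struct cl_opts { int minlen, dcredit, ucredit, lcredit, ocredit; };

static int cap(int count, int max) { return count < max ? count : max; }

/* Password length plus the credit earned by each character class,
 * each class capped at its *credit value. */
int credited_length(const char *pw, const struct cl_opts *o)
{
    int d = 0, u = 0, l = 0, x = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)pw; *p; p++) {
        if (isdigit(*p))      d++;
        else if (isupper(*p)) u++;
        else if (islower(*p)) l++;
        else                  x++;
    }
    return (int)strlen(pw) + cap(d, o->dcredit) + cap(u, o->ucredit)
                           + cap(l, o->lcredit) + cap(x, o->ocredit);
}

/* Assumed acceptance rule: length + credits must reach minlen. */
int length_ok(const char *pw, const struct cl_opts *o)
{
    return credited_length(pw, o) >= o->minlen;
}

int main(void)
{
    /* minlen=13 as in the post's pam_cracklib line; credits at default 1. */
    const struct cl_opts opts = { 13, 1, 1, 1, 1 };
    /* Constructed sample passwords, not taken from the thread. */
    const char *samples[] = { "abcdefghijk", "abcdefghijkl", "Abcdef1!", "Abcdefg1!" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s len=%2zu credited=%2d %s\n", samples[i], strlen(samples[i]),
               credited_length(samples[i], &opts),
               length_ok(samples[i], &opts) ? "accepted" : "too short");
    return 0;
}
```

The real module also runs dictionary and similarity checks that this sketch leaves out.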


