Linux Fedora Core 2: Password, Login, and Pam
Tomas Mraz
tmraz at redhat.com
Sat Dec 4 10:48:14 UTC 2004
On Fri, 2004-12-03 at 14:47 -0600, Browder, Tom wrote:
> Can someone please tell me how, on FC 2 , to do the following:
>
> 1. Ensure a password meets minimum length and other quality
> restrictions.
Put the
    password requisite pam_cracklib.so retry=5 minlen=8 dcredit=-1 ucredit=-1 ocredit=0 lcredit=-1
into /etc/pam.d/system-auth
> 2. Lockout an account for time X after three failed attempts.
This should be achievable using pam_tally.so, but the functionality is
partly broken and also not very secure (even after lockout it can reveal
a successful password break attempt to an attacker).
> 3. Force a user to change a password after time Y.
man chage
> 4. Report all the above.
Reports should be in system log.
> The /etc/login.defs with password restrictions apparently doesn't work
> with PAM.
It doesn't, it's obsoleted.
> PAM documentation is very confusing to me--I see
> apparent dependencies, duplications, and overlaps between "services"
> and modules, and which takes precedence is not clear.
>
> For example, following the examples in the "Linux-PAM System
> Administrators' Guide" (latest I could find: version 0.76, Jun 2002)
> for the /etc/pam.d/passwd doesn't work for me. I set the following:
>
> password required pam_cracklib.so \
> dcredit=-1 ucredit=-1 ocredit=o lcredit=-1 minlen=8
>
> Nothing changes:
>
> As a user I try to change my password and it accepts 6 characters.
The problem is that FC uses the pam_stack module, which changes things a
little bit, so if you put this in /etc/pam.d/passwd it won't work as
expected.
--
Tomas Mraz <tmraz at redhat.com>
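
Added example, not part of the original post and not pam_cracklib's own code: a small Python model of the length-and-credit rule that the system-auth line in the reply above configures. The function names and the fallback defaults are assumptions; the dictionary, palindrome and similarity checks are not modelled.

```python
import string

# Option line from the reply above (for /etc/pam.d/system-auth).
REPLY_LINE = ("password requisite pam_cracklib.so retry=5 minlen=8 "
              "dcredit=-1 ucredit=-1 ocredit=0 lcredit=-1")

# Fallback values for options missing from the line (assumed documented defaults).
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASSES = {"dcredit": ("digit", string.digits),
           "ucredit": ("uppercase", string.ascii_uppercase),
           "lcredit": ("lowercase", string.ascii_lowercase)}

def parse_options(line):
    """Pick minlen and the four *credit options out of a PAM config line."""
    opts = dict(DEFAULTS)
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts

def check(password, opts):
    """Return None if the credit rule accepts the password, else a reason."""
    counts = {k: sum(ch in chars for ch in password)
              for k, (_, chars) in CLASSES.items()}
    counts["ocredit"] = len(password) - sum(counts.values())
    needed = opts["minlen"]
    for key, n in counts.items():
        credit = opts[key]
        if credit >= 0:
            # Positive credit: up to `credit` chars of this class shorten
            # the required length.
            needed -= min(n, credit)
        elif n < -credit:
            # Negative credit: at least -credit chars of this class are mandatory.
            label = CLASSES.get(key, ("other",))[0]
            return f"needs at least {-credit} {label} character(s)"
    if len(password) < needed:
        return f"too short: {len(password)} < {needed}"
    return None

if __name__ == "__main__":
    strict = parse_options(REPLY_LINE)
    loose = parse_options("password requisite pam_cracklib.so minlen=8")
    for pw in ("abc123", "Abc123", "Abcdef12", "Ab1!"):  # constructed samples
        print(f"{pw!r:12} strict={check(pw, strict)!r} loose={check(pw, loose)!r}")
```

With the negative credits from the reply, each character class becomes mandatory and no class earns a length discount, so minlen=8 is the real minimum; with positive credits a four-character mixed password can satisfy minlen=8.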