Guidance using pam_passwdqc module and Army Regulation 25-2
William Brower
wbrower at ll.mit.edu
Thu Jun 3 04:42:37 UTC 2004
Alexander,
Thank you. I got it working with the following:
password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass
md5 shadow
password required /lib/security/$ISA/pam_deny.so
I'll study the use_first_pass and use_authtok options more carefully.
I'll also think about the 'required' and 'sufficient' settings - unclear
to me right now.
The AR25-2 regulation actually specifies that at least 2 characters from
each of the four character groups be used in a password at least 10
characters long. I don't see an obvious way to enforce that with
passwdqc, but I can get closer than before with this option:
password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
min=disabled,disabled,disabled,disabled,10
Perhaps there is something I could do with the random=N option, but it
isn't obvious to me how large a bit-value to select to get the desired
enforcement. Ideas?
Thanks again!
Bill
> On Thu, Jun 03, 2004 at 01:03:03PM +1200, William Brower wrote:
>
>>I downloaded and installed the module - things went cleanly and the
>>module was installed in /lib/security/pam_passwdqc.so
>>
>>2) I tried modifying /etc/pam.d/system-auth to look like this
>>(I know there is a warning about file autogeneration, but frankly, the
>>/etc/pam.d/passwd file seems to direct all real action to this file -
>>should I just modify the /etc/pam.d/passwd file instead??)
>
>
> No, there's no need to modify other PAM config files and it is
> appropriate to modify /etc/pam.d/system-auth almost like you did.
>
>
>>OLD:
>>password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
>>md5 shadow
>>password required /lib/security/$ISA/pam_deny.so
>>
>>NEW:
>>#password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>password required /lib/security/$ISA/pam_passwdqc.so
>
>
> You said the module installed under /lib/security/pam_passwdqc.so, --
> perhaps you need to remove the extra "/$ISA" from this line then?
>
>
>>password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass
>>md5 shadow
>
>
> Please revert the change you did to this line. It should have worked
> fine with "use_authtok".
>
>
>
--
William Brower
MIT Lincoln Laboratory
Reagan Test Site, Kwajalein, Marshall Islands
p: 805.355.1310
f: 805.355.1701
More information about the Pam-list
mailing list