Guidance using pam_passwdqc module and Army Regulation 25-2
Solar Designer
solar at openwall.com
Thu Jun 3 15:33:28 UTC 2004
On Thu, Jun 03, 2004 at 04:42:37PM +1200, William Brower wrote:
> I got it working with the following:
>
> password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
> password required /lib/security/$ISA/pam_deny.so
Yes, that's a correct combination of settings and indeed it should
work, but you should have also been able to get it working with the
unmodified pam_unix line (with "use_authtok" on it) and no
"ask_oldauthtok" option to pam_passwdqc.
> I'll also think about the 'required' and 'sufficient' settings - unclear
> to me right now.
Red Hat could have used "required" for pam_unix as well and then not
need the pam_deny line.
> The AR25-2 regulation actually specifies that at least 2 characters from
> each of the four character groups be used in a password at least 10
> characters long. I don't see an obvious way to enforce that with
> passwdqc,
You might be misreading the requirement in the regulation, although it
is poorly worded and I am not entirely sure myself.
Quoting your previous e-mail, --
| (2) The password will be a mix of uppercase letters, lowercase
| letters, numbers, and special characters, including at least two of each
| of the four types of characters (for example, x$TloTBn2!) and can be
| user generated.
Don't they require at least two of the four _types_ of characters, not
at least two _characters_ of each type? The example password they
give contains only one instance of a digit.
> but I can get closer than before with this option:
>
> password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok min=disabled,disabled,disabled,disabled,10
With the above correction, the most liberal setting which still
satisfies the regulation is:
min=disabled,10,10,10,10
But for practical use, I recommend something like:
min=disabled,24,12,10,10
> Perhaps there is something I could do with the random=N option, but it
> isn't obvious to me how large a bit-value to select to get the desired
> enforcement. Ideas?
The default at 42 bits is reasonable if your system uses a modern
password hashing method. Please note that this option affects only
machine-generated passwords; it is not an enforcement setting for
user-chosen ones.
--
Alexander
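The following is an added worked example, not code from the original thread and not pam_passwdqc's own implementation. It is a small Python model of how a passwdqc-style min=N0,N1,N2,N3,N4 setting classifies a password, used to compare the two settings discussed above (min=disabled,10,10,10,10 and min=disabled,24,12,10,10) against constructed sample passwords, including the regulation's own example x$TloTBn2!. The class-counting rule (a capital used as the first character and a digit used as the last one do not add a class) follows my reading of the passwdqc documentation; passphrase detection is simplified to counting whitespace-separated words, and the dictionary, similarity and max-length checks are not modelled. The function names parse_min, count_classes, passes_min and two_of_each_class are my own, as are the sample passwords; two_of_each_class implements the stricter "two characters of each type" reading from the thread, which min= cannot express, purely for comparison.

```python
# Added example (not passwdqc code): model passwdqc's min= length policy
# and compare two settings against constructed sample passwords.
import string


def parse_min(spec):
    """Parse a passwdqc 'min=N0,N1,N2,N3,N4' string into a 5-tuple.
    Each field is an int, or None for 'disabled'."""
    fields = spec.split("=", 1)[-1].split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated fields")
    return tuple(None if f == "disabled" else int(f) for f in fields)


def count_classes(pw):
    """Number of character classes (digits, lower, upper, other) present,
    counted the way I read passwdqc's rule: a capital used as the first
    character and a digit used as the last character are 'common usage'
    and do not add a class (assumption based on the passwdqc README)."""
    digits = sum(c in string.digits for c in pw)
    lowers = sum(c in string.ascii_lowercase for c in pw)
    uppers = sum(c in string.ascii_uppercase for c in pw)
    others = len(pw) - digits - lowers - uppers
    if uppers and pw[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and pw[-1] in string.digits:
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


# Index into the min= tuple by class count: N0 for one class, N1 for two,
# N2 for three, N4 for four; N3 is reserved for passphrases.
_INDEX_BY_CLASSES = {0: 0, 1: 0, 2: 1, 3: 2, 4: 4}


def passes_min(pw, minspec, passphrase_words=3):
    """True if pw meets a passwdqc-style min= policy (length checks only;
    dictionary and similarity checks are not modelled). A passphrase
    here is simply >= passphrase_words whitespace-separated words
    (simplification of passwdqc's word counting)."""
    n = parse_min(minspec) if isinstance(minspec, str) else tuple(minspec)
    length = len(pw)
    need = n[_INDEX_BY_CLASSES[count_classes(pw)]]
    if need is not None and length >= need:
        return True
    # A passphrase may pass via N3 even if its class count would not suffice.
    if len(pw.split()) >= passphrase_words and n[3] is not None and length >= n[3]:
        return True
    return False


def two_of_each_class(pw, min_length=10):
    """The stricter reading of AR 25-2 from the thread: at least two
    characters from every one of the four classes, and >= min_length.
    passwdqc's min= cannot express this; shown for comparison only."""
    counts = {"digit": 0, "lower": 0, "upper": 0, "other": 0}
    for c in pw:
        if c in string.digits:
            counts["digit"] += 1
        elif c in string.ascii_lowercase:
            counts["lower"] += 1
        elif c in string.ascii_uppercase:
            counts["upper"] += 1
        else:
            counts["other"] += 1
    return len(pw) >= min_length and all(v >= 2 for v in counts.values())


# Constructed sample passwords, including the regulation's own example.
SAMPLES = ["x$TloTBn2!", "Password1", "hunter2hunter2", "correct horse battery"]
POLICIES = ["min=disabled,10,10,10,10", "min=disabled,24,12,10,10"]

if __name__ == "__main__":
    for pw in SAMPLES:
        verdicts = ", ".join(f"{p}: {passes_min(pw, p)}" for p in POLICIES)
        print(f"{pw!r}: {count_classes(pw)} class(es); {verdicts}; "
              f"two-of-each: {two_of_each_class(pw)}")
```

Running it shows the points made in the thread: x$TloTBn2! counts as four classes and passes both settings, but fails the "two of each type" reading because it has a single digit; Password1 collapses to one class once the leading capital and trailing digit are discounted and is rejected outright; hunter2hunter2 (two classes, 14 characters) passes the liberal setting but not the recommended one, which demands 24 characters for two-class passwords; and a three-word passphrase still gets through the recommended setting via the N3 field.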