pam_cracklib password history
wayne yu
zwyu1 at yahoo.com
Fri Mar 30 15:05:14 UTC 2007
Hi:
How can I unsubscribe to the pam list?
Thanks
--- Scott Ruckh <sruckh at gemneye.org> wrote:
> lists at trcintl.com wrote:
> > I have been attempting to enable pam_cracklib to check a password in
> > a password history file with no luck. No matter what I seem to try,
> > nothing is ever added to the opasswd file. I have tried this on
> > several stations with no luck so I must be missing something. I have
> > been following the documentation at the following URL:
> > www.deer-run.com/~hal/sysadmin/pam_cracklib.html
> >
> > The problem is I can't seem to get it to work. So, I loaded up a test
> > machine from scratch using RHEL 4.4 with all updates as of 3-14-07. I
> > then did the following:
> >
> > 1.) touch /etc/security/opasswd {creates the necessary old password file}
> > 2.) chown root:root /etc/security/opasswd
> > 3.) chmod 600 /etc/security/opasswd
> > Note I have opened the permissions up on this file for testing with
> > no more luck.
> > 4.) I modified the system-auth file which I'm pretty sure is the file
> > this flavor of Linux uses with the following line:
> > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> >
> > Here is the entire file. The only thing changed from the default file
> > is the line above. I simply added remember=12 to it.
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/$ISA/pam_env.so
> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth        required      /lib/security/$ISA/pam_deny.so
> >
> > account     required      /lib/security/$ISA/pam_unix.so
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     required      /lib/security/$ISA/pam_permit.so
> >
> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> > password    required      /lib/security/$ISA/pam_deny.so
> >
> > session     required      /lib/security/$ISA/pam_limits.so
> > session     required      /lib/security/$ISA/pam_unix.so
> >
> > If I change the line above from sufficient to required as in the
> > example on the site referenced above such as follows:
> > password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> >
> > I then get the error:
> > passwd: Authentication token manipulation error
> > {This tells me I must be editing the correct file}
> >
> > What do I need to do to create the password history file using
> > pam_cracklib?
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
> >
> >
> Kyle, I believe you need to add your 'remember=12' flag to the account
> section and not where you have it now (in the password section).
>
> I do not believe this section from the Linux Pam Administrators' Guide
> is very clear.
>
> The account component performs the task of establishing the status of
> the user's account and password based on the following shadow elements:
> expire, last_change, max_change, min_change, warn_change. In the case of
> the latter, it may offer advice to the user on changing their password
> or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the
> user until they have established a new password. The entries listed
> above are documented in the shadow(5) manual page. Should the user's
> record not contain one or more of these entries, the corresponding
> shadow check is not performed.
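Added example, not part of the thread and not code from any of the posters: a Python check for the setup the quoted original post describes, that is, remember=N on the pam_unix.so line of the password stack and an /etc/security/opasswd file owned by root:root with mode 600. The function names and the embedded sample are constructed for illustration.

```python
import os
import stat

# Constructed sample: the password stack from the quoted system-auth file.
SAMPLE = """\
#%PAM-1.0
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password required /lib/security/$ISA/pam_deny.so
"""

def parse_stack(text, mod_type):
    """Return (control, module file name, args) for every rule of one type."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = line.split("#", 1)[0].split()           # drop comments
        if len(fields) < 3 or fields[0].lstrip("-") != mod_type:
            continue
        if fields[1].startswith("["):                    # [success=1 default=ignore]
            end = next((i for i in range(1, len(fields)) if fields[i].endswith("]")), None)
            if end is None:
                continue
            fields[1:end + 1] = [" ".join(fields[1:end + 1])]
        if len(fields) >= 3:
            rules.append((fields[1], os.path.basename(fields[2]), fields[3:]))
    return rules

def history_depth(text):
    """Value of remember=N on pam_unix.so in the password stack, else None."""
    for _control, module, args in parse_stack(text, "password"):
        for arg in args:
            key, _, value = arg.partition("=")
            if module == "pam_unix.so" and key == "remember" and value.isdigit():
                return int(value)
    return None

def opasswd_problems(path="/etc/security/opasswd"):
    """Check steps 1-3 of the post: file exists, root:root, mode 600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if (st.st_uid, st.st_gid) != (0, 0):
        problems.append("not owned by root:root")
    if stat.S_IMODE(st.st_mode) != 0o600:
        problems.append("mode is %o, expected 600" % stat.S_IMODE(st.st_mode))
    return problems

if __name__ == "__main__":
    print("remember =", history_depth(SAMPLE))
    print("opasswd:", opasswd_problems() or "ok")
```

To audit a live system, pass the contents of /etc/pam.d/system-auth to history_depth() in place of SAMPLE.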