pam_passwdqc could emulate aix ?
Solar Designer
solar at openwall.com
Wed Oct 10 20:23:36 UTC 2007
Jorge,
On Wed, Oct 10, 2007 at 11:24:47AM -0500, jorge gmail wrote:
> does passwdqc or pam_cracklib have a per_user flag, like pam_tally ?
No.
> I want to have several user profiles ( general, dbase, customer ), etc.
> each profile with his own rules ( maxlen, minother, etc )
...
This is a reasonable request.
I think that you can "emulate" this behavior by setting up several
/etc/pam.d/passwd* files with different suffixes (e.g., "passwd",
"passwd-dbase", "passwd-customer"), then have people from the
respective "groups" invoke the passwd program from SimplePAMApps as
follows:
    passwd
    passwd -N -dbase
    passwd -N -customer
You can make this transparent with a wrapper script that would use e.g.
the primary group name for the -N option parameter.
In order to prevent abuse (running passwd directly with -N set for
another group), you'd use pam_wheel group=... or pam_listfile within the
/etc/pam.d/passwd* files.
Of course, this approach has a number of limitations/drawbacks:
- It only works for the passwd command, not for any password changes
forced upon login - those will always be processed with settings from
the /etc/pam.d/* files corresponding to the login service.
- Only a few Linux distros use SimplePAMApps (with their own patches as
this package is no longer maintained upstream) - Openwall GNU/*/Linux
(Owl) and distros by ALT Linux team do.
- It's a bit of a hack.
It feels like Linux-PAM should have built-in functionality to combine
modules in arbitrary ways, e.g. have an "include-if" directive. Then
you could use pam_wheel or pam_listfile along with pam_passwdqc without
having to have any special functionality in the passwd program.
Finally, if your company is willing to pay for the effort, we may
implement your desired functionality right into pam_passwdqc. Please
contact me off-list if interested.
Thanks,
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
Was I helpful? Please give your feedback here: http://rate.affero.net/solar
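
The wrapper suggested in the message above, sketched as an added example (not part of the original post, and not Openwall or SimplePAMApps code). The install name passwd-wrapper, the /usr/bin/passwd path, the accepted group-name characters and the sample PAM lines are assumptions.

```sh
#!/bin/sh
# Added example: pick the per-group PAM service for SimplePAMApps' passwd -N.
# The wrapper is only a convenience and runs unprivileged; the restriction
# itself must sit in the PAM files, e.g. this constructed sketch of
# /etc/pam.d/passwd-dbase (stack placement and values are assumptions):
#   auth      required  pam_wheel.so use_uid group=dbase
#   password  required  pam_passwdqc.so min=disabled,disabled,16,12,10

PAM_DIR=${PAM_DIR:-/etc/pam.d}   # overridable so the lookup can be tested
PASSWD_BIN=/usr/bin/passwd       # assumed install path of SimplePAMApps passwd

# Print the -N argument for a primary group name: "-<group>" when
# $PAM_DIR/passwd-<group> exists, nothing when the default service applies.
passwd_suffix() {
    group=$1
    case $group in
        ''|*[!a-z0-9_]*) return 0 ;;   # empty or odd name: use plain "passwd"
    esac
    if [ -f "$PAM_DIR/passwd-$group" ]; then
        printf '%s' "-$group"
    fi
}

main() {
    suffix=$(passwd_suffix "$(id -gn)")
    if [ -n "$suffix" ]; then
        exec "$PASSWD_BIN" -N "$suffix" "$@"
    fi
    exec "$PASSWD_BIN" "$@"
}

# Run only when installed under the hypothetical name "passwd-wrapper".
case ${0##*/} in
    passwd-wrapper) main "$@" ;;
esac
```

A user who bypasses the wrapper and passes -N for another group is stopped by the pam_wheel line in that group's file, not by this script.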