pam_passwdqc could emulate aix ?

Solar Designer solar at openwall.com
Wed Oct 10 20:23:36 UTC 2007


Jorge,

On Wed, Oct 10, 2007 at 11:24:47AM -0500, jorge gmail wrote:
> does passwdqc or pam_cracklib have a per_user flag, like pam_tally?

No.

> I want to have several user profiles (general, dbase, customer), etc.
> each profile with his own rules (maxlen, minother, etc)
...

This is a reasonable request.

I think that you can "emulate" this behavior by setting up several
/etc/pam.d/passwd* files with different suffixes (e.g., "passwd",
"passwd-dbase", "passwd-customer"), then have people from the
respective "groups" invoke the passwd program from SimplePAMApps as
follows:

	passwd
	passwd -N -dbase
	passwd -N -customer

You can make this transparent with a wrapper script that would use e.g.
the primary group name for the -N option parameter.

In order to prevent abuse (running passwd directly with -N set for
another group), you'd use pam_wheel group=... or pam_listfile within the
/etc/pam.d/passwd* files.

Of course, this approach has a number of limitations/drawbacks:

- It only works for the passwd command, not for any password changes
forced upon login - those will always be processed with settings from
the /etc/pam.d/* files corresponding to the login service.

- Only a few Linux distros use SimplePAMApps (with their own patches as
this package is no longer maintained upstream) - Openwall GNU/*/Linux
(Owl) and distros by ALT Linux team do.

- It's a bit of a hack.

It feels like Linux-PAM should have built-in functionality to combine
modules in arbitrary ways, e.g. have an "include-if" directive.  Then
you could use pam_wheel or pam_listfile along with pam_passwdqc without
having to have any special functionality in the passwd program.

Finally, if your company is willing to pay for the effort, we may
implement your desired functionality right into pam_passwdqc.  Please
contact me off-list if interested.

Thanks,

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
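
The wrapper script suggested in the message above, sketched as an added example that is not part of the original post and not code from SimplePAMApps or Openwall. Assumptions: the profile names "dbase" and "customer" match primary group names, the real passwd lives at /usr/bin/passwd, and the wrapper is installed under the name "passwd" earlier in PATH.

```shell
#!/bin/sh
# Added example: pick the PAM service suffix from the caller's primary group.
# The wrapper runs unprivileged and is only a convenience; abuse prevention
# still has to live in the /etc/pam.d/passwd* files (pam_wheel group=... or
# pam_listfile, as the message says), because users can run passwd -N directly.
PROFILES="dbase customer"          # assumed groups with their own passwd-<name> file
PAM_DIR="${PAM_DIR:-/etc/pam.d}"   # overridable only to allow testing
REAL_PASSWD=/usr/bin/passwd        # assumed path of the SimplePAMApps passwd

# Print the -N parameter for a primary group, or nothing for the default
# profile. Only names listed in PROFILES are ever turned into an option.
suffix_for_group() {
    for p in $PROFILES; do
        if [ "$1" = "$p" ]; then
            printf '%s\n' "-$p"
            return 0
        fi
    done
    return 0
}

# Succeed only if the service file for this suffix exists. With a missing
# file Linux-PAM falls back to the "other" service, so refuse instead.
service_exists() {
    [ -f "$PAM_DIR/passwd$1" ]
}

run_passwd() {
    group=$(id -gn) || return 1
    suffix=$(suffix_for_group "$group")
    if ! service_exists "$suffix"; then
        echo "passwd: no PAM service file passwd$suffix" >&2
        return 1
    fi
    if [ -n "$suffix" ]; then
        exec "$REAL_PASSWD" -N "$suffix"
    fi
    exec "$REAL_PASSWD"
}

# Run only when invoked under the name "passwd"; otherwise just define functions.
case "${0##*/}" in
    passwd) run_passwd ;;
esac
```
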




More information about the Pam-list mailing list