password complexity

Stuart Sears stuart at sjsears.com
Fri May 19 11:15:53 UTC 2006



John O'Loughlin wrote:
> 
> Dear All
> 
> Does anyone know how to set up password complexity rules? I'm fairly
> sure there has to be some /etc/pam.d/system-auth settings for this, I
> can't find any examples.
/usr/share/doc/pam-0.*/html/index.html
/usr/share/doc/pam_passwdqc-*/README

basically you have 2 choices - standard pam_cracklib (which takes a
length arg and optional extra credit scores)
or pam_passwdqc, which is more complicated.

read the

> 
> Also, is NIS pam aware? If a user runs yppasswd will the pam settings
> apply?
NIS does not need to be PAM-aware - the local passwd command is.
In fact technically just 'passwd' should be enough... (as long as the
'nis' argument is passed to pam_unix). This also makes things uniform -
all users just use the passwd command, whether they are NIS users or not.
As for yppasswdd, dunno. It doesn't use PAM AFAIK.
The three pam lines you should have will be something like (simplified!)

password requisite ...pam_cracklib.so args...
password sufficient pam_unix.so ... nis
password required pam_deny.so

so password strengths are checked *before* the NIS service and the whole
'password' group exits if the pass is not good enough.


regards

Stuart
--
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.

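An added example, not part of the original post: a small Python audit that checks a PAM `password` stack for the layout described in the reply (a `requisite` strength check ahead of `pam_unix.so` with the `nis` argument, ending in `pam_deny.so`). The sample stack, its cracklib values, and the function names are constructed for illustration.

```python
import re

# Constructed sample stack (not from the post); the cracklib values are
# illustrative assumptions: minimum length 10, one digit, one uppercase.
SAMPLE_STACK = """\
password  requisite   pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1
password  sufficient  pam_unix.so use_authtok md5 shadow nis
password  required    pam_deny.so
"""

STRENGTH_MODULES = {"pam_cracklib.so", "pam_passwdqc.so"}
# type, control (keyword or [bracketed] form), module path, arguments
LINE_RE = re.compile(r"^\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_password_stack(text):
    """Return [(control, module, args)] for 'password' lines, in file order."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            control, path, args = m.groups()
            stack.append((control, path.rsplit("/", 1)[-1], args.split()))
    return stack

def audit_password_stack(text):
    """Return findings; an empty list means the layout matches the post."""
    stack = parse_password_stack(text)
    names = [module for _, module, _ in stack]
    findings = []
    check = next((i for i, n in enumerate(names) if n in STRENGTH_MODULES), None)
    unix = names.index("pam_unix.so") if "pam_unix.so" in names else None
    if check is None:
        findings.append("no pam_cracklib/pam_passwdqc line in the password stack")
    elif stack[check][0] != "requisite":
        findings.append("strength check is not 'requisite': stack does not exit on a weak password")
    if unix is None:
        findings.append("no pam_unix.so line in the password stack")
    else:
        if check is not None and check > unix:
            findings.append("strength check runs after pam_unix.so")
        if "nis" not in stack[unix][2]:
            findings.append("pam_unix.so has no 'nis' argument")
    if not names or names[-1] != "pam_deny.so":
        findings.append("password stack does not end with pam_deny.so")
    return findings

if __name__ == "__main__":
    print(audit_password_stack(SAMPLE_STACK) or "password stack matches the described layout")
```

To audit a real host, pass the contents of `/etc/pam.d/system-auth` to `audit_password_stack` instead of the constructed sample.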




More information about the redhat-list mailing list