> On Tue, Jul 02, 2002 at 02:45:19PM +1000, John Warburton wrote:
> >
> > Hmm - good work Sun.
> >
> > Looks like I will have to go back to cracklib for want of anything else.
> > sigh.
>
> Why does that help? Are you able to get cracklib to verify passwords
> changed through sshd or telnetd? How, if the password management PAM
> stack is broken in that respect?

Ah, sorry - I forgot to mention this. We have a brilliant C coder who hacked an *old* version of Linux pam_cracklib to work around both Solaris 8 PAM stacking and SSH issues. Unfortunately this is not feasible to maintain in the long term, which is why I was hoping to use passwdqc.

The AusCERT UNIX security checklist mentions the use of anlpasswd or other similar /bin/passwd replacements. Unfortunately, not all password changing is performed through /bin/passwd (e.g. password expiry), so these applications are not acceptable. Only PAM-based code will work.

> Is Solaris 9 not an option for you?

Unfortunately not - our vendors are yet to verify their apps with Solaris 9 at the moment.

Did Gary Winiger from Sun mention whether the fixes applied to Solaris 9 are to be backported to previous releases?

Just as an aside - the PAM code in OpenSSH 3.4 has seriously stopped password expiration working at all on Solaris 8.

Regards

John