On Thu, Jul 04, 2002 at 03:55:07PM +1000, John Warburton wrote:
> > > Hmm - good work Sun.
> > >
> > > Looks like I will have to go back to cracklib for want of anything else.
> > > sigh.
>
> > Why does that help? Are you able to get cracklib to verify passwords
> > changed through sshd or telnetd? How, if the password management PAM
> > stack is broken in that respect?
> Ah, sorry - I forgot to mention this. We have a brilliant C coder who
> hacked an *old* version of Linux pam_cracklib to work around both Solaris 8
> PAM stacking and SSH issues. Unfortunately this is not feasible to maintain
> in the long term, and why I was hoping to use passwdqc.

Well, if you share this pam_cracklib hack with me, I will very likely
be able to hack pam_passwdqc for you accordingly.

> > Is Solaris 9 not an option for you?
> Unfortunately not - our vendors are yet to verify their apps with Solaris 9
> at the moment.
>
> Did Gary Winiger from Sun mention whether the fixes applied to Solaris 9
> are to be back ported to previous releases?

No, he didn't. But you may ask.

> Just as an aside - the PAM code in OpenSSH 3.4 has seriously stopped
> password expiration working at all on Solaris 8.

Not just on Solaris 8. This code is simply #if 0'ed out, on all
platforms, and there're certain reasons (including security) why this
is so. I am trying to solve that for at least the non-privsep case,
for the Owl package and hopefully for the rest of the world as well. ;-)

And it's not password expiration but rather the ability to change
expired passwords which is now disabled. Password expiration works.

--
/sd