On Tue, 6 Feb 2001, Ben Collins wrote:

> On Mon, Feb 05, 2001 at 07:01:07PM -0800, Paul Reiber wrote:
> > If only we could apply this "protect the user from themselves" mentality
> > to the "rm" program...

> Enforcing a user's password to be somewhat strong is protecting the
> system as well as the user. The system admin could care less if a
> *valid* user accidentally did "rm -rf ~/", but if your password is
> suddenly guessable by a cracker, then I'm sure the system admin will be
> very displeased.

Precisely. 'rm -rf' is the user's concern; insecure passwords are a
system concern.

> FYI, there are ways to tone down the password strength checks.

The most complete way to 'tone down' the password strength checks is to
remove pam_cracklib from the config altogether. Previous versions of
pam_cracklib were certainly buggy enough in their analysis of password
strength that I've considered this justifiable. Some of those bugs,
particularly the 'passwords are too similar' problem, have been
addressed in recent PAM releases.

I'm not sure existing PAM modules are flexible enough that you can make
pam_cracklib's strength checking 'informational' without inconveniencing
the user. pam_pwdb and pam_unix support a 'use_authtok' option, which
tells them to retrieve the new password token from the previous module,
the alternative being to always prompt the user. The functionality you
appear to want, Paul, lies somewhere in the middle. A
'user_is_always_right' option to pam_cracklib might be the easiest way
to support this in Linux-PAM.

Steve Langasek
postmodern programmer
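As an added illustration, not part of the thread above, here is what the password stack Steve describes looks like in a Linux-PAM service file. The file path, the option values and the comments are assumptions made for this example; only the module names and the use_authtok behaviour come from the message.

```text
# /etc/pam.d/passwd  (assumed example service file, not from the thread)

# Strict stack. pam_cracklib prompts for the new password, runs its
# strength checks, and only on success hands the token down the stack.
# pam_unix then takes that token (use_authtok) instead of prompting a
# second time, so a password pam_cracklib rejected never reaches pam_unix.
password  required  pam_cracklib.so retry=3 minlen=8 difok=3
password  required  pam_unix.so     use_authtok nullok md5

# "Toned down" variant: keep pam_cracklib, loosen its parameters
# (more retries, shorter minimum length, fewer characters that must
# differ from the old password).
#password  required  pam_cracklib.so retry=5 minlen=6 difok=2
#password  required  pam_unix.so     use_authtok nullok md5

# Most complete removal, as the message suggests: drop pam_cracklib
# entirely. pam_unix must now prompt for the new password itself, so
# use_authtok has to go as well; with no module above it there is no
# token to retrieve and pam_unix would simply fail.
#password  required  pam_unix.so     nullok md5
```

The gap the message points at is visible in the first stack: there is no control flag that makes pam_cracklib's verdict advisory. If its check fails it passes no token on, so pam_unix either fails (with use_authtok) or prompts again (without it), which is the inconvenience Steve mentions; an "informational" mode would have to come from the module itself, hence the suggested 'user_is_always_right' option.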