Thank you. I got it working with the following:
password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
password required /lib/security/$ISA/pam_deny.so
I'll study the use_first_pass and use_authtok options more carefully. I'll also think about the 'required' and 'sufficient' settings - unclear to me right now.
The AR25-2 regulation actually specifies that at least 2 characters from each of the four character groups be used in a password at least 10 characters long. I don't see an obvious way to enforce that with passwdqc, but I can get closer than before with this option:
password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok min=disabled,disabled,disabled,disabled,10
Perhaps there is something I could do with the random=N option, but it isn't obvious to me how large a bit-value to select to get the desired enforcement. Ideas?
Thanks again! Bill
On Thu, Jun 03, 2004 at 01:03:03PM +1200, William Brower wrote:
I downloaded and installed the module - things went cleanly and the module was installed in /lib/security/pam_passwdqc.so
2) I tried modifying /etc/pam.d/system-auth to look like this
(I know there is a warning about file autogeneration, but frankly, the /etc/pam.d/passwd file seems to direct all real action to this file - should I just modify the /etc/pam.d/passwd file instead?)
No, there's no need to modify other PAM config files and it is appropriate to modify /etc/pam.d/system-auth almost like you did.
OLD:
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
NEW:
#password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password required /lib/security/$ISA/pam_passwdqc.so
You said the module installed under /lib/security/pam_passwdqc.so -- perhaps you need to remove the extra "/$ISA" from this line then?
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
Please revert the change you did to this line. It should have worked fine with "use_authtok".
-- William Brower MIT Lincoln Laboratory Reagan Test Site, Kwajalein, Marshall Islands p: 805.355.1310 f: 805.355.1701
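An added example, in Python, that is not code from this thread or from the passwdqc project: it checks a candidate password against the AR25-2 rule as quoted above (at least 10 characters, at least 2 characters from each of four character groups) and against an approximation of what the posted passwdqc line min=disabled,disabled,disabled,disabled,10 accepts, so the gap between the two can be seen on concrete inputs. The group membership used here (digits, lower-case letters, upper-case letters, everything else) and the rule that passwdqc does not count a leading upper-case letter or a trailing digit towards the class count are my reading of passwdqc's documentation, not something stated in the thread; passwdqc's passphrase handling and its dictionary and similarity checks are not modelled. The sample passwords are constructed for the example.

```python
"""Added example: AR25-2 password rule (as quoted in the thread) versus an
approximation of passwdqc's min=disabled,disabled,disabled,disabled,10."""

import string

# Assumed membership of the four character groups (AR25-2 as quoted names
# four groups but not their contents): digits, lower, upper, and "other".
GROUPS = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
}


def classify(ch):
    """Return the group name a single character belongs to."""
    for name, members in GROUPS.items():
        if ch in members:
            return name
    return "other"


def group_counts(password):
    """Count how many characters fall into each of the four groups."""
    counts = {"digit": 0, "lower": 0, "upper": 0, "other": 0}
    for ch in password:
        counts[classify(ch)] += 1
    return counts


def meets_ar25_2(password, min_len=10, per_group=2):
    """AR25-2 as quoted: length >= 10 and >= 2 characters from every group."""
    if len(password) < min_len:
        return False
    return all(n >= per_group for n in group_counts(password).values())


def passes_passwdqc_min(password, min_len=10):
    """Approximation of passwdqc 'min=disabled,disabled,disabled,disabled,10':
    only a password that uses all four classes is accepted, and only if it is
    at least 10 characters long. Per my reading of passwdqc's documentation
    (assumption, not from the thread), an upper-case letter in the first
    position and a digit in the last position are not counted as classes.
    Note that passwdqc needs just one character per class, not two."""
    if len(password) < min_len:
        return False
    body = password
    if body and body[0] in GROUPS["upper"]:
        body = body[1:]
    if body and body[-1] in GROUPS["digit"]:
        body = body[:-1]
    classes = {classify(ch) for ch in body}
    return len(classes) == 4


# Constructed sample passwords (not real credentials).
SAMPLES = [
    "aB3$eF6&gH",  # 10 chars, 2+ of each group: passes both checks
    "ab3$Efghij",  # 4 classes but only 1 upper/digit/other: passwdqc yes, AR25-2 no
    "Abcdefghi1",  # leading upper + trailing digit not counted: both no
    "aB3$eF6&g",   # 9 chars: both no
]


def compare(samples=SAMPLES):
    """Map each sample to (meets AR25-2, passes passwdqc approximation)."""
    return {pw: (meets_ar25_2(pw), passes_passwdqc_min(pw)) for pw in samples}


if __name__ == "__main__":
    for pw, (ar, pq) in compare().items():
        print(f"{pw!r:16} AR25-2={ar!s:5} passwdqc-approx={pq}")
```

The second sample is the case the thread is worried about: passwdqc's four-class check is satisfied by a single upper-case letter, digit and symbol, so the min= option alone cannot enforce the "two from each group" part of AR25-2. Anything stricter would need a separate check outside passwdqc, or a different module.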
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list