On Thu, Jun 03, 2004 at 04:42:37PM +1200, William Brower wrote:
> I got it working with the following:
>
> password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass
> md5 shadow
> password required /lib/security/$ISA/pam_deny.so

Yes, that's a correct combination of settings and indeed it should work,
but you should have also been able to get it working with the unmodified
pam_unix line (with "use_authtok" on it) and no "ask_oldauthtok" option
to pam_passwdqc.

> I'll also think about the 'required' and 'sufficient' settings - unclear
> to me right now.

Red Hat could have used "required" for pam_unix as well and then not need
the pam_deny line.

> The AR25-2 regulation actually specifies that at least 2 characters from
> each of the four character groups be used in a password at least 10
> characters long. I don't see an obvious way to enforce that with
> passwdqc,

You might be misreading the requirement in the regulation, although it is
poorly worded and I am not entirely sure myself. Quoting your previous
e-mail,

--
| (2) The password will be a mix of uppercase letters, lowercase
| letters, numbers, and special characters, including at least two of each
| of the four types of characters (for example, x$TloTBn2!) and can be
| user generated.

Don't they require at least two of the four _types_ of characters, not at
least two _characters_ of each type? The example password they give
contains only one instance of a digit.

> but I can get closer than before with this option:
>
> password required /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
> min=disabled,disabled,disabled,disabled,10

With the above correction, the most liberal setting which still satisfies
the regulation is:

min=disabled,10,10,10,10

But for practical use, I recommend something like:

min=disabled,24,12,10,10

> Perhaps there is something I could do with the random=N option, but it
> isn't obvious to me how large a bit-value to select to get the desired
> enforcement. Ideas?

The default at 42 bits is reasonable if your system uses a modern password
hashing method. Please note that this option affects only machine-generated
passwords; it is not an enforcement setting for user-chosen ones.

--
Alexander

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
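Added example (not from the thread above, and not pam_passwdqc's own code): a small Python model that puts the two readings of the AR25-2 wording beside the min= arithmetic pam_passwdqc applies, so the effect of min=disabled,10,10,10,10 versus min=disabled,24,12,10,10 on a concrete password can be checked offline. It assumes the field order documented in the pam_passwdqc manual (N0 for passwords made of one character class, N1 for two classes, N2 for passphrases, N3 for three classes, N4 for four) and the manual's rule that an uppercase first character and a digit last character do not count toward a class. Passphrase handling, the dictionary check and the similarity-to-old-password check are left out, so only the length-by-class-count test is modelled. The function names and all sample passwords other than the regulation's own x$TloTBn2! are constructed for this illustration.

```python
"""Model of pam_passwdqc's min=N0,N1,N2,N3,N4 length-by-class test beside two
readings of the AR25-2 requirement (constructed illustration, not passwdqc code)."""

DISABLED = None  # models the literal "disabled" value of a min= field


def parse_min(spec):
    """Parse 'min=disabled,24,12,10,10' into five entries (None = disabled)."""
    body = spec.split("=", 1)[1] if spec.startswith("min=") else spec
    fields = body.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five fields, got %d" % len(fields))
    return [DISABLED if f == "disabled" else int(f) for f in fields]


def class_counts(password):
    """Count digits, lowercase, uppercase and 'other' characters."""
    counts = {"digit": 0, "lower": 0, "upper": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        else:
            counts["other"] += 1
    return counts


def passwdqc_classes(password):
    """Character classes as pam_passwdqc counts them (per its manual): an
    uppercase first character and a digit last character are not counted."""
    core = password
    if core and core[0].isupper():
        core = core[1:]
    if core and core[-1].isdigit():
        core = core[:-1]
    return sum(1 for v in class_counts(core).values() if v > 0)


def passwdqc_accepts(password, spec="min=disabled,24,12,10,10"):
    """Apply the N0/N1/N3/N4 length thresholds by class count.
    N2 (passphrases) is deliberately not modelled here."""
    n0, n1, _n2, n3, n4 = parse_min(spec)
    threshold = {1: n0, 2: n1, 3: n3, 4: n4}[max(1, passwdqc_classes(password))]
    if threshold is DISABLED:
        return False  # passwords of this class count are rejected outright
    return len(password) >= threshold


def ar25_strict_accepts(password, min_len=10, per_class=2):
    """Strict reading: at least `per_class` characters from each of the four
    classes, in a password of at least `min_len` characters."""
    return len(password) >= min_len and all(
        v >= per_class for v in class_counts(password).values())


def ar25_loose_accepts(password, min_len=10, min_classes=2):
    """Loose reading: at least `min_classes` of the four classes present."""
    present = sum(1 for v in class_counts(password).values() if v > 0)
    return len(password) >= min_len and present >= min_classes


def compare(password):
    """Verdicts of every policy discussed in the thread for one password."""
    return {
        "ar25_strict": ar25_strict_accepts(password),
        "ar25_loose": ar25_loose_accepts(password),
        "min=disabled,10,10,10,10": passwdqc_accepts(password, "min=disabled,10,10,10,10"),
        "min=disabled,24,12,10,10": passwdqc_accepts(password),
    }


if __name__ == "__main__":
    # Constructed samples; x$TloTBn2! is the regulation's own example.
    for pw in ("x$TloTBn2!", "Password1", "1abcdefghijklmnopqrstuvw"):
        print(pw, compare(pw))
```

Running it shows the point of the reply: the regulation's own example x$TloTBn2! fails the strict reading (one digit only) but passes the loose one and both min= settings, while a 24-character two-class password is accepted only by the stricter recommended line because N1 is 24 there.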