On Fri, 2004-12-03 at 14:47 -0600, Browder, Tom wrote:
> Can someone please tell me how, on FC 2, to do the following:
>
> 1. Ensure a password meets minimum length and other quality
> restrictions.

Put the

    password requisite pam_cracklib.so retry=5 minlen=8 dcredit=-1 ucredit=-1 ocredit=0 lcredit=-1

into /etc/pam.d/system-auth

> 2. Lockout an account for time X after three failed attempts.

This should be achievable using pam_tally.so, but the functionality is
partly broken and also not very secure (even after lockout it can reveal
a successful password break attempt to an attacker).

> 3. Force a user to change a password after time Y.

man chage

> 4. Report all the above.

Reports should be in system log.

> The /etc/login.defs with password restrictions apparently doesn't work
> with PAM.

It doesn't, it's obsoleted.

> PAM documentation is very confusing to me--I see
> apparent dependencies, duplications, and overlaps between "services"
> and modules, and which takes precedence is not clear..
>
> For example, following the examples in the "Linux-PAM System
> Administrators' Guide" (latest I could find: version 0.76, Jun 2002)
> for the /etc/pam.d/passwd doesn't work for me. I set the following:
>
> password required pam_cracklib.so \
> dcredit=-1 ucredit=-1 ocredit=o lcredit=-1 minlen=8
>
> Nothing changes:
>
> As a user I try to change my password and it accepts 6 characters.

The problem is in FC using the pam_stack module, which changes things a
little bit, so if you put this in /etc/pam.d/passwd it won't work as
expected.

--
Tomas Mraz <tmraz@xxxxxxxxxx>
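
An added example, not part of the original message and not pam_cracklib's own code: a simplified Python model of how the minlen and *credit arguments in the system-auth line above combine, applied to constructed sample passwords. It assumes the semantics and defaults given in the pam_cracklib man page (minlen=9, each credit=1) and models only the length and character-class rule, not the dictionary or similarity checks.

```python
import string

# Assumed module defaults (from the pam_cracklib man page).
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASSES = [("dcredit", "digit"), ("ucredit", "uppercase letter"),
           ("lcredit", "lowercase letter"), ("ocredit", "other character")]

def parse_args(line):
    """Parse 'key=value' module arguments; keys not modelled here are ignored."""
    opts = dict(DEFAULTS)
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(val)
    return opts

def count_classes(pw):
    """Count characters per class (ASCII classes, like C's isdigit/isupper)."""
    counts = {key: 0 for key, _ in CLASSES}
    for ch in pw:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def check(pw, opts):
    """Return a list of reasons the password is rejected; empty means accepted."""
    counts = count_classes(pw)
    needed = opts["minlen"]
    problems = []
    for key, label in CLASSES:
        credit = opts[key]
        if credit >= 0:
            # Non-negative credit: up to `credit` such chars shorten the length needed.
            needed -= min(counts[key], credit)
        elif counts[key] < -credit:
            # Negative credit: at least -credit characters of this class are mandatory.
            problems.append(f"needs at least {-credit} {label}(s)")
    if len(pw) < needed:
        problems.append(f"too short: {len(pw)} < {needed}")
    return problems

if __name__ == "__main__":
    strict = parse_args("retry=5 minlen=8 dcredit=-1 ucredit=-1 ocredit=0 lcredit=-1")
    for pw in ("abcdef", "Abcde1", "Abcdef12"):  # constructed sample passwords
        print(pw, "strict:", check(pw, strict), "defaults:", check(pw, DEFAULTS))
```

With non-negative credits a mixed-class password may be shorter than minlen, which is why the negative values in the suggested line matter.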