FW: pam_passwdqc

on 09.01.2007 18:13:40 by DAVID.A.KIRKWOOD

Can someone explain the min= n0,N1,N2,N3,N4 parameters of pam_passwdqc?
I set them to be
pam_passwdqc min=disabled,24,24,8,8 passphrase=0 and expected that to be
interpreted as:
passwords cannot be only 1 class,
passphrases are not to be used,
if 2 classes are used they must be 24 characters,
if 3 classes are used they must be 8 characters
if 4 classes are used they must be 8 characters.

When I test it, it allows me to use a password like "abcdefgh".

How are these Nn parameters used?

Thanks,
David
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
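
Added example (not part of the original thread, and not pam_passwdqc's own code): a simplified model of how the pam_passwdqc man page says the five min= values are selected, run against the setting from the question. It assumes the documented semantics (N0 for one character class, N1 for two classes, N2 for passphrases, N3 and N4 for three and four classes, with an upper-case first character and a digit as last character not counted); the function names are hypothetical, and passphrase detection, the different-characters requirement and the dictionary and similarity checks are left out.

```python
import string

def parse_min(option):
    """Parse 'min=N0,N1,N2,N3,N4'; a 'disabled' entry becomes None."""
    name, _, value = option.partition("=")
    fields = value.split(",")
    if name != "min" or len(fields) != 5:
        raise ValueError("expected min=N0,N1,N2,N3,N4")
    return [None if f == "disabled" else int(f) for f in fields]

def count_classes(password):
    """Count digit/lower/upper/other classes the way the man page describes."""
    seen = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch in string.digits:
            if i != last:          # a digit as the last character is not counted
                seen.add("digit")
        elif ch in string.ascii_lowercase:
            seen.add("lower")
        elif ch in string.ascii_uppercase:
            if i != 0:             # an upper-case first character is not counted
                seen.add("upper")
        else:
            seen.add("other")      # simplification: non-ASCII lands here too
    return len(seen)

def length_rule(password, mins):
    """Return (accepted, reason) for the length/class rule only (simplified model)."""
    classes = count_classes(password)
    if classes == 0:
        return False, "no character class counted"
    # N0: one class, N1: two classes, N3/N4: three/four classes.
    # N2 (mins[2]) applies to passphrases, which this model does not detect.
    label, minimum = {1: ("N0", mins[0]), 2: ("N1", mins[1]),
                      3: ("N3", mins[3]), 4: ("N4", mins[4])}[classes]
    if minimum is None:
        return False, f"{classes} class(es): {label} is disabled"
    if len(password) < minimum:
        return False, f"{classes} classes: {label} requires {minimum} characters"
    return True, f"{classes} classes: meets {label}={minimum}"

if __name__ == "__main__":
    mins = parse_min("min=disabled,24,24,8,8")   # the setting from the question
    # Constructed sample passwords, for illustration only.
    for pw in ("abcdefgh", "Abcdefg1", "abcd1efg", "abC4efgh", "aB3$efgh"):
        print(pw, length_rule(pw, mins))
```

Under this model the setting from the question refuses "abcdefgh" because N0 is disabled, which is consistent with the later report in this thread that the acceptance came from where the module sat in the stack.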

RE: pam_passwdqc

on 09.01.2007 21:08:08 by DAVID.A.KIRKWOOD

For anyone interested, the solution seems to be that this module has to
be the first module checked in the passwd authentication stack. Then it
seems to work, but I need to test further.



RE: pam_passwdqc

on 10.01.2007 14:07:23 by Glynn Clements

Kirkwood, David A. wrote:

> For anyone interested, the solution seems to be that this module has to
> Be the first module checked in the passwd authentication stack. Then it
> seems to work, but I need to test further.

Password "QC" modules (e.g. pam_cracklib) normally go in the
"password" stack (used when setting/changing a password) rather than
the "auth" stack (used for authentication).

I have no experience with pam_passwdqc (I don't have it on my system),
so I can't answer the original question.

--
Glynn Clements

RE: pam_passwdqc

on 10.01.2007 15:37:10 by DAVID.A.KIRKWOOD

Glynn,

I should have been more specific. RHEL chooses to use the existence of
pam.d rather than pam.conf for configuration of the security modules.
Within this directory, there is a text file, system-auth, that has a
structure as follows:

auth required /lib/security/$ISA/pam_env.so
more auths related requires, requisites, etc

account required /lib/security/$ISA/pam_unix.so
more account related requires, requisites, etc

password requisite /lib/security/$ISA/pam_cracklib.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
more session related requires, requisites, etc

Then, for the various services such as passwd, sshd, etc. they use
pam_stack.so as, in the case of passwd:

auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

to call the appropriate security module.

As it turns out, pam_passwdqc must be the first module called in the
password module stack to work properly. I originally had it under
pam_cracklib.so and it didn't work. Moving it before the cracklib module
corrected the problem.

