Mailinglist Archive: opensuse-autoinstall (29 mails)

Re: [opensuse-autoinstall] complex password
  • From: Jiří Suchomel <jsuchome@xxxxxxx>
  • Date: Mon, 16 Jun 2008 15:41:45 +0200
  • Message-id: <200806161541.46207.jsuchome@xxxxxxx>
On Thursday, 12 June 2008, Justin Lim wrote:
Hello,

I am trying to set up some complex password settings and am having some
problems with both SLES9 and SLES10.

In my autoyast template I have the following <security> section
    <security>
        <console_shutdown>ignore</console_shutdown>
        <cwd_in_root_path>no</cwd_in_root_path>
        <fail_delay>5</fail_delay>
        <faillog_enab>yes</faillog_enab>
        <lastlog_enab>yes</lastlog_enab>
        <encryption>blowfish</encryption>
        <pass_max_days>60</pass_max_days>
        <pass_min_days>0</pass_min_days>
        <pass_warn_age>10</pass_warn_age>
        <pass_max_len>20</pass_max_len>
        <pass_min_len>10</pass_min_len>
        <passwd_use_cracklib>yes</passwd_use_cracklib>
        <permission_security>secure</permission_security>
    </security>

This would generate /etc/security/pam_pwcheck.conf to be
Password:           minlen=20 cracklib blowfish nullok

And also in /etc/login.defs sets
PASS_MAX_DAYS   60
PASS_MIN_DAYS   0
PASS_WARN_AGE   10

However when setting up complex passwords using the xlimits on
/etc/pam.d/passwd ie
more /etc/pam.d/passwd
#%PAM-1.0
auth required   pam_unix2.so    nullok
account required        pam_unix2.so
password required       pam_pwcheck.so
password required       pam_cracklib.so use_first_pass use_authtok no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
password required       pam_pwcheck.so  use_authtok remember=12
password required       pam_unix2.so    nullok use_first_pass  use_authtok
session required        pam_unix2.so

having the /etc/security/pam_pwcheck.conf as above will break it.  So
/etc/security/pam_pwcheck.conf would have to be changed to the following
Password:           blowfish nullok

I'm not sure if I understand: do you really only need to have
final /etc/security/pam_pwcheck.conf as written just above?

So why do you want to set minlen and cracklib to yes in security section?

Jiri

--
Jiri Suchomel

SUSE LINUX, s.r.o. e-mail: jsuchome@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 960
190 00 Praha 9, Czech Republic http://www.suse.cz
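
An added example, not part of the original mail or of AutoYaST: a small Python check that reads the two files quoted in the message and lists where /etc/security/pam_pwcheck.conf and the password stack in /etc/pam.d/passwd both set a length or cracklib rule. The function names are hypothetical and the sample input is constructed from the values in the mail.

```python
import re

# Constructed sample input built from the values quoted in the mail; the
# backslash continuation stands in for the line the mail client wrapped.
PAM_PASSWD = """\
#%PAM-1.0
auth required   pam_unix2.so    nullok
password required       pam_pwcheck.so
password required       pam_cracklib.so use_first_pass use_authtok \\
    no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
password required       pam_pwcheck.so  use_authtok remember=12
password required       pam_unix2.so    nullok use_first_pass  use_authtok
session required        pam_unix2.so
"""
PWCHECK_CONF = "Password:           minlen=20 cracklib blowfish nullok\n"

# type, control (plain word or [bracketed]), module, then the options
PASSWORD_LINE = re.compile(r"^-?password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def _opts(tokens):
    """['minlen=11', 'nullok'] -> {'minlen': '11', 'nullok': None}"""
    return dict((t.split("=", 1) + [None])[:2] for t in tokens)

def password_stack(pam_text):
    """Return [(module, options)] for each 'password' line, in stack order."""
    joined = re.sub(r"\\\n\s*", " ", pam_text)  # undo backslash continuations
    stack = []
    for line in joined.splitlines():
        m = PASSWORD_LINE.match(line.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(1).rsplit("/", 1)[-1], _opts(m.group(2).split())))
    return stack

def pwcheck_conf(conf_text):
    """Options on the 'password:' line of pam_pwcheck.conf (case-insensitive)."""
    for line in conf_text.splitlines():
        key, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and key.strip().lower() == "password":
            return _opts(rest.split())
    return {}

def overlaps(pam_text, conf_text):
    """List length/cracklib rules set both in the conf file and in the stack."""
    conf, found = pwcheck_conf(conf_text), []
    for module, opts in password_stack(pam_text):
        if module == "pam_cracklib.so" and "cracklib" in conf:
            found.append("cracklib: enabled in pam_pwcheck.conf and pam_cracklib.so is stacked")
        if "minlen" in conf and opts.get("minlen") not in (None, conf["minlen"]):
            found.append(f"minlen: {conf['minlen']} in pam_pwcheck.conf, {opts['minlen']} on {module}")
    return found

if __name__ == "__main__":
    print("\n".join(overlaps(PAM_PASSWD, PWCHECK_CONF)) or "no overlapping settings")
```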