If I remove the pass_min_len it's fine, but even if I remove the lines for cracklib it will still put it in /etc/security/pam_pwcheck.conf.
During our testing with Novell it was stated that /etc/security/pam_pwcheck.conf must be

--snip-- /etc/security/pam_pwcheck.conf
password: blowfish nullok
--snip--
I just want to see if there is a better method to set the complex password settings like ocredit, ucredit, minlen, retry, difok and correctly set /etc/security/pam_pwcheck.conf using the templates, without having to overwrite each of /etc/pam.d/passwd, /etc/login.defs and /etc/security/pam_pwcheck.conf.
Thanks
-----Original Message-----
From: Jiří Suchomel [mailto:jsuchome@suse.cz]
Sent: Monday, June 16, 2008 8:42 AM
To: opensuse-autoinstall@opensuse.org
Cc: Justin Lim
Subject: Re: [opensuse-autoinstall] complex password
On Thursday 12 June 2008, Justin Lim wrote:
Hello,
I am trying to set up some complex password settings and am having some problems with both SLES9 and SLES10.

In my autoyast template I have the following <security> section:

<security>
  <console_shutdown>ignore</console_shutdown>
  <cwd_in_root_path>no</cwd_in_root_path>
  <fail_delay>5</fail_delay>
  <faillog_enab>yes</faillog_enab>
  <lastlog_enab>yes</lastlog_enab>
  <encryption>blowfish</encryption>
  <pass_max_days>60</pass_max_days>
  <pass_min_days>0</pass_min_days>
  <pass_warn_age>10</pass_warn_age>
  <pass_max_len>20</pass_max_len>
  <pass_min_len>10</pass_min_len>
  <passwd_use_cracklib>yes</passwd_use_cracklib>
  <permission_security>secure</permission_security>
</security>

This would generate /etc/security/pam_pwcheck.conf to be

Password: minlen=20 cracklib blowfish nullok

And also in /etc/login.defs it sets

PASS_MAX_DAYS 60
PASS_MIN_DAYS 0
PASS_WARN_AGE 10

However, when setting up complex passwords using the xlimits on /etc/pam.d/passwd, i.e.

more /etc/pam.d/passwd
#%PAM-1.0
auth     required pam_unix2.so nullok
account  required pam_unix2.so
password required pam_pwcheck.so
password required pam_cracklib.so use_first_pass use_authtok no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
password required pam_pwcheck.so use_authtok remember=12
password required pam_unix2.so nullok use_first_pass use_authtok
session  required pam_unix2.so

having the /etc/security/pam_pwcheck.conf as above will break it. So /etc/security/pam_pwcheck.conf would have to be changed to the following:

Password: blowfish nullok
I'm not sure if I understand: do you really only need to have final /etc/security/pam_pwcheck.conf as written just above?
So why do you want to set minlen and cracklib to yes in security section?
Jiri
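
Added example, not part of the thread and not YaST or AutoYaST code: a Python check for the overlap the original poster describes, where password-quality options appear both in /etc/security/pam_pwcheck.conf and on the pam_cracklib.so line of /etc/pam.d/passwd. The file contents are reconstructed from the messages above; the function names, the handling of simple control keywords only, and the choice to report the overlap as a finding are assumptions of this example.

```python
# Sample inputs reconstructed from the thread (constructed, not read from disk).
PWCHECK_CONF = "Password: minlen=20 cracklib blowfish nullok\n"
PAM_PASSWD = """\
#%PAM-1.0
auth     required pam_unix2.so nullok
account  required pam_unix2.so
password required pam_pwcheck.so
password required pam_cracklib.so use_first_pass use_authtok no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
password required pam_pwcheck.so use_authtok remember=12
password required pam_unix2.so nullok use_first_pass use_authtok
session  required pam_unix2.so
"""

def parse_opts(tokens):
    """Turn ['minlen=11', 'nullok'] into {'minlen': '11', 'nullok': None}."""
    opts = {}
    for tok in tokens:
        key, _, val = tok.partition("=")
        opts[key] = val if "=" in tok else None
    return opts

def pwcheck_conf_opts(text, group="password"):
    """Options on the '<group>:' line of pam_pwcheck.conf (case-insensitive)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == group:
            return parse_opts(rest.split())
    return {}

def module_opts(pam_text, module, group="password"):
    """Merged options of every `module` line in one management group.
    Assumes simple control keywords (required, requisite, ...), no [..] form."""
    opts = {}
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group and fields[2] == module:
            opts.update(parse_opts(fields[3:]))
    return opts

def overlap_findings(conf_text, pam_text):
    """Report quality options set both in pam_pwcheck.conf and on pam_cracklib.so."""
    conf, crack = pwcheck_conf_opts(conf_text), module_opts(pam_text, "pam_cracklib.so")
    findings = []
    if crack and "cracklib" in conf:
        findings.append("cracklib set in pam_pwcheck.conf and pam_cracklib.so in stack")
    if "minlen" in conf and "minlen" in crack and conf["minlen"] != crack["minlen"]:
        findings.append(f"minlen differs: pam_pwcheck.conf={conf['minlen']} "
                        f"pam_cracklib.so={crack['minlen']}")
    return findings
```

Run against the generated file it reports both overlaps; with the reduced "Password: blowfish nullok" line it reports none.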