[opensuse-autoinstall] complex password

Hello,

I am trying to set up some complex password settings and am having some problems with both SLES9 and SLES10.

In my autoyast template I have the following <security> section:

    <security>
      <console_shutdown>ignore</console_shutdown>
      <cwd_in_root_path>no</cwd_in_root_path>
      <fail_delay>5</fail_delay>
      <faillog_enab>yes</faillog_enab>
      <lastlog_enab>yes</lastlog_enab>
      <encryption>blowfish</encryption>
      <pass_max_days>60</pass_max_days>
      <pass_min_days>0</pass_min_days>
      <pass_warn_age>10</pass_warn_age>
      <pass_max_len>20</pass_max_len>
      <pass_min_len>10</pass_min_len>
      <passwd_use_cracklib>yes</passwd_use_cracklib>
      <permission_security>secure</permission_security>
    </security>

This would generate /etc/security/pam_pwcheck.conf to be

    Password: minlen=20 cracklib blowfish nullok

And also in /etc/login.defs sets

    PASS_MAX_DAYS 60
    PASS_MIN_DAYS 0
    PASS_WARN_AGE 10

However when setting up complex passwords using the xlimits on /etc/pam.d/passwd, i.e.

    more /etc/pam.d/passwd
    #%PAM-1.0
    auth required pam_unix2.so nullok
    account required pam_unix2.so
    password required pam_pwcheck.so
    password required pam_cracklib.so use_first_pass use_authtok no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
    password required pam_pwcheck.so use_authtok remember=12
    password required pam_unix2.so nullok use_first_pass use_authtok
    session required pam_unix2.so

having the /etc/security/pam_pwcheck.conf as above will break it. So /etc/security/pam_pwcheck.conf would have to be changed to the following

    Password: blowfish nullok

So when I got in touch with Novell support they asked me to use <file> to overwrite the /etc/security/pam_pwcheck.conf and /etc/pam/passwd and also /etc/login.defs, but are there any other solutions than to just overwrite the files?

Thanks

--
To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org

On Thursday, 12 June 2008, Justin Lim wrote:
> Hello,
>
> I am trying to set up some complex password settings and am having some problems with both SLES9 and SLES10.
>
> In my autoyast template I have the following <security> section:
>
>     <security>
>       <console_shutdown>ignore</console_shutdown>
>       <cwd_in_root_path>no</cwd_in_root_path>
>       <fail_delay>5</fail_delay>
>       <faillog_enab>yes</faillog_enab>
>       <lastlog_enab>yes</lastlog_enab>
>       <encryption>blowfish</encryption>
>       <pass_max_days>60</pass_max_days>
>       <pass_min_days>0</pass_min_days>
>       <pass_warn_age>10</pass_warn_age>
>       <pass_max_len>20</pass_max_len>
>       <pass_min_len>10</pass_min_len>
>       <passwd_use_cracklib>yes</passwd_use_cracklib>
>       <permission_security>secure</permission_security>
>     </security>
>
> This would generate /etc/security/pam_pwcheck.conf to be
>
>     Password: minlen=20 cracklib blowfish nullok
>
> And also in /etc/login.defs sets
>
>     PASS_MAX_DAYS 60
>     PASS_MIN_DAYS 0
>     PASS_WARN_AGE 10
>
> However when setting up complex passwords using the xlimits on /etc/pam.d/passwd, i.e.
>
>     more /etc/pam.d/passwd
>     #%PAM-1.0
>     auth required pam_unix2.so nullok
>     account required pam_unix2.so
>     password required pam_pwcheck.so
>     password required pam_cracklib.so use_first_pass use_authtok no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
>     password required pam_pwcheck.so use_authtok remember=12
>     password required pam_unix2.so nullok use_first_pass use_authtok
>     session required pam_unix2.so
>
> having the /etc/security/pam_pwcheck.conf as above will break it. So /etc/security/pam_pwcheck.conf would have to be changed to the following
>
>     Password: blowfish nullok

I'm not sure if I understand: do you really only need to have final /etc/security/pam_pwcheck.conf as written just above? So why do you want to set minlen and cracklib to yes in security section?

Jiri

--
Jiri Suchomel
SUSE LINUX, s.r.o.                e-mail: jsuchome@suse.cz
Lihovarská 1060/12                tel: +420 284 028 960
190 00 Praha 9, Czech Republic    http://www.suse.cz

If I remove the pass_min_len it's fine, but even if I remove the lines for cracklib it will still put it in /etc/security/pam_pwcheck.conf.

During our testing with Novell it was stated that /etc/security/pam_pwcheck.conf must be

--snip--
/etc/security/pam_pwcheck.conf
password: blowfish nullok
--snip--

I just want to see if there is a better method to set the complex password settings like ocredit ucredit minlen retry difok and correctly set /etc/security/pam_pwcheck.conf using the templates without having to overwrite each of

/etc/pam.d/passwd
/etc/login.defs
/etc/security/pam_pwcheck.conf

Thanks

-----Original Message-----
From: Jiří Suchomel [mailto:jsuchome@suse.cz]
Sent: Monday, June 16, 2008 8:42 AM
To: opensuse-autoinstall@opensuse.org
Cc: Justin Lim
Subject: Re: [opensuse-autoinstall] complex password

On Thursday, 12 June 2008, Justin Lim wrote:
> Hello,
>
> I am trying to set up some complex password settings and am having some problems with both SLES9 and SLES10.
>
> In my autoyast template I have the following <security> section:
>
>     <security>
>       <console_shutdown>ignore</console_shutdown>
>       <cwd_in_root_path>no</cwd_in_root_path>
>       <fail_delay>5</fail_delay>
>       <faillog_enab>yes</faillog_enab>
>       <lastlog_enab>yes</lastlog_enab>
>       <encryption>blowfish</encryption>
>       <pass_max_days>60</pass_max_days>
>       <pass_min_days>0</pass_min_days>
>       <pass_warn_age>10</pass_warn_age>
>       <pass_max_len>20</pass_max_len>
>       <pass_min_len>10</pass_min_len>
>       <passwd_use_cracklib>yes</passwd_use_cracklib>
>       <permission_security>secure</permission_security>
>     </security>
>
> This would generate /etc/security/pam_pwcheck.conf to be
>
>     Password: minlen=20 cracklib blowfish nullok
>
> And also in /etc/login.defs sets
>
>     PASS_MAX_DAYS 60
>     PASS_MIN_DAYS 0
>     PASS_WARN_AGE 10
>
> However when setting up complex passwords using the xlimits on /etc/pam.d/passwd, i.e.
>
>     more /etc/pam.d/passwd
>     #%PAM-1.0
>     auth required pam_unix2.so nullok
>     account required pam_unix2.so
>     password required pam_pwcheck.so
>     password required pam_cracklib.so use_first_pass use_authtok no_obscure_checks retry=3 minlen=11 difok=-1 dcredit=-1 ucredit=-1
>     password required pam_pwcheck.so use_authtok remember=12
>     password required pam_unix2.so nullok use_first_pass use_authtok
>     session required pam_unix2.so
>
> having the /etc/security/pam_pwcheck.conf as above will break it. So /etc/security/pam_pwcheck.conf would have to be changed to the following
>
>     Password: blowfish nullok

I'm not sure if I understand: do you really only need to have final /etc/security/pam_pwcheck.conf as written just above? So why do you want to set minlen and cracklib to yes in security section?

Jiri

--
Jiri Suchomel
SUSE LINUX, s.r.o.                e-mail: jsuchome@suse.cz
Lihovarská 1060/12                tel: +420 284 028 960
190 00 Praha 9, Czech Republic    http://www.suse.cz
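
A post-install check for the condition reported in this thread, as an added example that is not part of the original messages: it flags a pam_pwcheck.conf whose password: line still carries minlen= or cracklib while the password stack calls pam_cracklib.so. The function names and sample files are constructed for illustration, and the rule is the poster's reported finding, taken here as an assumption rather than documented module behaviour.

```shell
#!/bin/sh
# Added example: audit for the pam_pwcheck.conf / pam_cracklib.so conflict
# described in the thread. Rule assumed from the poster's report, not from docs.

# Print the options on the "password:" line of a pam_pwcheck.conf
# (the key is matched case-insensitively, the thread shows both spellings).
pwcheck_password_opts() {
    awk 'tolower($1) == "password:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 if the password stack of a pam.d file references pam_cracklib.so.
stack_uses_cracklib() {
    awk '$1 == "password" && $3 ~ /pam_cracklib\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# audit_pwcheck CONF PAMFILE
# Prints the conflicting options and returns 1 on conflict, 0 otherwise.
audit_pwcheck() {
    conf=$1 pamfile=$2 bad=""
    stack_uses_cracklib "$pamfile" || return 0
    for opt in $(pwcheck_password_opts "$conf"); do
        case $opt in
            minlen=*|cracklib|cracklib=*) bad="$bad $opt" ;;
        esac
    done
    [ -z "$bad" ] && return 0
    echo "conflict:$bad"
    return 1
}

# Constructed sample files using the values quoted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
#%PAM-1.0
password required pam_pwcheck.so
password required pam_cracklib.so use_first_pass use_authtok retry=3 minlen=11
password required pam_unix2.so nullok use_first_pass use_authtok
EOF
echo 'Password: minlen=20 cracklib blowfish nullok' > "$demo_dir/generated.conf"
echo 'Password: blowfish nullok' > "$demo_dir/fixed.conf"

audit_pwcheck "$demo_dir/generated.conf" "$demo_dir/passwd" || echo "generated file needs fixing"
audit_pwcheck "$demo_dir/fixed.conf" "$demo_dir/passwd" && echo "fixed file is clean"
```

Run against the real /etc/security/pam_pwcheck.conf and /etc/pam.d/passwd from an AutoYaST post-install script, a non-zero return shows the generated file still needs the override.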
participants (2)
- Jiří Suchomel
- Justin Lim