Greetings,

I think I'm too stupid to figure this out, but I've never *had* to figure this out before. :-) I'm trying to up the password length greater than 8.

I checked the archives, which led me to /etc/login.defs concerning PASS_MAX_LEN:

    # Ignored if the "md5" option is given to the pam_pwcheck module.

No idea what that is. So then the archives led me to the configuration files in /etc/pam.d and then found the documentation in /usr/share/doc/packages/pam/modules. So..

    % egrep pam_pwcheck /etc/pam.d/*
    chfn:password required /lib/security/pam_pwcheck.so nullok
    chsh:password required /lib/security/pam_pwcheck.so nullok
    login:password required /lib/security/pam_pwcheck.so nullok use_cracklib
    other:password required /lib/security/pam_pwcheck.so use_cracklib
    passwd:password required /lib/security/pam_pwcheck.so nullok use_cracklib
    sshd:password required pam_pwcheck.so
    sshd.rpmsave:password required /lib/security/pam_pwcheck.so use_cracklib

From what I gather, I need to enable md5 for some or all of those. Which ones? And do I just add the string md5 after the rest of the `module-arguments'? All of them? Do I only need to add md5 to the pam_pwcheck module, or the others in each configuration file also?

The docs mention `bigcrypt'. Should I still use md5?

    % man -k bigcrypt
    bigcrypt: nothing appropriate.

I already have two or three users on the system other than root, so when this is set up correctly, should I just get the users to run passwd again to reset the longer-than-8-passwords?

Sorry if I sound silly, but I'm seriously confused. I can't believe this isn't enabled by default. :-\

Thanks,
-- 
-Brian Clark | PGP is spoken here: 0xE4D0C7C8
Please, DO NOT carbon copy me on list replies.
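A small audit of the two things this question turns on, as an added example that is not from any of the posts in this thread: which /etc/pam.d password stanzas still lack the md5 argument on pam_pwcheck (the egrep output quoted above is used as constructed input), and which shadow entries still carry a 13-character DES hash, which is the format that truncates passwords to 8 characters. The shadow records and hash values are constructed placeholders, and the check only covers pam_pwcheck lines; whether md5 belongs on other modules' lines too is what README.md5 answers.

```python
import re

# Constructed input: the egrep output quoted in the question above (sshd.rpmsave omitted).
PAM_LINES = """\
chfn:password required /lib/security/pam_pwcheck.so nullok
chsh:password required /lib/security/pam_pwcheck.so nullok
login:password required /lib/security/pam_pwcheck.so nullok use_cracklib
other:password required /lib/security/pam_pwcheck.so use_cracklib
passwd:password required /lib/security/pam_pwcheck.so nullok use_cracklib
sshd:password required pam_pwcheck.so
""".splitlines()
# Constructed /etc/shadow-style records; the hash fields are placeholders, not real hashes.
SHADOW_LINES = ["test1:$1$saltsalt$PLACEHOLDERmd5hashXXXXXXXXXX:11600:0:99999:7:::",
                "test2:AbCdEfGhIjKlM:11600:0:99999:7:::", "nobody:*:11600:0:99999:7:::"]

def split_stanza(line):
    """'file:type control module args...' -> (file, [type, control, module, args...])."""
    fname, _, stanza = line.partition(":")
    return fname, stanza.split()

def pwcheck_missing_md5(lines):
    """Files whose pam_pwcheck password stanza lacks the md5 module argument."""
    missing = []
    for line in lines:
        fname, fields = split_stanza(line)
        if len(fields) < 3 or fields[0] != "password":
            continue
        module = fields[2].rsplit("/", 1)[-1]  # drop the /lib/security/ prefix
        if module == "pam_pwcheck.so" and "md5" not in fields[3:]:
            missing.append(fname)
    return missing

def add_md5(line):
    """Return the line with 'md5' appended to the module arguments (idempotent)."""
    fname, fields = split_stanza(line)
    if "md5" not in fields[3:]:
        fields.append("md5")
    return fname + ":" + " ".join(fields)

def hash_kind(field):
    """13-char DES crypt keeps only the first 8 password characters; $1$ MD5 crypt uses all."""
    if field.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "locked" if field in ("", "*") or field.startswith("!") else "other"

def des_accounts(shadow_lines):
    """Users still on DES, i.e. whose passwords are silently truncated at 8 characters."""
    return [l.split(":")[0] for l in shadow_lines if hash_kind(l.split(":")[1]) == "des"]
```

Accounts reported by des_accounts keep their old truncated hash until the user runs passwd again, which is why the thread ends with re-setting the existing users' passwords.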
I think I'm too stupid to figure this out, but I've never *had* to figure this out before. :-) I'm trying to up the password length greater than 8.

Read /usr/share/doc/packages/pam/README.md5
hth Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.dhs.org X Against HTML Mail / \ Linux 2.4.12-grsec-1.8.2 * Now playing Live - V - 12 - Ok
Hi Markus, @ 3:35:57 AM on 10/20/2001, Markus Gaugusch wrote:
Read /usr/share/doc/packages/pam/README.md5
Should I be concerned about this? "Since MD5 encryption is not compatible with the standard Unix crypt() function, most commercial Unices and some programs don't work with MD5 passwords. So be careful, if you enable this feature." Have any of you experienced any problems with it? The machine is going to be a mail/www/ftp server, if that makes any difference. -- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
Unless you are NIS or reeeeeeeeeeeeeeally old programs that don't speak PAM
it's a non issue. Most vendors (i.e. redhat, etc) shit with md5 passwords as
the default.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
----- Original Message -----
From: "Brian Clark"
Hi Markus,
@ 3:35:57 AM on 10/20/2001, Markus Gaugusch wrote:
Read /usr/share/doc/packages/pam/README.md5
Should I be concerned about this?
"Since MD5 encryption is not compatible with the standard Unix crypt() function, most commercial Unices and some programs don't work with MD5 passwords. So be careful, if you enable this feature."
Have any of you experienced any problems with it?
The machine is going to be a mail/www/ftp server, if that makes any difference.
-- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi Kurt, @ 1:48:31 AM on 10/21/2001, Kurt Seifried wrote:
Unless you are NIS or reeeeeeeeeeeeeeally old programs that don't speak PAM it's a non issue. Most vendors (i.e. redhat, etc) shit ^^^ shi-Puh? ;-) with md5 passwords as the default.
Cool.. that's what I wanted to hear, great. 2.4.12 just booted and the password problem is answered so I guess today is my lucky day. You guys are great. Much thanks. -- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
* Kurt Seifried wrote on Sat, Oct 20, 2001 at 23:48 -0600:
Unless you are NIS
Did anybody have problems with NIS+MD5? At least in a "PAM-only" environment (i.e. SuSE>7.0 or so) NIS+MD5 should work, shouldn't it? I'm using this on a few hosts without problems. I would expect problems when having i.e. Solaris clients or so, but not when using linux PAM clients.

oki, Steffen
-- 
This letter was produced by machine and therefore bears neither signature nor seal.
On Wed, 24 Oct 2001 12:27:16 +0200
Steffen Dettmer
* Kurt Seifried wrote on Sat, Oct 20, 2001 at 23:48 -0600:
Unless you are NIS
Did anybody have problems with NIS+MD5? At least in a "PAM-only" environment (i.e. SuSE>7.0 or so) NIS+MD5 should work, shouldn't it? I'm using this on a few hosts without problems. I would expect problems when having i.e. Solaris clients or so, but not when using linux PAM clients.
I am still having problems with qpop+pam+md5 :-(
-- 
Have fun
Nix - nix@susesecurity.com http://www.susesecurity.com
* Peter Nixon wrote on Wed, Oct 24, 2001 at 13:28 +0300:
Steffen Dettmer
wrote: Did anybody have problems with NIS+MD5? At least in a "PAM-only"
I am still having problems with qpop+pam+md5 :-(
I use vmailmgr - I haven't tried it with MD5 (if it's supported at all)... Did you ask your question on a qpop related mailing list? Maybe there is just some "trick"? BTW, I would like it if you could post the solution in this list (nice to have the answers in the archives, too, not the questions only :)).

oki, Steffen
-- 
This letter was produced by machine and therefore bears neither signature nor seal.
On Sat, 20 Oct 2001 22:10:14 -0400
Brian Clark
Hi Markus,
@ 3:35:57 AM on 10/20/2001, Markus Gaugusch wrote:
Read /usr/share/doc/packages/pam/README.md5
Should I be concerned about this?
"Since MD5 encryption is not compatible with the standard Unix crypt() function, most commercial Unices and some programs don't work with MD5 passwords. So be careful, if you enable this feature."
Have any of you experienced any problems with it?
The machine is going to be a mail/www/ftp server, if that makes any difference.
-- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK POP3 [0.0.0.0] v2000.70 server ready
    user test1
    +OK User name accepted, password please
    pass password1
    -ERR Bad login
    quit
    +OK Sayonara
    Connection closed by foreign host.

    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK POP3 [0.0.0.0] v2000.70 server ready
    user test2
    +OK User name accepted, password please
    pass password2
    +OK Mailbox open, 0 messages
    list
    +OK Mailbox scan listing follows
    .
    quit
    +OK Sayonara
    Connection closed by foreign host.

    # rpm -qf /usr/sbin/ipop3d
    imap-2000c-44

User 1 has an md5 password, and user2 has a des password. Anyone at suse know why this is the case? This box is SuSE 7.2 minimum install + harden_suse + postfix + sasl + openssl + sslwrap + security patches

Does ipop3d not use pam??

I'm pretty sure I have used qpopper before plenty of times with md5 hashes... just about to test it again now..
-- 
Have fun
Nix - nix@susesecurity.com http://www.susesecurity.com
On Sun, 21 Oct 2001 19:20:20 +0300
Peter Nixon
On Sat, 20 Oct 2001 22:10:14 -0400 Brian Clark
wrote: Hi Markus,
@ 3:35:57 AM on 10/20/2001, Markus Gaugusch wrote:
Read /usr/share/doc/packages/pam/README.md5
Should I be concerned about this?
"Since MD5 encryption is not compatible with the standard Unix crypt() function, most commercial Unices and some programs don't work with MD5 passwords. So be careful, if you enable this feature."
Have any of you experienced any problems with it?
The machine is going to be a mail/www/ftp server, if that makes any difference.
-- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK POP3 [0.0.0.0] v2000.70 server ready
    user test1
    +OK User name accepted, password please
    pass password1
    -ERR Bad login
    quit
    +OK Sayonara
    Connection closed by foreign host.

    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK POP3 [0.0.0.0] v2000.70 server ready
    user test2
    +OK User name accepted, password please
    pass password2
    +OK Mailbox open, 0 messages
    list
    +OK Mailbox scan listing follows
    .
    quit
    +OK Sayonara
    Connection closed by foreign host.

    # rpm -qf /usr/sbin/ipop3d
    imap-2000c-44
User 1 has a md5 password, and user2 has a des password. Anyone at suse know why this is the case? This box is SuSE 7.2 minimum install + harden_suse + postfix + sasl + openssl + sslwrap + security patches
Does ipop3d not use pam??
I'm pretty sure I have used qpopper before plenty of times with md5 hashes... just about to test it again now..
As a followup, if I replace ipop3d with qpopper I get the following..

    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK ready <8917.1003650575@hidden.com>
    user test2
    +OK Password required for test2.
    pass password2
    +OK peter has 0 visible messages (0 hidden) in 0 octets.
    quit
    +OK Pop server at hidden.com signing off.
    Connection closed by foreign host.

    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK ready <8919.1003650587@hidden.com>
    user test1
    -ERR [AUTH] You must use stronger authentication such as AUTH SCRAM-MD5 or APOP to connect to this server
    quit
    +OK Pop server at hidden.com signing off.
    Connection closed by foreign host.

however on my notebook which is also SuSE 7.2 and running qpopper etc etc if I do the same thing with an md5 user I get

    # telnet 0 110
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    +OK ready <3919.1003682515@nix-notebook>
    user test
    +OK Password required for test.
    pass password
    +OK nix has 0 visible messages (0 hidden) in 0 octets.
    quit
    +OK Pop server at nix-notebook signing off.
    Connection closed by foreign host.

If I test ipop3d however, it fails as per the other machine.. Does anyone know why this would be? Both machines are:

    #rpm -q qpopper
    qpopper-3.1.2-48

There must be something else different.... pam libraries or something? Any suggestions appreciated...
-- 
Have fun
Nix - nix@susesecurity.com http://www.susesecurity.com
On Sat, 20 Oct 2001, Brian Clark wrote:
Hi Markus,
@ 3:35:57 AM on 10/20/2001, Markus Gaugusch wrote:
Read /usr/share/doc/packages/pam/README.md5
Should I be concerned about this?
"Since MD5 encryption is not compatible with the standard Unix crypt() function, most commercial Unices and some programs don't work with MD5 passwords. So be careful, if you enable this feature."
Have any of you experienced any problems with it?
The machine is going to be a mail/www/ftp server, if that makes any difference.
Basically this means that rlogin and friends won't work if you're crossing to a non-md5 passworded machine. But rlogin is not your friend in a secure installation anyway -- right? Bear
On Friday 19 October 2001 20:18, Brian Clark wrote:
Greetings,
I think I'm too stupid to figure this out, but I've never *had* to figure this out before. :-) I'm trying to up the password length greater than 8.
Hi, Try Yast2 - it's in there. Yast2 -> Security&Users -> Security Settings -> (select appropriate option) Then click on the "Details" button - you'll figure it out. John
Hi John, @ 1:13:39 PM on 10/20/2001, John Pinder wrote:
I think I'm too stupid to figure this out, but I've never *had* to figure this out before. :-) I'm trying to up the password length greater than 8.
Try Yast2 - it's in there. Yast2 -> Security&Users -> Security Settings -> (select appropriate option) Then click on the "Details" button - you'll figure it out.
I take it I can't do this remotely, even after having su'd to root? It tells me `You need to be logged in as root in order to do this.' Ugh, so I guess I'll be doing some driving tonight.. -- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
try "su -" before you start driving. Kurt
Hi Kurt, @ 8:15:40 PM on 10/20/2001, Kurt Seifried wrote:
try "su -" before you start driving.
Yep, :-) already been there. Same result. :-\ -- -Brian Clark | PGP is spoken here: 0xE4D0C7C8 Please, DO NOT carbon copy me on list replies.
On Saturday 20 October 2001 17:07, Brian Clark wrote:
Hi John, [snip] I take it I can't do this remotely, even after having su'd to root?
It tells me `You need to be logged in as root in order to do this.'
Ugh, so I guess I'll be doing some driving tonight.. [snip]
Hi Brian,

I think that you have already figured out how to do this, but since it may help someone else I thought I might point out that Yast2 will give you the "You must be logged in as root . . ." message when invoked over a network connection even if you are logged in as root. Select the module you want to launch, then just hit the "tab" key until the "launch module" selection is highlighted (bottom, left corner), and then press "Enter" - if you are logged in as root, the module should launch and you can then proceed to do what you need to do.

Also, if you find Yast2 to be a nuisance, yast (just plain yast) can provide *most* of the same functionality. Yast2 does not like to cooperate when you log in via ssh as a normal user, then su to root. Since many people disable root logins via ssh, using yast2 may be difficult over a network connection - but yast (not yast2) will work just fine. For example to use yast (not yast2), with the password length issue: yast -> system administration -> security settings -> configuration of /etc/login.defs will also allow you to apply the settings remotely.

I would have suggested yast (as opposed to yast2) if I had realized you needed to change the settings remotely (but since I didn't . . .)

John