I know the host that does the email. I know all the hosts that do not do it. They all run seccheck
START_SECCHK=yes in /etc/sysconfig/seccheck
They all have john installed, and when I run it, it does show the same usernames with the weak passwords. What I cannot figure out is why only this one system generates the emails. They either all should or none should. But this one system is the only one that does. I am stumped as to what is different.
JOHN is not used at all and, in fact, is not an rpm dependency for secchk. /usr/lib/secchk/checkneverlogin is the only file that contains the word 'weak', so I suppose the "bug" is there. This script does not use john but uses "lastlog", and an administrator is free not to have any lastlog file in /var/log at all, which means "last logged in" events are not recorded at all.

Or in short: the host where seccheck warns about weak passwords is OK; all the other hosts lack a /var/log/lastlog *OR* said users with "weak passwords" fulfill the following conditions:
(1) never changed their initial password AND
(2) never logged in on that particular machine.

Since you replicate the password database (/etc/shadow or others), a user may change his "weak" password into a good one without the host noticing. In other words, the script that checks for weak passwords
(1) ASSUMES that you have to log in ON THAT PARTICULAR MACHINE to change your password.
(2) ASSUMES that once you have logged in to that particular machine you are going to change your password - which is a wrong assumption. Password change is often not enforced on first login.

File a bug report for (2).
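To make the heuristic described in that reply concrete, here is an added illustration (not the seccheck checkneverlogin script itself, whose exact code is not reproduced here). It assumes lastlog(8) text output and /etc/shadow lines as input, flags users that have a usable password hash but no login record on this host, and reports the check as inconclusive when no lastlog data exists, which is the difference between the host that mails and the hosts that stay silent:

```python
"""Reconstruction of the 'has a password but never logged in here' check.
Added example, not the seccheck script; input formats are assumptions."""
from typing import Optional

# Constructed sample /etc/shadow lines, as replicated across all hosts.
SHADOW = """\
root:$6$abc:19000:0:99999:7:::
alice:$6$def:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
carol:$6$ghi:19000:0:99999:7:::
"""

# Constructed `lastlog` output as seen on the one host that sends mail.
LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Mon Jan  1 10:00:00 +0000 2024
alice            pts/0    10.0.0.5         Mon Jan  1 11:00:00 +0000 2024
bob                                        **Never logged in**
carol                                      **Never logged in**
"""

def parse_shadow(text: str) -> dict:
    """Map username -> password field from shadow-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            users[fields[0]] = fields[1]
    return users

def parse_lastlog(text: Optional[str]) -> Optional[set]:
    """Return the set of users with a recorded login, or None when lastlog
    is unavailable (an admin may have no /var/log/lastlog at all)."""
    if text is None:
        return None
    logged_in = set()
    for line in text.splitlines()[1:]:          # skip the header row
        if line.strip() and "**Never logged in**" not in line:
            logged_in.add(line.split()[0])
    return logged_in

def never_logged_in_with_password(shadow: str, lastlog: Optional[str]) -> Optional[list]:
    """Users whose hash is usable (not locked or empty) and who never logged
    in on this host. None means the check cannot be made, not 'all clear'."""
    logged_in = parse_lastlog(lastlog)
    if logged_in is None:
        return None
    locked = ("", "*", "!!")
    return sorted(u for u, h in parse_shadow(shadow).items()
                  if h not in locked and not h.startswith("!") and u not in logged_in)
```

A host without lastlog data returns None here, whereas the original check produces no warning at all, which is why only the host with a populated lastlog mails about "weak" passwords.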
I have been going through /etc/sysconfig and all the files are the same, with the exceptions of where they should be different because of system names.
Thanks,
-- Boyd Gerber
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047