On Mon, 6 Nov 2006, Jan Engelhardt wrote:
>> I know the host that does the email. I know all the hosts that do not do it. They all run seccheck:
>> START_SECCHK=yes in /etc/sysconfig/seccheck
>> They all have john installed, and when I run it, it does show the same usernames with the weak passwords. What I cannot figure out is why only this one system generates the emails. They either all should or all not. But this one system is the only one that does. I am stumped as to what is different.
>> The file that generates the email is in /usr/lib/secchk. It is security-weekly.sh. Which is what I wanted to know. So thanks.
> Since you replicate the password database (/etc/shadow or others), a user may change his "weak" password into a good one, without the host noticing.
> In other words, the script that checks for weak passwords
> (1) ASSUMES that you have to log in ON THAT PARTICULAR MACHINE to change your password.
> (2) ASSUMES that once you have logged in to that particular machine you are going to change your password - which is a wrong assumption. Password change is often not enforced on first login. File a bug report for (2).
The strange problem is that I ssh to the machine that sends me the email
daily. I do not use the KDE login. I have used it 3 times on this
machine. On one of the machines that does not send me an email I do log
on to it daily with ssh as well, but I do use the KDE login on it daily.
So I have my question answered. I wanted to know what program did it.
Now I just have to understand why one machine judges the exact same
password as OK on one machine but insecure on another. At least I now
know what I am looking for.
Thanks,
--
Boyd Gerber
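Jan's replication point, as an added example that is not part of the thread or of the seccheck package: when /etc/shadow is copied between hosts, a user who changes a weak password on one host leaves the old hash on every replica, so the weekly check passes on one machine and fails on the others. The script below parses shadow(5) lines collected from several hosts, reports every account whose hash is not identical everywhere, and uses the "last changed" field (days since the epoch, third field) to say which copy is current. Host names, day counts and shadow lines are constructed sample data, and the hash strings are placeholders rather than real crypt output.

```python
"""Compare /etc/shadow copies from several hosts to find stale replicas.

Added example, not code from the thread or from seccheck. The sample
SNAPSHOTS below are constructed: three hosts, one of which ("mailhost")
still carries the old hash for user "boyd" after the password was changed
elsewhere. Hash strings are placeholders, not real crypt(3) output.
"""
from collections import namedtuple

ShadowEntry = namedtuple("ShadowEntry", "name hash lastchg")

# Constructed sample data: day 13459 is roughly 6 Nov 2006.
SNAPSHOTS = {
    "mailhost": (
        "boyd:$6$s1$oldhash:13450:0:99999:7:::\n"
        "guest:$6$s2$weakhash:13400:0:99999:7:::\n"
        "root:$6$s3$roothash:13300:0:99999:7:::\n"
    ),
    "ws1": (
        "boyd:$6$s9$newhash:13459:0:99999:7:::\n"
        "guest:$6$s2$weakhash:13400:0:99999:7:::\n"
        "root:$6$s3$roothash:13300:0:99999:7:::\n"
    ),
    "ws2": (
        "boyd:$6$s9$newhash:13459:0:99999:7:::\n"
        "guest:$6$s2$weakhash:13400:0:99999:7:::\n"
        "root:$6$s3$roothash:13300:0:99999:7:::\n"
    ),
}


def parse_shadow(text):
    """Parse shadow(5) lines into {user: ShadowEntry}.

    Only the first three fields (name, hash, last-change day) are used.
    Locked or empty hashes are kept so callers can still report them.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed shadow line: {raw!r}")
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        entries[name] = ShadowEntry(name, pw_hash,
                                    int(lastchg) if lastchg else None)
    return entries


def is_locked(pw_hash):
    """True for accounts that cannot log in with a password at all."""
    return pw_hash == "" or pw_hash.startswith(("!", "*"))


def stale_replicas(snapshots):
    """Return [(user, newest_host, [stale_hosts])] for every account whose
    hash differs between hosts. The copy with the largest last-change day
    is taken as authoritative; every host with a different hash is stale."""
    parsed = {host: parse_shadow(text) for host, text in snapshots.items()}
    users = set().union(*(p.keys() for p in parsed.values()))
    report = []
    for user in sorted(users):
        present = {h: p[user] for h, p in parsed.items() if user in p}
        if len({e.hash for e in present.values()}) <= 1:
            continue  # identical everywhere (or only on one host)
        newest_host = max(present, key=lambda h: present[h].lastchg or -1)
        stale = sorted(h for h, e in present.items()
                       if e.hash != present[newest_host].hash)
        report.append((user, newest_host, stale))
    return report


if __name__ == "__main__":
    for user, newest, stale in stale_replicas(SNAPSHOTS):
        print(f"{user}: current on {newest}, stale on {', '.join(stale)}")
```

Run against real snapshots, the report names the hosts whose weekly check is still grading an old hash; the host that keeps mailing is simply the one that never received the changed password.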