Author: dj
Date: 2007-07-04 11:46:38 -0600 (Wed, 04 Jul 2007)
New Revision: 6834

Modified:
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/shadow.xml
Log:
Set pam_cracklib to defaults and added security note.

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml       2007-07-04 11:44:25 UTC 
(rev 6833)
+++ trunk/BOOK/introduction/welcome/changelog.xml       2007-07-04 17:46:38 UTC 
(rev 6834)
@@ -47,6 +47,10 @@
         <listitem>
           <para>[randy] - Updated to libxlst-1.1.21.</para>
         </listitem>
+        <listitem>
+          <para>[dj] - Modified Linux-PAM configuration to use cracklib
+          defaults.</para>
+        </listitem>
       </itemizedlist>
     </listitem>
 

Modified: trunk/BOOK/postlfs/security/shadow.xml
===================================================================
--- trunk/BOOK/postlfs/security/shadow.xml      2007-07-04 11:44:25 UTC (rev 
6833)
+++ trunk/BOOK/postlfs/security/shadow.xml      2007-07-04 17:46:38 UTC (rev 
6834)
@@ -358,9 +358,7 @@
 session     optional       pam_mail.so      dir=/var/mail standard
 session     optional       pam_lastlog.so
 session     required       pam_unix.so
-password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
-                                            dcredit=3 ocredit=3 \
-                                            ucredit=2 lcredit=2
+password    required       pam_cracklib.so  retry=3 
 password    required       pam_unix.so      md5 shadow use_authtok
 
 # End /etc/pam.d/login</literal>
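Review bot: The new `pam_cracklib.so  retry=3` line in the login stack relies on the module's compiled-in defaults, while the /etc/pam.d/passwd listing later in this commit writes the policy out explicitly with `retry=1`, so the two files can drift apart if a later Linux-PAM release changes a default. Either spell the same values out here, or add a comment above the line such as `# pam_cracklib defaults apply here; see pam_cracklib(8)`. If the different retry counts are intentional, say why in the surrounding text. The added line also ends in a trailing space, which the heredoc copies into /etc/pam.d/login. The `<screen>` block that encloses this listing starts outside the hunk.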
@@ -398,14 +396,23 @@
 <screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
 <literal># Begin /etc/pam.d/passwd
 
-password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
-                                            dcredit=3  ocredit=3 \
-                                            ucredit=2  lcredit=2
+password    required       pam_cracklib.so  type=Linux retry=1 \
+                                            difok=5 diffignore=23 minlen=9 \
+                                            dcredit=1 ucredit=1 lcredit=1 \
+                                            ocredit=1 \
+                                            dictpath=/lib/cracklib/pw_dict 
 password    required       pam_unix.so      md5 shadow use_authtok
 
 # End /etc/pam.d/passwd</literal>
 EOF</userinput></screen>
 
+        <note><para>In its default configuration, owing to credits,
+        pam_cracklib will allow multiple case passwords as short as 6
+        characters, even with the <parameter>minlen</parameter> value
+        set to 11.  You should review the pam_cracklib(8) man page and
+        determine if these default values are acceptable for the security
+        of your system.</para></note>
+
       </sect4>
 
       <sect4>
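Review bot: The added note cites a `minlen` value of 11, but the listing directly above it sets `minlen=9`, so a reader cannot tell which configuration the 6-character figure describes. Use the value from the listing and state how the shorter effective length arises, for example `because each of the four credit options is set to 1, a character from each class counts extra toward minlen`, after checking the wording against pam_cracklib(8) for the packaged version. "multiple case" would read more clearly as "mixed-case". The note sits only under the passwd listing, although the login listing changed in this commit appears to use the same defaults, so a cross-reference there would help. The `dictpath=/lib/cracklib/pw_dict` line ends in a trailing space.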
