Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
On Sun, Aug 07, 2005 at 10:46:56PM -0700, Jim Gifford wrote:
 The point is it's not needed, it's in BLFS where it belongs.

Yes, but this way it is known at the time when it would be most
convenient. I personally don't see it as being any different than
linking to a hint and it is a powerful tool to protect an admin from
luser's passwords (not that those same lusers won't just write it on a
sticky note, but I digress).

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs

-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page


Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
On Mon, Aug 08, 2005 at 12:54:34AM -0500, Randy McMurchy wrote:
 
 This would work. I would use [command] tags for the word 'sed' and
 I would for sure make the '-e ...' stuff in a [literal] tag so that
 it is all on one line though.

Hrmm, literal, eh? I used para, but I'll make a render with literal. I'm
guessing by the name of the tag, that parameter would not be used?



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
On Mon, Aug 08, 2005 at 12:57:56AM -0500, Randy McMurchy wrote:
 
 Exploiting weak passwords is the single most widely used method to
 gain access to a machine.

FWIW, the SANS Top 20 lists weak passwords as the 5th likeliest
vulnerability in Windows, and the 3rd likeliest in Linux. For Linux, #'s
1 and 2 are both server-specific and therefore not applicable to LFS.



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Jim Gifford

Randy McMurchy wrote:

 From a technical standpoint Jim, you are just simply wrong. Exploiting
 weak passwords is the single most widely used method to gain access to
 a machine.

What's needed is a way to enforce a password scheme: passwords greater
than 8 characters, which must contain alpha characters and numeric
characters, i.e. dinf3102.

Not something that checks a word file; I would go for a password scheme
enforcement solution for shadow or even a replacement of shadow altogether.


--
--
[EMAIL PROTECTED]
[EMAIL PROTECTED]

LFS User # 2577
Registered Linux User # 299986



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
On Mon, Aug 08, 2005 at 12:01:51AM -0600, Archaic wrote:
 
 Hrmm, literal, eh? I used para, but I'll make a render with literal. I'm
 guessing by the name of the tag, that parameter would not be used?

Literal, by itself, doesn't seem to influence line wrapping, but I do
prefer the font used with literal vs. parameter. Alas, short of someone
giving me an XML cluebat, I'll put the actual -e string inside its own
set of para tags. At this time, I will leave literal in there because
the font looks nicer (heh, I know, bad reason). ;)



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Randy McMurchy
Jim Gifford wrote these words on 08/08/05 01:17 CST:

 Not something that checks a word file, I would go for a password scheme 
 enforcement solution for shadow  or even a replacement of shadow altogether.

Well great, Jim. We are getting somewhere. You obviously agree that a
solution to provide better password security for LFS is a good thing.

Cracklib is a step in the right direction, and can be implemented
immediately. We can use it while you are researching the Shadow
replacement packages.

After you complete your research, and post your finding to this list,
we will all have a chance to review and comment on your suggestion.
Then, after a thorough discussion, we can determine if Shadow should
be replaced.

If replacing Shadow is not feasible, then please, submit alternative
suggestions for password enforcement schemes.

But to just blindly disagree with something we have at our disposal
*right now*, that works, is just being disagreeable for no reason.

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
01:22:00 up 128 days, 55 min, 5 users, load average: 0.06, 0.55, 0.71


Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
Okay, give a look:

http://www.linuxfromscratch.org/~archaic/lfs-trunk/chapter06/shadow.html



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Randy McMurchy
Archaic wrote these words on 08/08/05 01:25 CST:

 Literal, by itself, doesn't seem to influence line wrapping,

I suppose I shouldn't have made literal, so [literal] :-)

I was more thinking of things like [screen][userinput] type
tags that force stuff to be on one line and be 'literal' (as to
what is encapsulated).



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Randy McMurchy
Archaic wrote these words on 08/08/05 01:33 CST:
 Okay, give a look:

That looks good. The only thing is perhaps:

s/add/insert/ in the sentence. No telling how many folks will try
to add (append) the -e script to the command instead of inserting
where it belongs.



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Jim Gifford
The only solution right now is to add PAM with this module 
http://www.openwall.com/passwdqc.


So you will need to get support for adding PAM and cracklib to LFS, 
which I'm not sure the community will support.





Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
On Mon, Aug 08, 2005 at 01:32:32AM -0500, Randy McMurchy wrote:
 
 I was more thinking of things like [screen][userinput] type
 tags that force stuff to be on one line and be 'literal' (as to
 what is encapsulated).

Hrmm. Well if it is deemed to be more accurate using screen tags as
opposed to just para tags, that is easily fixed, but since we aren't
actually typing in the command as seen, but rather inserting it into
another command, I don't know if screen would be semantically correct,
either. I'll let Manuel or Matt decide.

For now, the 2nd note is there. I'm about to commit it so that at least
the instructions aren't broken (i.e. no mention of the extra sed) at the
next render.



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Randy McMurchy
Jim Gifford wrote these words on 08/08/05 01:40 CST:

 So you will need to get support for adding PAM and cracklib to LFS, 
 which I'm not sure the community will support.

It was about 50-50 running with the CrackLib idea, however, some of
the positives about CrackLib were adamant that PAM could *never* be
an LFS package.

I can't see PAM *ever* being LFS material.



Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Bruce Dubbs
Archaic wrote:

 I think PAM is evil. ;)

Smiley noted, but do you really think this?  In many cases it is
unnecessary, but it is really useful in others.  For instance, in a
distributed system it is the only way I know of to use LDAP centralized
passwords.

  -- Bruce




Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread M.Canales.es
On Monday, 8 August 2005 08:42, Archaic wrote:

 Hrmm. Well if it is deemed to be more accurate using screen tags as
 opposed to just para tags, that is easily fixed, but since we aren't
 actually typing in the command as seen, but rather inserting it into
 another command, I don't know if screen would be semantically correct,
 either. I'll let Manuel or Matt decide.

The use of [screen] is fine both for consistency of appearance and to
prevent unwanted line wrapping, not only in PDF output but also in
browsers whose window is narrower than the actual command.

About the child tag, [literal] is semantically correct because the sed
script must be typed literally, but it isn't a command on its own, so
[userinput] doesn't fit well here. Plus, using [literal] the font will be
normal instead of bold, making it more noticeable that this is an
optional step.

Committing that small fix now.


-- 
Manuel Canales Esparcia
LFS user no. 2886:   http://www.linuxfromscratch.org
LFS in Spanish: http://www.escomposlinux.org/lfs-es http://www.lfs-es.com
TLDP-ES:   http://es.tldp.org


Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Matthew Burgess

Randy McMurchy wrote:

 Hi all,

 Well, I must say I thoroughly enjoyed the debate about adding CrackLib
 to LFS. There was a bunch of ideas thrown around. It seemed healthy for
 the list.

Yep, I enjoyed it too.  I was supposed to post my summary over the
weekend, but Real Life got in the way as it seems to have a habit of
doing just lately.

 In the Shadow instructions, a little note at the beginning of the
 package instructions saying that if you would like the system
 configured to support strong passwords, install CrackLib and add
 --with-libcrack to the configure script.

That's what I was going to advocate doing, I think it was Justin that
originally suggested it.  I now see that Archaic went ahead and made the
necessary changes, with a bit of tweaking from Manuel.  Good work guys,
thanks to everyone for their input!


Regards,

Matt.


Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Jim Gifford

Randy,
Have you verified that the bug with cracklib that was posted in
BLFS from a long time back has been fixed? Here is what I remember of
the bug. I know this issue had to deal with PAM, but we had some
complaints about it not working without PAM; the cause was due to
cracklib being a shared library. Just curious.


http://archives.linuxfromscratch.org/mail-archives/blfs-support/2004-August/051475.html




Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Randy McMurchy
Jim Gifford wrote these words on 08/08/05 15:26 CST:

 Have you verified that the bug with cracklib that was posted in
 BLFS from a long time back has been fixed? Here is what I remember of
 the bug. I know this issue had to deal with PAM, but we had some
 complaints about it not working without PAM; the cause was due to
 cracklib being a shared library. Just curious.
 
 http://archives.linuxfromscratch.org/mail-archives/blfs-support/2004-August/051475.html

Yes. This bug has been fixed. And much of it was because apparently
someone from the LFS community sent in bug reports (I thought that
was you!) and the specific words we found that caused the issues
are now in the CrackLib test suite, which is run during the BLFS
installation.

To the best of my knowledge, this bug can no longer be reproduced,
with PAM, or without.


Re: Shadow/CrackLib - A compromise?

2005-08-08 Thread Archaic
On Mon, Aug 08, 2005 at 10:08:44AM -0500, Bruce Dubbs wrote:
 
 Smiley noted, but do you really think this?  In many cases it is
 unnecessary, but it is really useful in others.  For instance, in a
 distributed system it is the only way I know of to use LDAP centralized
 passwords.

Radius and LDAP work swimmingly. :)



Shadow/CrackLib - A compromise?

2005-08-07 Thread Randy McMurchy
Hi all,

Well, I must say I thoroughly enjoyed the debate about adding CrackLib
to LFS. There was a bunch of ideas thrown around. It seemed healthy for
the list.

Anyway, some of the folks who provided arguments why CrackLib should
not be added had very good ideas about LFS, goals, etc.

I tend to agree with those that said they didn't like the idea that
CrackLib be forced into the build. Hey, if you don't want it, don't
install it! There is merit in those words.

However, to me, it is negligent on our part to completely omit a
mention of CrackLib in LFS. That said, how about this for a compromise:

In the Shadow instructions, a little note at the beginning of the
package instructions saying that if you would like the system
configured to support strong passwords, install CrackLib and add
--with-libcrack to the configure script.

It could probably be done in one sentence, two max, with a link to
the BLFS CrackLib instructions. This informs folks that there is a
mechanism available by installing one simple package to enforce
strong passwords, and keeps the BLFS guys from having to modify the
BLFS Shadow instructions to include a way to re-install Shadow
without PAM and still have CrackLib available.

What say the group?



Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Bryan Kadzban
Randy McMurchy wrote:
 In the Shadow instructions, a little note at the beginning of the 
 package instructions saying that if you would like the system 
 configured to support strong passwords, install CrackLib and add 
 --with-libcrack to the configure script.
 
 It could probably be done in one sentence, two max, with a link to 
 the BLFS CrackLib instructions.

Maybe change support to either enforce or require (cracklib
doesn't actually change the way passwords are hashed or anything; it
just checks them against a dictionary).  But yeah, this sounds like a
good idea to me.

:-)




Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Justin R. Knierim

Randy McMurchy wrote:

 In the Shadow instructions, a little note at the beginning of the
 package instructions saying that if you would like the system
 configured to support strong passwords, install CrackLib and add
 --with-libcrack to the configure script.

+1

Justin


Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Archaic
On Sun, Aug 07, 2005 at 08:50:59PM -0500, Randy McMurchy wrote:
 
 It could probably be done in one sentence, two max, with a link to
 the BLFS CrackLib instructions.

How's this wording grab you?

http://www.linuxfromscratch.org/~archaic/lfs-trunk/chapter06/shadow.html



Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Randy McMurchy
Archaic wrote these words on 08/07/05 22:55 CST:

 How's this wording grab you?

I feel terrible. I have made a huge mistake. There is another
configuration that must be done for Shadow to use CrackLib. In the
command that creates the /etc/login.defs file, the following addition
to the existing sed command is necessary:

-e 's|CRACKLIB_DICTPATH\t/var/cache/cracklib/cracklib_dict|CRACKLIB_DICTPATH\t/lib/cracklib/pw_dict|'

I'm sorry about the late notice, however, I'm glad I went back and
looked at my build notes. Is there any way you can work this into
the instructions, without them becoming too difficult for folks to
understand?

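As an added example (not code from the LFS book or from anyone in this thread), the sh script below applies the extra sed script from the message above to a constructed login.defs fragment, reads back the resulting dictionary path, and checks whether a CrackLib dictionary is actually installed there. It assumes GNU sed (for \t in the regex and replacement) and that an installed CrackLib dictionary consists of .hwm, .pwd and .pwi files, which is general CrackLib knowledge rather than something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the LFS book or from anyone in this thread.
# Assumes GNU sed; the login.defs contents below are constructed.

# Constructed stand-in for the login.defs shipped with Shadow: one
# "KEY<tab>VALUE" per line, with the default dictionary path that the
# thread's extra sed script is meant to replace.
make_login_defs() {
    printf 'MAIL_DIR\t/var/spool/mail\n'
    printf 'CRACKLIB_DICTPATH\t/var/cache/cracklib/cracklib_dict\n'
    printf 'PASS_MAX_DAYS\t99999\n'
}

# The extra -e script from the thread, applied to stdin. The argument is
# single-quoted so the shell does not treat the '|' delimiters as pipes,
# and it is split with a backslash with no leading whitespace on the
# continuation line, as the thread suggests for the printed book.
set_cracklib_dict() {
    sed -e 's|CRACKLIB_DICTPATH\t/var/cache/cracklib/cracklib_dict|'\
'CRACKLIB_DICTPATH\t/lib/cracklib/pw_dict|'
}

# Print the CrackLib dictionary path configured in the login.defs read
# from stdin (empty output if the key is absent or commented out).
cracklib_dict_of() {
    awk -F'\t' '$1 == "CRACKLIB_DICTPATH" { print $2 }'
}

# Sanity check for the admin: the configured path is only useful if the
# three files a CrackLib dictionary consists of are installed there
# (assumption: PATH.hwm, PATH.pwd and PATH.pwi). Returns 0 if all exist.
cracklib_dict_installed() {
    for ext in hwm pwd pwi; do
        [ -f "$1.$ext" ] || return 1
    done
    return 0
}

# Demonstration when run directly: show the rewritten file, then check
# whether the dictionary it now points at is present on this machine.
make_login_defs | set_cracklib_dict
dict=$(make_login_defs | set_cracklib_dict | cracklib_dict_of)
if cracklib_dict_installed "$dict"; then
    echo "CrackLib dictionary found at $dict"
else
    echo "warning: no CrackLib dictionary at $dict (is CrackLib installed?)"
fi
```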


Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Randy McMurchy
Archaic wrote these words on 08/07/05 23:51 CST:

 I'm wondering if perhaps another note just prior to the original sed
 would be apropos, or if it should all be placed in the main note. The
 latter seems rather disconnected to me.

I'm thinking it would be best inside the beginning note. 2 reasons.

1) The disconnection you mention
2) The command is long. It prolly won't fit on a PDF page so it needs
to be split with a backslash and then *no* spaces before the rest of
the command. This would look much better inside the note box than if
it were just on the page not inside a box.

A short sentence after what you already have, saying that the following
additional script is necessary for the command below that creates the
/etc/login.defs file. Please reword, but you know what I'm driving at.
(sed considers any -e data to be a script; phrase it as you feel
necessary.)



Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Randy McMurchy
Randy McMurchy wrote these words on 08/07/05 23:55 CST:

 I'm thinking it would be best inside the beginning note. 2 reasons.
 
 1) The disconnection you mention
 2) The command is long. It prolly won't fit on a PDF page so it needs
 to be split with a backslash and then *no* spaces before the rest of
 the command. This would look much better inside the note box than if
 it were just on the page not inside a box.

Sorry for the confusion. I am tired and not thinking well this
evening. Of course, the disconnection you mentioned means we need the
command before the sed later in the instructions when /etc/login.defs
is created.

Perhaps a note there as well?

It does now make the instructions rather disjointed though, with
two different notes about CrackLib in there. Opinions from others
are welcome.



Re: Shadow/CrackLib - A compromise?

2005-08-07 Thread Randy McMurchy
Archaic wrote these words on 08/08/05 00:44 CST:

 As soon as the render is done, you can find the 2 notes example here:
 
 http://www.linuxfromscratch.org/~archaic/lfs-trunk/chapter06/shadow.html

This would work. I would use [command] tags for the word 'sed' and
I would for sure make the '-e ...' stuff in a [literal] tag so that
it is all on one line though.
