jcmc2000 n00b
Joined: 19 Apr 2002 Posts: 25 Location: Reston, Virginia
Posted: Wed Apr 23, 2003 6:20 pm Post subject: pam cracklib not working right
I have been following the Gentoo security document to lock down a Gentoo box. The problem I am running into is that cracklib isn't working the way the PAM docs claim it will. When I go in as a regular user and do a password change, it lets me use 5 or 6 character passwords even though minlen is set to 8. It does detect when I reverse the old password; however, it will let me change the password to old passwords all day.
The config appears to be correct, the module is seen in /lib/security, and to make it more fun the debug option isn't working either. I am emerging pam and cracklib again to see what that produces.
Here is the /etc/pam.d/password config:
Code:
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so difok=4 retry=3 minlen=8 dcredit=2 ocredit=2 ucredit=1
password required /lib/security/pam_pwdb.so md5 use_authtok nullok
session required /lib/security/pam_pwdb.so
Let me know if there is anything else needed to help me track down this problem.
thanks,
jason
jcmc2000 n00b
Joined: 19 Apr 2002 Posts: 25 Location: Reston, Virginia
Posted: Wed Apr 23, 2003 8:47 pm Post subject:
For those interested, I was incorrect about it accepting 5-6 character passwords; this was just me not understanding the manual on the first 3 reads. The 4th read was the magic one for me where it made sense. So this works 99%; the problem that is happening:
it still lets me reuse old passwords. The module manual says that old passwords are stored in /etc/security/opasswd. This file was never created, so I touched it; still not working. So if anyone knows of a way to get this portion working, let me know.
thanks,
jason
jcmc2000 n00b
Joined: 19 Apr 2002 Posts: 25 Location: Reston, Virginia
Posted: Wed Apr 23, 2003 9:08 pm Post subject:
OK, finally got it working. With a little searching I found a post that says to do:
Code:
touch /etc/security/opasswd
The piece that made this work is that pam_pwdb.so does not seem to support this password remembering feature; you must use pam_unix.so and then give it the option remember=N, where N is the number of passwords to remember.
So here is the updated working config file:
Code:
auth required /lib/security/pam_pwdb.so shadow md5 nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so debug difok=4 retry=3 minlen=8 dcredit=-2 ocredit=2 ucredit=1
password required /lib/security/pam_unix.so remember=3 md5 use_authtok nullok
session required /lib/security/pam_pwdb.so
enjoy
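As an added example (not code from the thread or from Gentoo), here is a small Python audit of a PAM password stack that catches exactly the gap jason hit: password history is only enforced when pam_unix.so carries remember=N, and a stack built on pam_pwdb.so silently lacks it. The two sample stacks are constructed copies of the first and final configs posted above.

```python
# Constructed inputs: the thread's first (broken) and final (working) stacks.
BROKEN_STACK = """\
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so difok=4 retry=3 minlen=8 dcredit=2 ocredit=2 ucredit=1
password required /lib/security/pam_pwdb.so md5 use_authtok nullok
session required /lib/security/pam_pwdb.so
"""

WORKING_STACK = """\
auth required /lib/security/pam_pwdb.so shadow md5 nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so debug difok=4 retry=3 minlen=8 dcredit=-2 ocredit=2 ucredit=1
password required /lib/security/pam_unix.so remember=3 md5 use_authtok nullok
session required /lib/security/pam_pwdb.so
"""


def parse_pam(text):
    """Yield (type, control, module, {arg: value}) for each config line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) < 3:
            continue
        module = fields[2].rsplit("/", 1)[-1]  # keep only pam_xxx.so
        args = dict(tok.partition("=")[::2] for tok in fields[3:])
        yield fields[0], fields[1], module, args


def audit_password_stack(text, min_len=8):
    """Return findings for the 'password' stack; an empty list means it passes."""
    findings = []
    pw = [e for e in parse_pam(text) if e[0] == "password"]
    cracklib = [e for e in pw if e[2] == "pam_cracklib.so"]
    if not cracklib:
        findings.append("no pam_cracklib.so in password stack")
    elif int(cracklib[0][3].get("minlen") or 0) < min_len:
        findings.append(f"pam_cracklib minlen below {min_len}")
    # Reuse of old passwords is blocked only by pam_unix remember=N;
    # the thread found that pam_pwdb does not honour that option.
    unix = [e for e in pw if e[2] == "pam_unix.so"]
    if not unix:
        findings.append("no pam_unix.so in password stack: remember=N unavailable")
    elif not unix[0][3].get("remember", "").isdigit():
        findings.append("pam_unix.so lacks remember=N: old passwords can be reused")
    for e in pw:
        if e[2] == "pam_pwdb.so" and "remember" in e[3]:
            findings.append("remember= on pam_pwdb.so has no effect")
    return findings
```

Run audit_password_stack on the text of /etc/pam.d/passwd (or whichever file the password stack lives in on your box) to confirm the history option is on the module that honours it.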
akbarstatx n00b
Joined: 14 Oct 2002 Posts: 67 Location: Minneapolis, MN
Posted: Tue Apr 25, 2006 4:59 am Post subject:
Thanks, you just saved a whole lot of time and grief setting this up. I have a security auditor coming in tomorrow and he will be looking for this kind of setup. The last time I tried I could make it work. This does though, thanks.