Some remaining issues exist, such as the prose not being
quite good yet, and I believe we will also break apart the
OVAL check for minimum length to separately cover the
settings in login.defs and pam_cracklib. But not today.
I'm assuming this is one example of prose that needs
resolution:
<pre>PASS_MIN_LEN=12
<!-- <sub idref="var_password_min_len"> --></pre>
TODO: More research needed to understand exact
interaction: when precisely is this file consulted?
From reading the login.defs and crypt() man-pages, it
appears that PASS_MIN_LEN is used by crypt() in a
pretty convoluted fashion.
I'm not sure if ENCRYPT_METHOD affects the
functionality, but for the default (DES), it seems that
PASS_MIN_LEN needs to be at least 8 characters
for the encryption to be effective (crypt takes the
lowest 7 bits of the first 8 characters of the password).
For the more applicable MD5 and SHA configurations,
the entire key is used, so maybe PASS_MIN_LEN
needs to be different for different ENCRYPT_METHOD
values? The crypt() man-page says that MD5 encryption
uses all 22 bytes of the key, SHA-256 uses 43, and SHA-512
uses 86.
--Mike
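
An added example, not part of the original message or of the project's OVAL content: one way to evaluate the minimum-length setting separately for login.defs and pam_cracklib, as the thread proposes. The function names and sample file contents are constructed for illustration; the threshold of 12 comes from the guide snippet quoted above, and a single active entry per setting is assumed.

```python
import re

REQUIRED_MIN_LEN = 12  # value from the guide snippet quoted in the thread

# Constructed sample file contents (not taken from a real system).
LOGIN_DEFS = """\
PASS_MAX_DAYS   60
#PASS_MIN_LEN   14
PASS_MIN_LEN    8
ENCRYPT_METHOD  SHA512
"""
PAM_SYSTEM_AUTH = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""

def active_fields(text):
    """Yield whitespace-split fields of each line, ignoring comments and blanks."""
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if fields:
            yield fields

def login_defs_value(text, key):
    """Return the first active value of `key` in login.defs text, or None."""
    for fields in active_fields(text):
        if fields[0] == key and len(fields) >= 2:
            return fields[1]
    return None

def cracklib_minlen(text):
    """Return minlen from the first active pam_cracklib password line, or None."""
    for fields in active_fields(text):
        if fields[0] == 'password' and any(f.endswith('pam_cracklib.so') for f in fields):
            for opt in fields:
                m = re.fullmatch(r'minlen=(\d+)', opt)
                if m:
                    return int(m.group(1))
    return None

def check_min_length(login_defs, pam_conf, required=REQUIRED_MIN_LEN):
    """Evaluate the two settings separately so one cannot mask the other."""
    raw = login_defs_value(login_defs, 'PASS_MIN_LEN')
    defs_len = int(raw) if raw and raw.isdigit() else None
    pam_len = cracklib_minlen(pam_conf)
    return {'login_defs': defs_len is not None and defs_len >= required,
            'pam_cracklib': pam_len is not None and pam_len >= required}

if __name__ == '__main__':
    print(check_min_length(LOGIN_DEFS, PAM_SYSTEM_AUTH))
```

With the sample data the login.defs check fails while the pam_cracklib check passes, which is the case a combined check would hide.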