Can anyone provide guidance concerning how to integrate the pam_passwdqc module with FC1 or FC2 ? I'll admit to not being a PAM expert, but I have RTFM, but still no luck. Some details:
1) pam_passwdqc can be found here: http://www.openwall.com/passwdqc/ I downloaded and installed the module - things went cleanly and the module was installed in /lib/security/pam_passwdqc.so
2) I tried modifying /etc/pam.d/system-auth to look like this (I know there is a warning about file autogeneration, but frankly, the /etc/pam.d/passwd file seems to direct all real action to this file - should I just modify the /etc/pam.d/passwd file instead??)
OLD:
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

NEW:
#password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password required /lib/security/$ISA/pam_passwdqc.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
password required /lib/security/$ISA/pam_deny.so
Please ignore possible line-wrap on "md5 shadow" lines above.
The above fails with:
[testuser@sloth testuser]$ passwd
Changing password for user testuser.
passwd: Authentication token manipulation error
Here is my goal. Maybe I can reach it another way entirely: I'm trying to see if I can't make FCx automatically compliant with a new Army regulation (AR25-2) which provides specific password guidance, including the number of required characters from each character set (lower case, upper-case, numbers, punctuation), password length, etc. The regulation can be found here (see section 4-12: Password control):
XML: http://docs.usapa.belvoir.army.mil/jw2/xmldemo/r25_2/cover.asp
PDF: http://www.usapa.army.mil/pdffiles/r25_2.pdf
In a nutshell, the relevant parts are:
e. Generate passwords as follows —
(1) The minimum requirement is a 10-character case-sensitive password. Passwords or phrases longer than 10 characters are recommended when supported by the IS. Password expiration will be not more than 150 days.
(2) The password will be a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each of the four types of characters (for example, x$TloTBn2!) and can be user generated.
(3) Enforce password policy through implementation or enhancement of native security mechanisms.
(4) Passwords will not include such references as social security numbers (SSNs), birthdays, USERIDs, names, slang, military acronyms, call signs, dictionary words, consecutive or repetitive characters, system identification, or names; neither will they be easy to guess (for example, mypassword, abcde12345).
(5) Password history configurations will prevent reutilization of the last 10 passwords when technically possible.
Any help you can offer would be appreciated.
Finally, would FC consider adding this module? I think a few distros have done this. Having an out-of-box AR25-2 compliant system would be pretty great from the Army's point of view!
Thanks! Bill
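
Added example, not part of the original post and not passwdqc or PAM code: a small Python checker for the mechanically testable parts of the quoted rules (1), (2), (4) and (5). The function names, the run length of 3 for "consecutive or repetitive characters", and the plaintext history list are assumptions made for illustration.

```python
import string

MIN_LENGTH = 10      # rule (1): at least 10 characters
MIN_PER_CLASS = 2    # rule (2): at least two of each of the four types
MAX_RUN = 3          # assumption: 3+ adjacent repeated/sequential chars is a "run"
HISTORY_DEPTH = 10   # rule (5): last 10 passwords may not be reused

CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}

def has_run(password, length=MAX_RUN):
    """True if `length` adjacent characters repeat (aaa) or step by one (abc, 321)."""
    for i in range(len(password) - length + 1):
        window = [ord(c) for c in password[i:i + length]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(password, userid="", history=()):
    """Return the list of violated rules; an empty list means the candidate passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    for name, chars in CLASSES.items():
        if sum(c in chars for c in password) < MIN_PER_CLASS:
            problems.append(name)
    if has_run(password):
        problems.append("run")
    if userid and userid.lower() in password.lower():
        problems.append("userid")
    # Simplification: history is plaintext here; a real system compares hashes.
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append("history")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs, plus the strings quoted in the regulation text.
    for candidate in ("x$TloTBn2!", "mypassword", "abcde12345", "Tq7$wL9!zRk#"):
        print(candidate, check_password(candidate, userid="testuser"))
```

Run against the regulation's own sample, x$TloTBn2!, the checker reports "digit", since that string contains only one number.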
On Thu, 3 Jun 2004 09:09, William Brower wbrower@ll.mit.edu wrote:
> Can anyone provide guidance concerning how to integrate the pam_passwdqc module with FC1 or FC2 ? I'll admit to not being a PAM expert, but I have RTFM, but still no luck. Some details:
> - pam_passwdqc can be found here: http://www.openwall.com/passwdqc/
> I downloaded and installed the module - things went cleanly and the module was installed in /lib/security/pam_passwdqc.so

Why do you believe that this is a SE Linux issue? Are you getting any AVC messages when you try to change a password?
selinux@lists.fedoraproject.org