r6834 - in trunk/BOOK: introduction/welcome postlfs/security

dj at linuxfromscratch.org dj at linuxfromscratch.org
Wed Jul 4 10:46:39 PDT 2007


Author: dj
Date: 2007-07-04 11:46:38 -0600 (Wed, 04 Jul 2007)
New Revision: 6834

Modified:
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/shadow.xml
Log:
Set pam_cracklib to defaults and added security note.

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2007-07-04 11:44:25 UTC (rev 6833)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2007-07-04 17:46:38 UTC (rev 6834)
@@ -47,6 +47,10 @@
         <listitem>
           <para>[randy] - Updated to libxlst-1.1.21.</para>
         </listitem>
+        <listitem>
+          <para>[dj] - Modified Linux-PAM configuration to use cracklib
+          defaults.</para>
+        </listitem>
       </itemizedlist>
     </listitem>
 

Modified: trunk/BOOK/postlfs/security/shadow.xml
===================================================================
--- trunk/BOOK/postlfs/security/shadow.xml	2007-07-04 11:44:25 UTC (rev 6833)
+++ trunk/BOOK/postlfs/security/shadow.xml	2007-07-04 17:46:38 UTC (rev 6834)
@@ -358,9 +358,7 @@
 session     optional       pam_mail.so      dir=/var/mail standard
 session     optional       pam_lastlog.so
 session     required       pam_unix.so
-password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
-                                            dcredit=3 ocredit=3 \
-                                            ucredit=2 lcredit=2
+password    required       pam_cracklib.so  retry=3 
 password    required       pam_unix.so      md5 shadow use_authtok
 
 # End /etc/pam.d/login</literal>
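Review bot: The `/etc/pam.d/login` password stack now drops every pam_cracklib option while the `/etc/pam.d/passwd` stack in the next hunk keeps them explicit and additionally pins `dictpath=/lib/cracklib/pw_dict`, so the two stacks no longer apply the same policy: login falls back to whatever dictionary path pam_cracklib was compiled with, and its `retry=3` differs from the `retry=1` used for passwd. If the compiled-in path and the pinned one disagree, the two entry points would presumably check against different dictionaries, which is hard for an administrator to notice; either stack should state the same options, e.g. `password    required       pam_cracklib.so  retry=3 dictpath=/lib/cracklib/pw_dict`, or the text should say why login is deliberately looser. The new line also carries a trailing space after `retry=3`, as does the `dictpath=` line in the next hunk; since these lines are written verbatim into the config file by the heredoc, the whitespace should be trimmed.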
@@ -398,14 +396,23 @@
 <screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
 <literal># Begin /etc/pam.d/passwd
 
-password    required       pam_cracklib.so  retry=3 difok=8 minlen=5 \
-                                            dcredit=3  ocredit=3 \
-                                            ucredit=2  lcredit=2
+password    required       pam_cracklib.so  type=Linux retry=1 \
+                                            difok=5 diffignore=23 minlen=9 \
+                                            dcredit=1 ucredit=1 lcredit=1 \
+                                            ocredit=1 \
+                                            dictpath=/lib/cracklib/pw_dict 
 password    required       pam_unix.so      md5 shadow use_authtok
 
 # End /etc/pam.d/passwd</literal>
 EOF</userinput></screen>
 
+        <note><para>In its default configuration, owing to credits,
+        pam_cracklib will allow multiple case passwords as short as 6
+        characters, even with the <parameter>minlen</parameter> value
+        set to 11.  You should review the pam_cracklib(8) man page and
+        determine if these default values are acceptable for the security
+        of your system.</para></note>
+
       </sect4>
 
       <sect4>
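Review bot: The added note's example (passwords "as short as 6 characters, even with minlen set to 11") does not correspond to the configuration the same hunk installs (`minlen=9` with `dcredit=1 ucredit=1 lcredit=1 ocredit=1`), so a reader cannot tell what the effective minimum length is for the stack they are actually told to create. The note would be more useful if it stated the consequence for the shown values, along the lines of "with the four credits above, a password using all four character classes can be accepted below the nominal minlen", and pointed to the credit parameters as the knobs to tighten; if the installed pam_cracklib supports negative credit values, mentioning that they turn a credit into a required minimum for that class would give administrators a concrete hardening option. The man page reference pam_cracklib(8) is the right pointer, but the numbers quoted should either match the hunk or be clearly labelled as a separate illustration.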



