Where might I find docs on howto configure user account passwords to support a format of x number of digits, x number of symbols, with length x, etc...?
Replies to Ender's message (ender@gmail.com)
On Thu, 9 Aug 2007 22:12:08 -0500, Ender wrote:
> Where might I find docs on howto configure user account passwords to
> support a format of x number of digits, x number of symbols, with
> length x, etc...?

libpam-doc, specifically the cracklib module.
-- The University of California Statistics Department; where mean is normal, and deviation standard.
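Added example, not part of the thread or of the PAM documentation: a simplified Python model of how pam_cracklib's `minlen` and `*credit` options combine, where a negative credit is a required count and a non-negative one reduces the length still required. The two policies and the sample passwords are constructed, and the module's dictionary and similarity checks are not modelled.

```python
import string

# Constructed policy for the question's "x digits, x symbols, length x":
# at least 2 digits, at least 1 symbol, length 10, no credit for letters.
# As a PAM password line this would read (file location varies by distro):
#   password required pam_cracklib.so retry=3 minlen=10 dcredit=-2 ocredit=-1 ucredit=0 lcredit=0
STRICT = {"minlen": 10, "dcredit": -2, "ocredit": -1, "ucredit": 0, "lcredit": 0}
# Constructed contrast: positive credits of 1 per class shorten the required length.
CREDITED = {"minlen": 10, "dcredit": 1, "ocredit": 1, "ucredit": 1, "lcredit": 1}


def count_classes(password):
    """Count characters per class, keyed by the option that governs the class."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check(password, policy):
    """Return (accepted, reason) under the modelled minlen/credit rule."""
    needed = policy["minlen"]
    for opt, seen in count_classes(password).items():
        credit = policy[opt]
        if credit < 0:
            # Negative value: a hard minimum count for that class.
            if seen < -credit:
                return False, f"{opt}: need {-credit}, found {seen}"
        else:
            # Non-negative value: each such character, up to the cap,
            # lowers the length still required.
            needed -= min(seen, credit)
    if len(password) < needed:
        return False, f"length {len(password)} < required {needed}"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("correcthorse", "horse42ab!", "h42!", "Abcdef1!"):
        print(pw, check(pw, STRICT), check(pw, CREDITED))
```

Under the credited policy an 8-character password passes a `minlen` of 10, which is why a fixed "x digits, x symbols" rule needs the negative form.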
On 12 Aug, 06:05, Bill Marcum wrote:
> On Thu, 9 Aug 2007 22:12:08 -0500, Ender wrote:
> > Where might I find docs on howto configure user account passwords to
> > support a format of x number of digits, x number of symbols, with
> > length x, etc...?
> libpam-doc, specifically the cracklib module.

The location of the documentation depends on your Linux distribution. libpam-doc seems to be a Debian-ism. Under RedHat, it's in /usr/share/docs, or for tools whose authors wrote man pages, it's in the man pages. For tools whose authors use the standard texinfo format, it's in /usr/share/info. Etc., etc., etc.
Debian does seem to be good about having such documentation in a separate package with a sensible name.
Many distributions also have a system configuration tool specific to their distribution to manipulate such system settings, some good, some awful. And configuring additional shared password structures, like Kerberos and LDAP and Winbind, means those systems have their *own* configuration settings.
Perhaps you could share a few more details about your setup? Your OS, and whether you need Kerberos or LDAP or Winbind or NIS?
> Perhaps you could share a few more details about your setup? Your OS,
> and whether you need Kerberos or LDAP or Winbind or NIS?

Well, my systems are gentoo, and I've had problems with cracklib in the past, couldn't change passwords (don't remember the error, but wouldn't be too hard to dig it back up), so I've had to revert back to pam. And I'd like to get LDAP going (learn it first) so that my users can run the same account passwd's across all our machines.
>> Perhaps you could share a few more details about your setup? Your OS,
>> and whether you need Kerberos or LDAP or Winbind or NIS?
> Well, my systems are gentoo, and I've had problems with cracklib in the
> past, couldn't change passwords (don't remember the error, but wouldn't
> be too hard to dig it back up), so I've had to revert back to pam. And
> I'd like to get LDAP going (learn it first) so that my users can run
> the same account passwd's across all our machines.
If you just want to have common passwords, kerberos is a better option IMO. Although it looks like a black art, it is actually not that hard to configure a server. It also has the reputation of being extremely secure.
Many linux distributions have the required packages, including pam_krb5.
This assumes that you have another way to update the basic account information (eg NIS, LDAP or scripts to manage /etc/passwd and /etc/group).
The *big* improvement with kerberos is the way that root logins are handled.
Everyone who needs root access has to log in as themselves (in the normal model, you can subvert this with PAM trickery), then ksu to root using their own root principal password. Secondly, they also have to be listed in /root/.k5login which gives a wonderful level of control about who logs in where and avoids having to have the big book of root passwords.
If that sounds appealing, I'll see if I can dig out a suitable HOWTO.