Re: logging password changes
On Mon, Apr 03, 2000 at 08:35:13PM +0000, Jim Breton wrote:
> On Mon, Apr 03, 2000 at 01:31:34PM -0400, Ben Collins wrote:
> > Install libpam-doc, which is more up-to-date and probably more complete
> > than the above address. Adding session to the passwd pam.d file doesn't
> > seem like the right solution. The PAM library itself should log when the
> > authentication tokens are updated or changed.
> OK I looked at the stuff in libpam-doc but it turns out to be the same
> date as the documents on the URL I mentioned.
> I did mess with this some more and I got it to work the way I want by
> substituting the pam_pwdb module:
>     password required pam_cracklib.so retry=3 minlen=6 difok=4
>     password required pam_pwdb.so use_authtok md5
> Is there any chance of making this the default (assuming I didn't just
> open up any gaping security holes)? I notice that pam_pwdb is part of a
> different package which may make this difficult.
> Or, maybe better syslog support can be added to the pam_unix module?
The latter would be the better choice. PWDB is not used by default in
Debian because of its complexities, lack of conforming to standards, and
generally because it is not very good.
I've filed this as a bug against libpam-modules so that it can be fixed
for potato before release.
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` email@example.com -- firstname.lastname@example.org -- email@example.com '