
PAM Re: New ssh?



Wichert Akkerman <wichert@cs.leidenuniv.nl> writes:

> Previously Martin Schulze wrote:
> > Can somebody explain to me why ssh depends on libpam-cracklib
> > depends on cracklib2 depends on cracklib-runtime?  I didn't plan
> > to install cracklib on that machine but I would like to make the
> > people use ssh instead of other protocols.

> The new ssh package uses PAM to change expired passwords, looking
> at the patch, and it kind of makes sense to use a module that
> encourages using safe passwords.

This can be tweaked in /etc/pam.d/ssh.  Turning on cracklib by
default forces people to install all of the cracklib stuff, even if
they later decide to disable it.  Maybe the cracklib line should be
commented out by default and the dependency removed from the package?

This should probably be discussed.

Also, have we decided whether to go with the pwdb modules or the
auth_unix by default?  (pwdb requires yet another configuration file
be changed before nis starts working again, and I'm not sure if it
does "compat" or not.  Do both pwdb and the *_unix modules handle
shadow correctly?)

We really should move on PAM sometime soon; if it were official that
PAM support is being used in the next release, we could start filing
bug reports against packages that don't use PAM.  (Last I checked,
login, passwd, xdm, ftpd, telnetd, rshd, and rlogind needed patches.)


Steve
dunham@cse.msu.edu

