[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: enforcing strong passwords

also sprach Phillip Hofmeister <plhofmei@svsu.edu> [2002.01.18.1951 +0100]:
> I am not quite sure why you would want root's attempts to fail.  root
> (I assume you) should know a good password from a bad one when you set
> it.  The system will generally warn you that the passwd that you are
> setting is lousy but will let you set it if you insist (Just the way
> it should be).  When I am logged in as root I don't want my system
> second guessing anything I do (even if that thing is rm -rf /).

a valid thought, and no, i don't want to prevent the change in regular
mode, but the program i am working on is not run by root. it is UID
root, so it is capable, but it actually is used by a user.

anyway, i am reworking my strategy, also in terms of security issues.
i'll get the current user credentials from the user, then drop root
privileges and become that user, then authenticate to check the current
credentials, and then communicate with PAM as that user to change the
password. (this is a rewrite of poppassd, with security in mind...).

do you know an answer to this though:

> libpam-cracklib is nice, but how do i get PAM to enforce at least one
> upper case letter, and at least on of {symbol,digit}?

and are there *good* mailing lists for linux system programming, and PAM?
i want one of a standard like debian-security, not a 30000 subscriber
list with more morons than the german and us government combined.

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
"i believe that the moment is near when by a procedure
 of active paranoiac thought, it will be possible
 to systematize confusion and contribute to
 the total discrediting of the world of reality."
                                                      -- salvador dali

Attachment: pgpU1PNus2p1N.pgp
Description: PGP signature

Reply to: