
Re: enforcing strong passwords



thus spoke Phillip Hofmeister <plhofmei@svsu.edu> [2002.01.18.1951 +0100]:
> I am not quite sure why you would want root's attempts to fail.  root
> (I assume you) should know a good password from a bad one when you set
> it.  The system will generally warn you that the passwd that you are
> setting is lousy but will let you set it if you insist (Just the way
> it should be).  When I am logged in as root I don't want my system
> second guessing anything I do (even if that thing is rm -rf /).

a valid thought, and no, i don't want to prevent the change in regular
mode, but the program i am working on is not run by root. it is UID
root, so it is capable, but it actually is used by a user.

anyway, i am reworking my strategy, also in terms of security issues.
i'll get the current user credentials from the user, then drop root
privileges and become that user, then authenticate to check the current
credentials, and then communicate with PAM as that user to change the
password. (this is a rewrite of poppassd, with security in mind...).

do you know an answer to this though:

> libpam-cracklib is nice, but how do i get PAM to enforce at least one
> upper case letter, and at least one of {symbol,digit}?

and are there *good* mailing lists for linux system programming, and PAM?
i want one of a standard like debian-security, not a 30000 subscriber
list with more morons than the german and us government combined.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"i believe that the moment is near when by a procedure
 of active paranoiac thought, it will be possible
 to systematize confusion and contribute to
 the total discrediting of the world of reality."
                                                      -- salvador dali
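An added example (not code from this thread, and not from poppassd) that puts the two points above into working C: a setuid-root helper that permanently drops to the invoking user before it talks to PAM, and the local password rule asked about (at least one upper-case letter and at least one digit or symbol). pam_cracklib's ucredit=-1, dcredit=-1 and ocredit=-1 each demand a minimum count of one character class independently, so the "digit or symbol" disjunction is done here in application code and is meant to run after cracklib's dictionary checks, not instead of them. The function names drop_privileges, drop_to_caller and password_policy_missing are this example's own, and the fallback to uid/gid 65534 ("nobody" on most Linux systems) is an assumption.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop root to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid, because
 * once the uid is no longer 0 the earlier calls are no longer permitted.
 * On Linux, setuid() called by root sets real, effective and saved uid,
 * so there is no way back afterwards; the check at the end proves it. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    if (was_root && setgroups(0, NULL) != 0) {   /* clear supplementary groups */
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Real and effective ids must both be the target ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ... and if we were root, regaining it must now fail with EPERM. */
    if (was_root && (setuid(0) == 0 || errno != EPERM))
        return -1;
    return 0;
}

/* Drop to the user who invoked the setuid binary (its real uid). If root
 * itself invoked us there is no lower real uid, so this example falls back
 * to uid/gid 65534 ("nobody" on most Linux systems; an assumption). */
int drop_to_caller(void)
{
    uid_t uid = getuid() ? getuid() : (uid_t)65534;
    gid_t gid = getgid() ? getgid() : (gid_t)65534;
    return drop_privileges(uid, gid);
}

/* Local password policy from the question above: at least one upper-case
 * letter, and at least one digit or symbol. Returns a bitmask of what is
 * missing, so 0 means the password satisfies the policy. */
#define MISSING_UPPER   1
#define MISSING_DIGSYM  2

int password_policy_missing(const char *pw)
{
    int has_upper = 0, has_digsym = 0;

    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c))
            has_upper = 1;
        else if (isdigit(c) || ispunct(c))
            has_digsym = 1;
    }
    return (has_upper ? 0 : MISSING_UPPER) | (has_digsym ? 0 : MISSING_DIGSYM);
}

int main(void)
{
    /* Constructed sample passwords, not real credentials. */
    const char *samples[] = { "correct horse", "Correct horse",
                              "correct horse 9", "Correct-horse", "c0rrectHorse" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s missing=%d\n", samples[i], password_policy_missing(samples[i]));

    /* In the real program this happens before authenticating and before
     * any PAM conversation, so PAM sees the user, not root. */
    if (drop_to_caller() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("now running as uid %u (euid %u)\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The point of the verification block in drop_privileges is that a drop which silently half-succeeds (gid changed, uid still 0, or saved uid still 0) is worse than a refusal: the helper should abort rather than go on to the PAM conversation with leftover privilege.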
