
Re: Securing debian howto



Amaya, mar20011113@16:04:45(+0100):
>
>David Serrano said:
>>      If I'm not making myself clear, let me know and I'll elaborate :^).
>
>Consider yourself notified :-)

         The document says:

--
The first thing I like to do, is to add MD5 support to PAM applications,
since this helps protect against dictionary cracks. The following two
lines should be added to all files in /etc/pam.d/ that grant access to
the machine, like login and ssh.

# Be sure to install libpam-cracklib first or you will not be able to log in
password   required     pam_cracklib.so retry=3 minlen=12 difok=3
password   required     pam_unix.so use_authtok nullok md5
--

         Part of my /etc/pam.d/login:

--
# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

#password   required   pam_unix.so nullok obscure min=4 max=8
#password   required   pam_unix.so obscure min=4 max=8

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and      <-- note this
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
password required       pam_cracklib.so retry=3 minlen=10 difok=5
password required       pam_unix.so use_authtok md5
--

         We can see that the lines the howto recommends are already in
     /etc/pam.d/login, but commented out. I uncommented them and of course
     commented out the ones above, as the sentence I pointed out says.

         So far so good. My /etc/pam.d/password is practically the same
     as the chunk of /etc/pam.d/login I pasted here, so I'm not going to
     repeat it below. Buuuut, quoting from the howto:

--
Now edit /etc/pam.d/passwd and change the first line. You should add the
option "md5" to use MD5 passwords, change the minimum length of
password from 4 to 6 (or more) and set a maximum length, if you desire.
The resulting line will look something like:

password   required   pam_unix.so nullok obscure min=6 max=11 md5
--

         Damn, what do you mean "change the first line"? That one has to
     be commented out, doesn't it? This is what I don't understand. Am I
     making myself clear now? :^).


-- 
 David Serrano <cyberchat2000.com@hue> - Linux Registered User #87069
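
The question above comes down to which "password" lines are actually active in a PAM service file. The following is an added example, not part of the original post or of the howto: it lists the uncommented password stack and flags the case where both pam_unix.so alternatives end up enabled. The sample file contents and the function names are constructed for illustration, and the parser assumes plain control keywords such as "required".

```python
# Added example. Constructed sample: the /etc/pam.d/login excerpt from the
# post, with the old pam_unix.so line commented out and the cracklib pair active.
CRACKLIB_ONLY = """\
#password   required   pam_unix.so nullok obscure min=4 max=8
password required       pam_cracklib.so retry=3 minlen=10 difok=5
password required       pam_unix.so use_authtok md5
"""
# Constructed sample: the howto's "first line" enabled on top of that pair.
BOTH_ENABLED = ("password   required   pam_unix.so nullok obscure min=6 max=11 md5\n"
                + CRACKLIB_ONLY)


def active_password_stack(text):
    """Return [(module, [options])] for each uncommented 'password' line.
    Assumption: plain control keywords (required, ...), no bracketed [a=b] form."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 3 and fields[0] == "password":
            stack.append((fields[2], fields[3:]))
    return stack


def check_stack(stack):
    """Return a list of findings; an empty list means the stack is consistent."""
    findings = []
    unix = [i for i, (mod, _) in enumerate(stack) if mod == "pam_unix.so"]
    if not unix:
        findings.append("no active pam_unix.so password line")
    if len(unix) > 1:
        # The file's own comment treats the two forms as alternatives.
        findings.append("both pam_unix.so alternatives are active")
    for i in unix:
        opts = stack[i][1]
        if "md5" not in opts:
            findings.append("active line %d: pam_unix.so lacks md5" % (i + 1))
        earlier = [mod for mod, _ in stack[:i]]
        if "use_authtok" in opts and "pam_cracklib.so" not in earlier:
            findings.append("use_authtok with no pam_cracklib.so before it")
    return findings


if __name__ == "__main__":
    for name, text in (("cracklib only", CRACKLIB_ONLY), ("both", BOTH_ENABLED)):
        print(name, "->", check_stack(active_password_stack(text)) or "ok")
```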


