Re: Securing debian howto
Amaya, mar20011113@16:04:45(+0100):
>
>David Serrano said:
>> If I'm not making myself clear, let me know and I'll elaborate :^).
>
>Consider yourself notified :-)
The document says:
--
The first thing I like to do, is to add MD5 support to PAM applications,
since this helps protect against dictionary cracks. The following two
lines should be added to all files in /etc/pam.d/ that grant access to
the machine, like login and ssh.
# Be sure to install libpam-cracklib first or you will not be able to log in
password required pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_unix.so use_authtok nullok md5
--
Part of my /etc/pam.d/login:
--
# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
#password required pam_unix.so nullok obscure min=4 max=8
#password required pam_unix.so obscure min=4 max=8
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and <-- note this
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
password required pam_cracklib.so retry=3 minlen=10 difok=5
password required pam_unix.so use_authtok md5
--
We can see that the lines the howto recommends are already in
/etc/pam.d/login, but commented out. I uncommented them and of course
commented out the ones above, as the sentence I pointed out says.
So far so good. My /etc/pam.d/password is practically the same as the
chunk of /etc/pam.d/login I pasted here, so I am not going to
repeat it below. Buuuuut, quoting from the howto:
--
Now edit /etc/pam.d/passwd and change the first line. You should add the
option "md5" to use MD5 passwords, change the minimum length of
password from 4 to 6 (or more) and set a maximum length, if you desire.
The resulting line will look something like:
password required pam_unix.so nullok obscure min=6 max=11 md5
--
Damn, what do they mean "change the first line"? That one has to be
commented out, right? This is what I don't understand. Am I making myself clear now? :^).
--
David Serrano <cyberchat2000.com@hue> - Linux Registered User #87069
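
A small checker for the situation in this message, added here as an example and not part of the original post or the howto: it reads the active `password` lines of a pam.d file and reports when both alternatives are enabled at once, or when the `pam_unix.so` options do not match the presence of `pam_cracklib.so`. The function names and sample text are constructed, and it assumes single-word control flags such as `required`.

```python
# Constructed sample: both alternatives left active at the same time.
SAMPLE_BOTH = """\
password required pam_unix.so nullok obscure min=6 max=11 md5
password required pam_cracklib.so retry=3 minlen=10 difok=5
password required pam_unix.so use_authtok md5
"""

# Constructed sample: first line commented out, cracklib pair active.
SAMPLE_CRACKLIB = """\
#password required pam_unix.so nullok obscure min=4 max=8
password required pam_cracklib.so retry=3 minlen=10 difok=5
password required pam_unix.so use_authtok md5
"""

def password_stack(text):
    """Return [(module, [options])] for active 'password' lines, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # '#' starts a comment
        # Assumption: type, one-word control flag, module path, then options.
        if len(fields) >= 3 and fields[0] == "password":
            stack.append((fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack

def check_password_stack(text):
    """Return a list of findings; an empty list means the stack is consistent."""
    stack = password_stack(text)
    unix = [(i, o) for i, (m, o) in enumerate(stack) if m == "pam_unix.so"]
    crack = [i for i, (m, _) in enumerate(stack) if m == "pam_cracklib.so"]
    findings = []
    if not unix:
        findings.append("no active pam_unix.so password line")
    if len(unix) > 1:
        findings.append("more than one active pam_unix.so password line")
    for i, opts in unix:
        if "md5" not in opts:
            findings.append("pam_unix.so without md5")
        if crack:
            if "use_authtok" not in opts:
                findings.append("pam_cracklib.so active but pam_unix.so lacks use_authtok")
            if i < crack[0]:
                findings.append("pam_unix.so precedes pam_cracklib.so")
        elif "use_authtok" in opts:
            findings.append("use_authtok set but no pam_cracklib.so before it")
    return findings

if __name__ == "__main__":
    for name, text in (("both", SAMPLE_BOTH), ("cracklib", SAMPLE_CRACKLIB)):
        print(name, check_password_stack(text) or "consistent")
```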