
securing debian, pam



Hi,

I've been hardening a box (woody installation upgraded to sarge) by
following along the Securing Debian howto.

I added the following two lines (which aren't exact copies of those in the
howto) to /etc/pam.d/common-password:

password required pam_cracklib.so retry=3 minlength=12 difok=3
password required pam_unix.so use_authtok md5 min=12 max=128

To test this I created a new user with a 7 character password.  That was
accepted no problems, no complaints.  The new user was able to log in,
similarly with no complaints about the password being too short.  Both
/etc/pam.d/login and /etc/pam.d/passwd reference /etc/pam.d/common-password
(@include common-passwd), so I would think they should have rejected this 7
character password.  Any suggestions as to what I may have not set up
properly?


I think the following should be anecdotal, but it was peculiar so maybe it
means something.  I had to install libpam-cracklib to do this.  The Securing
Debian howto said I would also need to install a wordlist such as wbritish
for cracklib to work.  Installing libpam-cracklib pulled in
cracklib-runtime, and cracklib2 but didn't require me to have a word list. 
I figured that the howto was out of date on this issue.

However, when I first tried to create this new user, passwd crapped out
with the error "Critical error - immediate abort".  A google result
suggested installing wbritish and running /etc/cron.daily/cracklib.  That
allowed me to create the new user.  End of anecdote.


Thanks,

gc
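
An added example, not part of the original post: a small lint that parses PAM rule lines and reports pam_cracklib arguments that are not documented option names, since arguments the module does not recognise are not applied. The option list is an assumption taken from the Linux-PAM pam_cracklib(8) man page (including the older names `type` and `difignore`), and `SAMPLE` holds the two lines quoted in the post.

```python
import re

# Assumption: option names from the Linux-PAM pam_cracklib(8) man page.
# The set differs between versions, so check the man page on the target box.
CRACKLIB_OPTS = {
    "debug", "type", "authtok_type", "retry", "difok", "difignore", "minlen",
    "dcredit", "ucredit", "lcredit", "ocredit", "minclass", "maxrepeat",
    "maxsequence", "maxclassrepeat", "reject_username", "gecoscheck",
    "enforce_for_root", "use_authtok", "dictpath",
}

# type, control (plain word or [bracketed list]), module, then arguments
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# The two lines from the post, as they would sit in common-password.
SAMPLE = [
    "password required pam_cracklib.so retry=3 minlength=12 difok=3",
    "password required pam_unix.so use_authtok md5 min=12 max=128",
]

def parse_pam_line(line):
    """Return a dict for a PAM rule line, or None for comments and @include."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    m = RULE.match(line)
    if m is None:
        return None
    return {"type": m.group(1), "control": m.group(2),
            "module": m.group(3).rsplit("/", 1)[-1],  # drop any directory part
            "args": m.group(4).split()}

def lint(lines):
    """Return (line_number, option_name) for each unknown pam_cracklib option."""
    findings = []
    for number, line in enumerate(lines, 1):
        rule = parse_pam_line(line)
        if rule is None or rule["module"] != "pam_cracklib.so":
            continue
        for arg in rule["args"]:
            name = arg.split("=", 1)[0]
            if name not in CRACKLIB_OPTS:
                findings.append((number, name))
    return findings

if __name__ == "__main__":
    for number, name in lint(SAMPLE):
        print(f"line {number}: pam_cracklib has no option named {name!r}")
```

On the lines from the post it flags `minlength` on the first line; the documented name for the length setting is `minlen`.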


