Re: Debian secure by default?

To: debian-user@lists.debian.org
Subject: Re: Debian secure by default?
From: Sven Joachim <svenjoac@gmx.de>
Date: Sat, 17 May 2008 18:34:21 +0200
Message-id: <[🔎] 87ve1czy7m.fsf@gmx.de>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20080517153534.6379.qmail@tdc.dircon.co.uk> (Digby Tarvin's message of "Sat, 17 May 2008 15:35:33 +0000 (GMT)")
References: <[🔎] 20080517153534.6379.qmail@tdc.dircon.co.uk>

On 2008-05-17 17:35 +0200, Digby Tarvin wrote:

> One thing that I find rather hard to justify is that even on an Etch system
> installed from scratch just a few weeks ago, /etc/pam.d/common-password has
>   password   required   pam_unix.so nullok obscure min=4 max=8 md5
> so I can be confidently entering my 200 character uber password thinking
> that it is hacker proof, when all the time debian is truncating it to
> eight characters... :-/

Good catch.  If you're the sysadmin, you should change that.  If not,
convince him to do it.

> Unless you require it for backward compatability (because you are importing
> passwrds from an old (less secure) system) I don't see why you would want
> to limit password length at all? (except, of course, to set a lower limit)

Apparently it is for backward-compatibility, yes.  The limit has been
dropped in pam 0.99.7.1-5, so Lenny will come with a better default.

Sven

Reply to:

Follow-Ups:
- Re: Debian secure by default?
  - From: Mike Bird <mgb-debian@yosemite.net>

References:
- Re: Debian secure by default?
  - From: "Digby Tarvin" <lists2008@skaro.afraid.org>

Prev by Date: Re: sandisk mp3 player mount
Next by Date: Re: sandisk mp3 player mount
Previous by thread: Re: Debian secure by default?
Next by thread: Re: Debian secure by default?
Index(es):
- Date
- Thread