
Re: Debian secure by default?



On Sat May 17 2008 09:34:21 Sven Joachim wrote:
> On 2008-05-17 17:35 +0200, Digby Tarvin wrote:
> > One thing that I find rather hard to justify is that even on an Etch
> > system installed from scratch just a few weeks ago,
> > /etc/pam.d/common-password has password   required   pam_unix.so nullok
> > obscure min=4 max=8 md5 so I can be confidently entering my 200 character
> > uber password thinking that it is hacker proof, when all the time debian
> > is truncating it to eight characters... :-/
>
> Good catch.  If you're the sysadmin, you should change that.  If not,
> convince him to do it.

max= was never intended to limit password lengths and, certainly in Etch
and Lenny, does not do so.  I haven't tested earlier distros.

> > Unless you require it for backward compatibility (because you are
> > importing passwords from an old (less secure) system) I don't see why you
> > would want to limit password length at all? (except, of course, to set a
> > lower limit)
>
> Apparently it is for backward-compatibility, yes.  The limit has been
> dropped in pam 0.99.7.1-5, so Lenny will come with a better default.

As of 0.99.7.1-4, pam simply ignores max=.  However max=8 will remain in
/etc/pam.d/common-password of upgraded systems (but not fresh installs)
because common-password is simply copied from /usr/share/pam on the
first install.

If you change max= with earlier versions of pam it may have unintended
consequences.

EXECUTIVE SUMMARY: max=8 is ignored, this is a non-issue, OP can use
200 character uber password with confidence.

--Mike Bird
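The thread's practical point is that an upgraded Etch/Lenny box keeps a stale `max=8` in /etc/pam.d/common-password (copied once from /usr/share/pam and never refreshed) even though pam_unix stopped honouring it. The following audit script is an added example, not code from the thread or from Debian's pam package: it parses pam.d-style lines, flags `max=` on pam_unix.so password entries, and shows the line with the dead argument removed. The sample configuration is constructed from the line quoted in the thread; the `/etc/pam.d/common-password` default path and the `audit_file` helper name are assumptions.

```python
"""Audit a pam.d password stack for a legacy pam_unix.so max= argument.

Added example, not part of the mailing-list thread. It assumes the Debian
layout the thread names: the live file /etc/pam.d/common-password and the
package template in /usr/share/pam (the audit_file default path is an
assumption).
"""
import re
from pathlib import Path

# Constructed sample: the Etch line quoted in the thread, plus the comment
# header a real common-password file carries.
SAMPLE_ETCH_CONFIG = """\
#
# /etc/pam.d/common-password - password-related modules common to all services
#
password   required   pam_unix.so nullok obscure min=4 max=8 md5
"""

# type, control (either a bare word or a bracketed [success=1 ...] form), module, args
PAM_LINE = re.compile(
    r"^\s*(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam_line(line):
    """Split one pam.d line into (type, control, module, [args]); None for comments/blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = PAM_LINE.match(stripped)
    if not m:
        return None
    return (m["type"], m["control"], m["module"], m["args"].split())


def find_legacy_max(config_text):
    """Return [(line_number, max_value)] for pam_unix.so password lines carrying max=.

    Per the thread, pam_unix ignores max= from 0.99.7.1-4 onward, so a hit is
    dead configuration left over from an upgrade, not an active length limit.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_pam_line(line)
        if parsed is None:
            continue
        mtype, _control, module, args = parsed
        if mtype != "password" or not module.endswith("pam_unix.so"):
            continue
        for arg in args:
            if arg.startswith("max="):
                hits.append((lineno, arg[len("max="):]))
    return hits


def strip_max(line):
    """Return the same pam.d line with any max=N argument removed; other spacing is kept."""
    return re.sub(r"\s+max=\S+", "", line)


def audit_file(path="/etc/pam.d/common-password"):
    """Audit a real file on disk; returns the hits, or [] if the file is absent."""
    p = Path(path)
    if not p.is_file():
        return []
    return find_legacy_max(p.read_text())


if __name__ == "__main__":
    for lineno, value in find_legacy_max(SAMPLE_ETCH_CONFIG):
        print(f"line {lineno}: legacy max={value} (ignored by pam_unix >= 0.99.7.1-4)")
    for line in SAMPLE_ETCH_CONFIG.splitlines():
        if "max=" in line:
            print("before:", line)
            print("after: ", strip_max(line))
    for lineno, value in audit_file():
        print(f"/etc/pam.d/common-password line {lineno}: legacy max={value}")
```

Running it against the constructed sample reports line 4 and prints the cleaned line `password   required   pam_unix.so nullok obscure min=4 md5`; on a real host `audit_file()` reads the live stack, and an empty result means no stale `max=` survived the upgrade. The script only reports and rewrites a string in memory; it does not touch the file, so the removal stays a deliberate sysadmin edit as the thread recommends.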

