
Re: Debian secure by default?



On Sat, May 17, 2008 at 10:06:05AM -0700, Mike Bird wrote:
> On Sat May 17 2008 09:34:21 Sven Joachim wrote:
> > On 2008-05-17 17:35 +0200, Digby Tarvin wrote:
> > > One thing that I find rather hard to justify is that even on an Etch
> > > system installed from scratch just a few weeks ago,
> > > /etc/pam.d/common-password has password   required   pam_unix.so nullok
> > > obscure min=4 max=8 md5 so I can be confidently entering my 200 character
> > > uber password thinking that it is hacker proof, when all the time debian
> > > is truncating it to eight characters... :-/
> >
> > Good catch.  If you're the sysadmin, you should change that.  If not,
> > convince him to do it.
>
> max= was never intended to limit password lengths and, certainly in Etch
> and Lenny, does not do so.  I haven't tested earlier distros.
>
> > > Unless you require it for backward compatibility (because you are
> > > importing passwords from an old (less secure) system) I don't see why you
> > > would want to limit password length at all? (except, of course, to set a
> > > lower limit)
> >
> > Apparently it is for backward-compatibility, yes.  The limit has been
> > dropped in pam 0.99.7.1-5, so Lenny will come with a better default.
>
> As of 0.99.7.1-4, pam simply ignores max=.  However max=8 will remain in
> /etc/pam.d/common-password of upgraded systems (but not fresh installs)
> because common-password is simply copied from /usr/share/pam on the
> first install.
>
> If you change max= with earlier versions of pam it may have unintended
> consequences.
>
> EXECUTIVE SUMMARY: max=8 is ignored, this is a non-issue, OP can use
> 200 character uber password with confidence.
>
> --Mike Bird

Good to hear, although my Etch system (freshly upgraded) reports:
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name             Version          Description
+++-================-================-================================================
ii  libpam-modules   0.79-5           Pluggable Authentication Modules for PAM
ii  libpam-runtime   0.79-5           Runtime support for the PAM library
ii  libpam0g         0.79-5           Pluggable Authentication Modules library

and the docs at
 http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-auth-pam
say
 "Now edit /etc/pam.d/passwd and change the first line. You should add
  the option "md5" to use MD5 passwords, change the minimum length of 
  password from 4 to 6 (or more) and set a maximum length, if you desire."

So the situation doesn't seem as clear as it might be. But a quick test does
seem to indicate that I am getting more password length than the
max keyword setting would indicate - even with 0.79-5.

Regards,
DigbyT
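Two checks for the pam_unix line discussed in this thread, as an added example that is not part of the original posts or of Debian's PAM packaging. The first parses a common-password line in the Etch format and reports the options that matter (nullok, min=, max=, and which crypt(3) scheme is selected). The second reimplements MD5-crypt ($1$) in pure Python so the reader can confirm that the hash Debian selects with the "md5" option consumes the whole password; any eight-character cut-off would therefore have to come from pam_unix's own handling, not from the hash (traditional DES crypt, used when "md5" is absent, keys on only the first 8 bytes). The sample line and the long test password are constructed, and the function names are my own.

```python
"""Audit a pam_unix password line and check whether the selected hash
truncates passwords.  Added example; not from the thread or from Debian."""
import hashlib

# Constructed sample: the Etch default line quoted in the thread.
ETCH_LINE = "password   required   pam_unix.so nullok obscure min=4 max=8 md5"

# pam_unix options that select a crypt(3) scheme; anything else means DES.
_HASH_OPTIONS = ("sha512", "sha256", "blowfish", "bigcrypt", "md5")


def audit_pam_unix_line(line):
    """Parse one 'password ... pam_unix.so ...' line and return findings."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "password" or fields[2] != "pam_unix.so":
        raise ValueError("not a pam_unix password line: %r" % (line,))
    kv, flags = {}, set()
    for opt in fields[3:]:
        if "=" in opt:
            key, val = opt.split("=", 1)
            kv[key] = val
        else:
            flags.add(opt)
    hash_scheme = next((h for h in _HASH_OPTIONS if h in flags), "des")
    report = {
        "nullok": "nullok" in flags,
        "hash": hash_scheme,
        "min": int(kv["min"]) if "min" in kv else None,
        "max": int(kv["max"]) if "max" in kv else None,
        "warnings": [],
    }
    warn = report["warnings"].append
    if report["nullok"]:
        warn("nullok: accounts with an empty password can authenticate")
    if hash_scheme == "des":
        warn("no md5/sha*: DES crypt keys on only the first 8 bytes of the password")
    if report["max"] is not None:
        warn("max=%d present: remove it rather than rely on pam ignoring it"
             % report["max"])
    if report["min"] is not None and report["min"] < 6:
        warn("min=%d: below the 6 the Securing Debian HOWTO suggests" % report["min"])
    return report


ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` base-64 digits of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """MD5-crypt ($1$) following Poul-Henning Kamp's crypt_md5.c (bytes in/out)."""
    magic = b"$1$"
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split(b"$", 1)[0][:8]          # salt stops at '$', max 8 chars
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                         # as many bytes of alt as len(pw)
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                                  # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                        # stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = magic + salt + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return out


def uses_only_first_8_bytes(hashfn, salt=b"saltsalt"):
    """True if hashfn ignores everything after byte 8, as DES crypt does."""
    long_pw = b"correct horse battery staple " * 7   # constructed, ~200 bytes
    return hashfn(long_pw, salt) == hashfn(long_pw[:8], salt)


if __name__ == "__main__":
    for message in audit_pam_unix_line(ETCH_LINE)["warnings"]:
        print("WARN:", message)
    print("md5crypt truncates at 8 bytes:", uses_only_first_8_bytes(md5crypt))
```

Run against the Etch line it reports nullok, the stray max=8 and the low min=4, and the truncation probe comes back False for md5crypt: the 200-character password and its 8-character prefix hash differently. To test the live system rather than the hash, set a long password with passwd and then try to log in with only its first eight characters; if that succeeds, something in the PAM stack is cutting the password short.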