[27032] in bugtraq

Re: Password Security Policy Question

daemon@ATHENA.MIT.EDU (Nick Lamb)
Fri Sep 13 14:55:11 2002

Date: Fri, 13 Sep 2002 02:12:23 +0100
From: Nick Lamb <njl98r@ecs.soton.ac.uk>
To: "Greg A. Woods" <woods@weird.com>
Message-ID: <20020913021223.A25622@ecs.soton.ac.uk>
Mail-Followup-To: "Greg A. Woods" <woods@weird.com>,
	bugtraq@securityfocus.com
In-Reply-To: <20020911010757.4B19FAC@proven.weird.com>; from woods@weird.com on Tue, Sep 10, 2002 at 09:07:57PM -0400

On Tue, Sep 10, 2002 at 09:07:57PM -0400, Greg A. Woods wrote:
> I'm still amazed that nothing has been done with my submitted patches
> since, not in NetBSD nor in any of the other free unix systems so far as
> I know.

The default settings in modern Red Hat and Red Hat-like systems do use
Cracklib to prevent users from choosing very low quality passwords.

The autogenerated PAM configuration on my Red Hat 7.3 system says...

password    required      /lib/security/pam_cracklib.so retry=3

Sure enough I can't change my password to 'guess' or 'password' or
'01234567' using either the GUI or the passwd program. It's not as
friendly as Mozilla's "password goodness meter" but it will suffice.

Apparently there are moves afoot to replace or augment Cracklib with
Solar Designer's pam_passwdqc in some future version of Red Hat Linux.

Nick.
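
An added example, not part of the original post: a small audit of pam.d-style configuration text that checks whether the password stack actually enforces a quality module such as the pam_cracklib line quoted above. The function names, the sample configurations other than the quoted pam_cracklib line, and the wording of the findings are assumptions made for illustration.

```python
QUALITY_MODULES = ("pam_cracklib", "pam_passwdqc")  # the two modules named in the post
ENFORCING = ("required", "requisite")  # failure of these fails the password change

def parse_pam(text):
    """Yield (type, control, module, args) from pam.d-style configuration text."""
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        mtype, control, rest = fields[0].lstrip("-"), fields[1], fields[2:]
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)  # bracketed control containing spaces
        if rest:
            yield mtype, control, rest[0], rest[1:]

def audit_password_stack(text):
    """Return findings about password-quality checking in the password stack."""
    findings, seen, earlier_sufficient = [], False, None
    for mtype, control, module, _args in parse_pam(text):
        if mtype != "password":
            continue
        name = module.rsplit("/", 1)[-1]
        name = name[:-3] if name.endswith(".so") else name
        if name in QUALITY_MODULES:
            seen = True
            if control not in ENFORCING:
                findings.append(f"{name}: control '{control}' does not reliably block a rejected password")
            if earlier_sufficient:
                findings.append(f"{name}: listed after sufficient {earlier_sufficient}, may never run")
        elif control == "sufficient":
            earlier_sufficient = earlier_sufficient or name
    if not seen:
        findings.append("no password-quality module in the password stack")
    return findings

# Constructed samples; only the pam_cracklib line is quoted from the post.
AS_POSTED = """\
auth        required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so use_authtok
"""
WEAKENED = """\
password    sufficient    /lib/security/pam_unix.so
password    optional      /lib/security/pam_cracklib.so retry=3
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("weakened", WEAKENED)):
        print(label, audit_password_stack(cfg) or "ok")
```
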
