Re: PAM module to enable password restriction
- From: Richard.L.Hamilton@xxxxxxxxxxxxxxxxxx (Richard L. Hamilton)
- Date: Fri, 10 Nov 2006 21:20:39 -0600
In article <1163174804.888964.327530@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"Hugh" <hughjanus007@xxxxxxxxxxx> writes:
> Hi,
> Is there an existing PAM module that I can integrate in my Solaris 10
> environment that does NOT allow passwords to:
> 1.) contain sequences of three (3) or more characters from the user's
> login ID or the system name.
> 2.) contain a sequence of two (2) or more characters more than once,
> for example, qwe123abc.
> Thanks.

I don't know of one that does exactly those checks; pam_authtok_check(5)
does some other checks, see
http://docs.sun.com/app/docs/doc/816-5175/6mbba7f2j?a=view
You might try:
* describing to whoever dreamed up those checks what pam_authtok_check(5)
already does; see if they can't live with that instead (some of the
folks who dream these things up can be persuaded to live with
off-the-shelf if they understand it costs time or money and not merely
setting configuration options to get what they specify)
* looking at the code for the existing module (well, newer probably,
but hopefully not incompatible) at
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/pam_modules/authtok_check/
in case you want to write your own
It really gets tiresome to have every different place dream up its own
password strength checks (and expect the software to enforce them).
And if one wants to implement some sort of single-sign-on but each
participating OS prior to that has its own checks, what then? Even
if the single-sign-on will keep that from breaking, the change will seriously
confuse the users, and generate a lot more help desk calls (of which
entirely too many already are probably about trouble with passwords).
Either those who specify this stuff should specify best-effort with
off-the-shelf software (which would however have different behavior for
each platform, with the aforementioned wetware issues), or should specify
(and fund) some add-on available for all applicable platforms that they
like, or some standard should exist for password strength tests (is there
one?), which everybody should just reference, and every platform should
implement.
Did they get those checks from prior experience with some other OS? It
almost sounds like it, and a bad habit it is too to build specifications
based on the behavior of a particular product; gives the appearance of
stacking the deck.
--
mailto:rlhamil@xxxxxxxxx http://www.smart.net/~rlhamil
Lasik/PRK theme music:
"In the Hall of the Mountain King", from "Peer Gynt"
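
An added example, not part of the original post and not code from pam_authtok_check: the two checks from the question written as plain C functions that a custom module could call. Case-insensitive matching, counting overlapping repeats, reading rule 2 as "the same two-character run appears at two offsets", and the sample login and system names are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Rule 1: does pw contain any n-character run taken from ref?
 * Assumption: comparison ignores case. */
int shares_sequence(const char *pw, const char *ref, size_t n)
{
    size_t lp = strlen(pw), lr = strlen(ref);
    for (size_t i = 0; i + n <= lr; i++)
        for (size_t j = 0; j + n <= lp; j++)
            if (strncasecmp(ref + i, pw + j, n) == 0)
                return 1;
    return 0;
}

/* Rule 2: does any n-character run occur at two different offsets in pw?
 * Assumption: overlapping occurrences (e.g. "aaa") count as a repeat. */
int has_repeated_sequence(const char *pw, size_t n)
{
    size_t lp = strlen(pw);
    for (size_t i = 0; i + n <= lp; i++)
        for (size_t j = i + 1; j + n <= lp; j++)
            if (strncasecmp(pw + i, pw + j, n) == 0)
                return 1;
    return 0;
}

/* Returns 0 if acceptable, 1 if rule 1 fails, 2 if rule 2 fails. */
int check_password(const char *pw, const char *login, const char *sysname)
{
    if (shares_sequence(pw, login, 3) || shares_sequence(pw, sysname, 3))
        return 1;
    if (has_repeated_sequence(pw, 2))
        return 2;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    printf("%d\n", check_password("xJanu$47", "hjanus", "sol10box"));
    return 0;
}
```

Under this reading of rule 2, the question's sample qwe123abc is accepted, since no two-character run in it repeats. The PAM service-module glue that would obtain the new password and call `check_password` is not shown.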