password control? - Security


  1. password control?

    Where might I find docs on how to configure user account passwords to
    support a format of x number of digits, x number of symbols, with
    length x, etc...?



  2. Re: password control?

    On 12 Aug, 06:05, Bill Marcum wrote:
    > On Thu, 9 Aug 2007 22:12:08 -0500, Ender wrote:
    >
    > > Where might I find docs on how to configure user account passwords to
    > > support a format of x number of digits, x number of symbols, with
    > > length x, etc...?
    >
    > libpam-doc, specifically the cracklib module.


    The location of the documentation depends on your Linux distribution.
    libpam-doc seems to be a Debian-ism. Under RedHat, it's in
    /usr/share/docs, or for tools whose authors wrote man pages, it's in
    the man pages. For tools whose authors use the standard texinfo format,
    it's in /usr/share/info. Etc., etc., etc.

    Debian does seem to be good about having such documentation in a
    separate package with a sensible name.

    Many distributions also have a system configuration tool specific to
    their distribution to manipulate such system settings, some good, some
    awful. And configuring additional shared password structures, like
    Kerberos and LDAP and Winbind, means those systems have their *own*
    configuration settings.

    Perhaps you could share a few more details about your setup? Your OS,
    and whether you need Kerberos or LDAP or Winbind or NIS?
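
Added example, not part of the thread or of any poster's reply: a small Python check that reads a `password` line for the pam_cracklib module mentioned above and reports which of the original question's requirements (length, digits, symbols) the line actually enforces. It assumes the option names `minlen`, `dcredit`, `ucredit`, `lcredit` and `ocredit` from the pam_cracklib man page, where a negative credit is a required minimum count; the function names and both sample lines are constructed for illustration.

```python
import shlex

# pam_cracklib credit options and the character class each one governs.
CLASSES = {"dcredit": "digits", "ucredit": "uppercase",
           "lcredit": "lowercase", "ocredit": "symbols"}

def parse_cracklib_line(line):
    """Return the options of a 'password ... pam_cracklib.so' line, else None."""
    tokens = shlex.split(line, comments=True)   # drops trailing '# ...' comments
    if not tokens or tokens[0].lstrip("-") != "password":
        return None
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] == "pam_cracklib.so":
            # Module arguments are 'key=value' pairs or bare flags.
            return dict(arg.partition("=")[::2] for arg in tokens[i + 1:])
    return None

def effective_policy(opts):
    """Turn credit options into the hard requirements they really impose."""
    policy = {"minlen": int(opts["minlen"]) if "minlen" in opts else None,
              "required": {}, "not_enforced": []}
    for opt, label in CLASSES.items():
        # Assumption: an option that is not set never acts as a hard minimum.
        credit = int(opts.get(opt, 0))
        if credit < 0:
            policy["required"][label] = -credit    # negative N: at least N of this class
        else:
            policy["not_enforced"].append(label)   # N >= 0 only grants length credit
    return policy

# Constructed sample lines (not taken from any real system).
WEAK = "password required pam_cracklib.so retry=3 minlen=8 dcredit=2 ocredit=1"
STRICT = ("password requisite pam_cracklib.so retry=3 minlen=12 "
          "dcredit=-2 ucredit=-1 lcredit=0 ocredit=-1  # enforce classes")

if __name__ == "__main__":
    for name, line in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, effective_policy(parse_cracklib_line(line)))
```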


  3. Re: password control?

    >
    >
    > Perhaps you could share a few more details about your setup? Your OS,
    > and whether you need Kerberos or LDAP or Winbind or NIS?


    Well, my systems are Gentoo, and I've had problems with cracklib in the
    past, couldn't change passwords (don't remember the error, but wouldn't
    be too hard to dig it back up), so I've had to revert back to pam. And
    I'd like to get LDAP going (learn it first) so that my users can run
    the same account passwd's across all our machines.


  4. Re: password control?

    Ender coughed up some electrons that declared:

    >>
    >>
    >> Perhaps you could share a few more details about your setup? Your OS,
    >> and whether you need Kerberos or LDAP or Winbind or NIS?

    >
    > Well, my systems are Gentoo, and I've had problems with cracklib in the
    > past, couldn't change passwords (don't remember the error, but wouldn't
    > be too hard to dig it back up), so I've had to revert back to pam. And
    > I'd like to get LDAP going (learn it first) so that my users can run
    > the same account passwd's across all our machines.


    If you just want to have common passwords, Kerberos is a better option IMO.
    Although it looks like a black art, it is actually not that hard to
    configure a server. It also has the reputation of being extremely secure.

    Many Linux distributions have the required packages, including pam_krb5.

    This assumes that you have another way to update the basic account
    information (e.g. NIS, LDAP or scripts to manage /etc/passwd and /etc/group).

    The *big* improvement with Kerberos is the way that root logins are handled.

    Everyone who needs root access has to log in as themselves (in the normal
    model, you can subvert this with PAM trickery), then ksu to root using
    their own root principal password. Secondly, they also have to be listed
    in /root/.k5login which gives a wonderful level of control about who logs
    in where and avoids having to have the big book of root passwords.

    If that sounds appealing, I'll see if I can dig out a suitable HOWTO.

    Cheers

    Tim

  5. Re: password control?

    > passwords.
    >
    > If that sounds appealing, I'll see if I can dig out a suitable HOWTO.



    Thanks, your advice has been more than helpful and I can dig the rest
    up. I think I will go that route.

    Much appreciated.

