Re: [owl-users] pam_passwdqc and history

From: Solar Designer (solar@private)
Date: Sat Jun 23 2007 - 20:59:12 PDT


On Sat, Jun 23, 2007 at 08:22:19PM -0600, Vincent Danen wrote:
> Of course, that doesn't stop legislators from specifying they want or
> need something like this, so if something like this were to make its
> way into pam_passwdqc (as, from my understanding, pam_cracklib is what
> would be doing this, not pam_unix), I think it might make it more
> palatable to some people (with the appropriate warnings/compile-time
> disablers, etc.).

I agree, except for one thing:

Of the bundled Linux-PAM modules, pam_unix both consults and updates the
password history file, whereas pam_cracklib merely consults the file (in
fact, there's some duplicate code between pam_unix and pam_cracklib).
So I think that the password history would work with Linux-PAM's
pam_unix alone and no pam_cracklib.  You might want to give this a try.
If so, replacing pam_cracklib with pam_passwdqc will not prevent the
password history from working.  (However, replacing pam_unix with
pam_tcb will.)  This might make it easier for you to get pam_passwdqc
into Mandriva.

Neither pam_unix nor pam_cracklib are a part of Owl, so this discussion
is getting somewhat off-topic for owl-users.  The aspect that is on
topic is that wider adoption of components from Owl (such as our PAM
modules) by other distributions makes our development efforts more
worthwhile and indirectly helps Owl development.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
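
The message above says pam_unix both consults and updates the password history file, so swapping pam_cracklib for pam_passwdqc leaves history intact while swapping pam_unix for pam_tcb does not. As an added example (not part of the original message or of any Owl or Linux-PAM code), this sketch checks a `password` stack for that condition; the sample stacks and option values are constructed, and it assumes /etc/pam.d-style lines and that history is enabled through pam_unix's `remember=N` option.

```python
import re

# /etc/pam.d-style rule: type, control (keyword or [bracketed]), module, args.
RULE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def password_history(pam_conf):
    """Return (remember, modules) for the password stack: the remember=N count
    passed to pam_unix (0 = nothing in the stack updates the history file)
    and the list of modules seen, in order."""
    remember, modules = 0, []
    for raw in pam_conf.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # comment, blank line, or a rule of another type
        name = m.group(2).rsplit("/", 1)[-1]  # accept full module paths
        modules.append(name)
        if name == "pam_unix.so":
            for arg in m.group(3).split():
                if arg.startswith("remember=") and arg[9:].isdigit():
                    remember = int(arg[9:])
    return remember, modules

# Constructed sample stacks, for illustration only.
CRACKLIB_UNIX = """\
password required   pam_cracklib.so retry=3
password sufficient pam_unix.so use_authtok shadow remember=5
"""
PASSWDQC_UNIX = """\
password requisite  pam_passwdqc.so min=disabled,24,11,8,7
password sufficient pam_unix.so use_authtok shadow remember=5  # history kept
"""
PASSWDQC_TCB = """\
auth     required   pam_tcb.so shadow
password requisite  pam_passwdqc.so min=disabled,24,11,8,7
password required   pam_tcb.so use_authtok shadow write_to=tcb
"""

if __name__ == "__main__":
    for label, conf in [("cracklib+unix", CRACKLIB_UNIX),
                        ("passwdqc+unix", PASSWDQC_UNIX),
                        ("passwdqc+tcb", PASSWDQC_TCB)]:
        n, mods = password_history(conf)
        state = f"history kept (remember={n})" if n else "no history updater"
        print(f"{label:15} {state:28} {mods}")
```
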



