[Novalug] Password complexity on RHEL 6.x

Paul W. Frields stickster@gmail.com
Wed Feb 15 07:47:58 EST 2012


Does the /etc/login.defs actually place requirements on complexity?  I
thought it set defaults for aging, encryption on the shadow password,
etc. but didn't really have anything to do with requirements of the
password text itself.  That's in the PAM stack others pointed out.
You can set a lot more complexity using the pam_cracklib.so module's
various parameters; look at the PAM docs for more info.

Paul

On Tue, Feb 14, 2012 at 09:53:15PM -0800, Subba Rao wrote:
> Thank you for replying.  I believe you are right on the PAM
> security, which precedes every other configuration file on Red Hat.
> Since RHEL has SELinux modules well integrated, even in single-user
> mode, the PAM configuration files are the first accessed.  If they
> are not found, then RHEL switches to the other package-specific
> configuration files.
>
> Subbarao
> 
> >________________________________
> > From: "Don E. Groves, Jr." <dgrovesjr@gmail.com>
> >To: Subba Rao <castellan2004-novalug@yahoo.com> 
> >Cc: NOVA LUG <novalug@calypso.tux.org> 
> >Sent: Monday, February 13, 2012 4:15 PM
> >Subject: Re: [Novalug] Password complexity on RHEL 6.x
> > 
> >I would say "system-auth" since it's a PAM configuration file on Red Hat based systems and PAM trumps.
> >
> >Note: On Debian the file is named /etc/pam.d/common-auth and in
> >/etc/login.defs are comments to the fact that PAM now handles
> >certain options formerly handled by it.
> >
> >Hope this was helpful.
> >
> >
> >--
> >  Don Jr
> >
> >
> >On Mon, Feb 13, 2012 at 3:35 AM, Subba Rao <castellan2004-novalug@yahoo.com> wrote:
> >
> >>Hi,
> >>
> >>
> >>I have a really loaded question.  We have RHEL 6.0 (Santiago) in
> >>production and I am doing the STIG review for this box.  I am at the
> >>password complexity portion of the STIG and find that 2 important
> >>files implement password complexity, but they are different.
> >>
> >>
> >>They are /etc/login.defs and /etc/pam.d/system-auth.  Both
> >>files have different options for implementing password complexity.  Which file
> >>takes precedence for implementing password complexity?
> >>
> >>
> >>Thank you in advance for any info/help.
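
Added example, not part of any message in this thread: a small review helper that reads the `pam_cracklib.so` options from the password stack in `/etc/pam.d/system-auth` separately from the aging and hashing defaults in `/etc/login.defs`, then lists complexity gaps against a policy. The sample file contents, function names and policy thresholds are constructed for illustration and are not STIG values.

```python
import re

# Constructed sample files for illustration; the values are not STIG requirements.
SYSTEM_AUTH = """\
auth        required      pam_env.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=0
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_MIN_LEN    5
PASS_WARN_AGE   7
ENCRYPT_METHOD  SHA512
"""

# type, control (plain word or [bracketed] form), module path, then arguments
CRACKLIB_LINE = re.compile(
    r"^\s*-?password\s+(?:\[[^\]]*\]|\S+)\s+\S*pam_cracklib\.so\b(.*)$")

def cracklib_options(pam_text):
    """Options on the first 'password ... pam_cracklib.so' line, or None if absent."""
    for line in pam_text.splitlines():
        m = CRACKLIB_LINE.match(line.split("#", 1)[0])
        if m:
            opts = {}
            for tok in m.group(1).split():
                key, _, val = tok.partition("=")
                opts[key] = int(val) if re.fullmatch(r"-?\d+", val) else (val or True)
            return opts
    return None

def login_defs(text):
    """KEY VALUE pairs from login.defs; comments and blank lines are skipped."""
    rows = (l.split(None, 1) for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {r[0]: r[1].strip() for r in rows if len(r) == 2}

def complexity_gaps(opts, min_len, required_classes):
    """List unmet items of a hypothetical policy. An unset option counts as a gap.
    A negative credit -N makes pam_cracklib require at least N characters of that class."""
    if opts is None:
        return ["pam_cracklib.so is not in the password stack"]
    gaps = ["minlen"] if opts.get("minlen", 0) < min_len else []
    return gaps + [c for c in required_classes if opts.get(c, 0) >= 0]

if __name__ == "__main__":
    opts = cracklib_options(SYSTEM_AUTH)
    print("complexity (PAM):", opts, "\naging/hash (login.defs):", login_defs(LOGIN_DEFS))
    print("gaps:", complexity_gaps(opts, 14, ["dcredit", "ucredit", "lcredit", "ocredit"]))
```

On a real host, pass the contents of `/etc/pam.d/system-auth` and `/etc/login.defs` in place of the constructed strings.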


