[Novalug] Password complexity on RHEL 6.x

jecottrell3@comcast.net jecottrell3@comcast.net
Wed Feb 15 11:53:18 EST 2012


Who even looks at that file anyway?

I always just use authconfig and let it rewrite the files it needs to.

JIM

----- Original Message -----
From: "Jon LaBadie" <novalugml@jgcomp.com>
To: novalug@calypso.tux.org
Sent: Wednesday, February 15, 2012 11:45:51 AM
Subject: Re: [Novalug] Password complexity on RHEL 6.x

On Wed, Feb 15, 2012 at 07:47:58AM -0500, Paul W. Frields wrote:
> Does the /etc/login.defs actually place requirements on complexity?  I
> thought it set defaults for aging, encryption on the shadow password,
> etc. but didn't really have anything to do with requirements of the
> password text itself.  That's in the PAM stack others pointed out.
> You can set a lot more complexity using the pam_cracklib.so module's
> various parameters; look at the PAM docs for more info.
> 

/etc/login.defs can contain a boolean "OBSCURE_CHECKS_ENAB" which
can enable the passwd(1) command to enable additional checks upon
password changes.  Other than a mention in login.defs(5) I don't
know of other descriptions of the possible checks.

Jon

> 
> On Tue, Feb 14, 2012 at 09:53:15PM -0800, Subba Rao wrote:
> > Thank you for replying.  I believe you are right on the PAM
> > security, which precedes every other configuration file on RedHat.
> > Since RHEL has SELinux modules well integrated, even in single-user
> > mode, the PAM configuration files are the first accessed.  If they
> > are not found, then RHEL switches to the other package specific
> > configuration files.  Subbarao
> > 
> > >________________________________
> > > From: "Don E. Groves, Jr." <dgrovesjr@gmail.com>
> > >To: Subba Rao <castellan2004-novalug@yahoo.com> 
> > >Cc: NOVA LUG <novalug@calypso.tux.org> 
> > >Sent: Monday, February 13, 2012 4:15 PM
> > >Subject: Re: [Novalug] Password complexity on RHEL 6.x
> > > 
> > >I would say "system-auth" since it's a pam configuration file on Red Hat based systems and pam trumps.
> > >
> > >note: On Debian the file is named /etc/pam.d/common-auth and in
> > >/etc/login.defs are comments to the fact that PAM now handles
> > >certain options formerly handled by it.
> > >
> > >Hope this was helpful.
> > >
> > >
> > >--
> > >  Don Jr
> > >
> > >
> > >On Mon, Feb 13, 2012 at 3:35 AM, Subba Rao <castellan2004-novalug@yahoo.com> wrote:
> > >
> > >Hi,
> > >>
> > >>
> > >>I have a really loaded question.  We have RHEL 6.0 (Santiago) in
> > production and I am doing the STIG review for this box.  I am at the
> > password complexity portion of the STIG and find that 2 important
> > files implementing password complexity but they are different.
> > >>
> > >>
> > >>They are /etc/login.defs and /etc/pam.d/system-auth.  Both
> > files have different options for implementing password complexity.  Which file
> > takes precedence for implementing password complexity?
> > >>
> > >>
> > >>Thank you in advance for any info/help.
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
> 
>>> End of included message <<<

-- 
Jon H. LaBadie                  novalugml@jgcomp.com
 11226 South Shore Rd		(703) 787-0688 (H)
 Reston, VA  20190		(609) 477-8330 (C)
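
For a review like the one discussed in this thread, the settings in both files can be read side by side. The following is an added example, not code from any poster in the thread: it parses the "password" lines of a PAM file and the keys of login.defs. The sample file contents are constructed and the function names are hypothetical.

```python
import re

# Constructed sample contents for illustration; not taken from the thread.
SYSTEM_AUTH = """\
auth        required      pam_env.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
password    [success=1 default=ignore] pam_localuser.so
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""
LOGIN_DEFS = """\
# Constructed sample
PASS_MAX_DAYS   60
PASS_MIN_LEN    5
OBSCURE_CHECKS_ENAB yes
"""

# A control field is either one word or a bracketed [value=action ...] list.
PAM_LINE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
CLASSES = {"dcredit": "digit", "ucredit": "upper", "lcredit": "lower", "ocredit": "other"}

def pam_password_stack(text):
    """Return [(control, module, options)] for each 'password' line, in stack order."""
    stack = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            opts = {}
            for arg in m.group(3).split():
                key, _, val = arg.partition("=")
                opts[key] = val if val else True  # bare flags become True
            stack.append((m.group(1), m.group(2), opts))
    return stack

def cracklib_rules(stack):
    """Summarise pam_cracklib options; a negative credit N requires |N| characters of that class."""
    for _, module, opts in stack:
        if module.endswith("pam_cracklib.so"):
            required = {CLASSES[k]: -int(v) for k, v in opts.items()
                        if k in CLASSES and int(v) < 0}
            return {"minlen": int(opts.get("minlen", 0)) or None, "required": required}
    return None  # no pam_cracklib line in the password stack

def login_defs(text):
    """Return KEY -> value for the non-comment lines of login.defs."""
    pairs = (l.split(None, 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

if __name__ == "__main__":
    print("PAM password stack:", [m for _, m, _ in pam_password_stack(SYSTEM_AUTH)])
    print("pam_cracklib rules:", cracklib_rules(pam_password_stack(SYSTEM_AUTH)))
    print("login.defs:", login_defs(LOGIN_DEFS))
```

To check a real host, pass the contents of /etc/pam.d/system-auth and /etc/login.defs to the same functions in place of the constructed samples.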