Context Navigation

-              r914049f6
+              r47274444
 # End /etc/pam.d/other</literal></screen>
+      <para>Now set up some generic files.  As root:</para>
+      <para>
+        Now set up some generic files.  As root:
+      </para>
 <screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
 …
 EOF</userinput></screen>
+    <para>The remaining generic file depends on whether <xref linkend="cracklib"/>
+    is installed.  If it is installed, use:</para>
+      <para>
+        The remaining generic file depends on whether <xref
+        linkend="cracklib"/> is installed.  If it is installed, use:
+      </para>
 <screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
 …
 EOF</userinput></screen>
+        <note>
+          <para>
+            In its default configuration, pam_cracklib will
+            allow multiple case passwords as short as 6 characters, even with
+            the <parameter>minlen</parameter> value set to 11. You should review
+            the pam_cracklib(8) man page and determine if these default values
+            are acceptable for the security of your system.
+          </para>
+        </note>
+   <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
+   use:</para>
+      <note>
+        <para>
+          In its default configuration, pam_cracklib will
+          allow multiple case passwords as short as 6 characters, even with
+          the <parameter>minlen</parameter> value set to 11. You should review
+          the pam_cracklib(8) man page and determine if these default values
+          are acceptable for the security of your system.
+        </para>
+      </note>
+      <para>
+        If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
+        use:
+      </para>
 <screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
 …
 EOF</userinput></screen>
+      <para>Now add a restrictive <filename>/etc/pam.d/other</filename>
+      configuration file.  With this file, programs that are PAM aware will not
+      run unless a configuration file specifically for that application is
+      created.</para>
+      <para>
+        Now add a restrictive <filename>/etc/pam.d/other</filename>
+        configuration file.  With this file, programs that are PAM aware will
+        not run unless a configuration file specifically for that application
+        is created.
+      </para>
 <screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
 …
         The <application>PAM</application> man page (<command>man
         pam</command>) provides a good starting point for descriptions
+        of fields and allowable entries. The <ulink
+        url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">Linux-PAM
+        System Administrators' Guide</ulink> is recommended for additional
+        information.
+      </para>
+<!-- No longer there
+      <para>
+        Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
+        of various third-party modules available.
+      </para>
+-->
+        of fields and allowable entries. The
+        <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
+          Linux-PAM System Administrators' Guide
+        </ulink> is recommended for additional information.
+      </para>
       <important>
         <para>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 47274444 for postlfs/security/linux-pam.xml

Legend:

postlfs/security/linux-pam.xml

Download in other formats: