Changeset 78b5501
- Timestamp: 06/01/2015 05:55:07 PM (9 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 12.2, 7.10, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gimp3, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/for-12.3, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/spidermonkey128, xry111/test-20220226, xry111/xf86-video-removal
- Children: 74f20a1
- Parents: 0d12bbe
- Files: 3 edited
introduction/welcome/changelog.xml
r0d12bbe r78b5501 44 44 45 45 --> 46 47 <listitem> 48 <para>June 1st, 2015</para> 49 <itemizedlist> 50 <listitem> 51 <para>[bdubbs] - Move generic PAM configuration from shadow 52 to the PAM section.</para> 53 </listitem> 54 </itemizedlist> 55 </listitem> 46 56 47 57 <listitem> -
postlfs/security/linux-pam.xml
r0d12bbe r78b5501 270 270 271 271 # End /etc/pam.d/other</literal></screen> 272 273 <para>Now set up some generic files. As root:</para> 274 275 <screen role="root"><userinput>cat > /etc/pam.d/system-account << "EOF" 276 <literal># Begin /etc/pam.d/system-account 277 278 account required pam_unix.so 279 280 # End /etc/pam.d/system-account</literal> 281 EOF 282 283 cat > /etc/pam.d/system-auth << "EOF" 284 <literal># Begin /etc/pam.d/system-auth 285 286 auth required pam_unix.so 287 288 # End /etc/pam.d/system-auth</literal> 289 EOF 290 291 cat > /etc/pam.d/system-session << "EOF" 292 <literal># Begin /etc/pam.d/system-session 293 294 session required pam_unix.so 295 296 # End /etc/pam.d/system-session</literal> 297 EOF</userinput></screen> 298 299 <para>The remaining generic file depends on wheather <xref linkend="cracklib"/> 300 is installed. If it is installed, use:</para> 301 302 <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF" 303 <literal># Begin /etc/pam.d/system-password 304 305 # check new passwords for strength (man pam_cracklib) 306 password required pam_cracklib.so type=Linux retry=3 difok=5 \ 307 difignore=23 minlen=9 dcredit=1 \ 308 ucredit=1 lcredit=1 ocredit=1 \ 309 dictpath=/lib/cracklib/pw_dict 310 # use sha512 hash for encryption, use shadow, and use the 311 # authentication token (chosen password) set by pam_cracklib 312 # above (or any previous modules) 313 password required pam_unix.so sha512 shadow use_authtok 314 315 # End /etc/pam.d/system-password</literal> 316 EOF</userinput></screen> 317 318 <note> 319 <para> 320 In its default configuration, pam_cracklib will 321 allow multiple case passwords as short as 6 characters, even with 322 the <parameter>minlen</parameter> value set to 11. You should review 323 the pam_cracklib(8) man page and determine if these default values 324 are acceptable for the security of your system. 
325 </para> 326 </note> 327 328 <para>If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed, 329 use:</para> 330 331 <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF" 332 <literal># Begin /etc/pam.d/system-password 333 334 # use sha512 hash for encryption, use shadow, and try to use any previously 335 # defined authentication token (chosen password) set by any prior module 336 password required pam_unix.so sha512 shadow try_first_pass 337 338 # End /etc/pam.d/system-password</literal> 339 EOF</userinput></screen> 272 340 273 341 <para> -
postlfs/security/shadow.xml
r0d12bbe r78b5501 337 337 338 338 <sect4> 339 <title>'system-account'</title>340 341 <screen role="root"><userinput>cat > /etc/pam.d/system-account << "EOF"342 <literal># Begin /etc/pam.d/system-account343 344 account required pam_unix.so345 346 # End /etc/pam.d/system-account</literal>347 EOF</userinput></screen>348 </sect4>349 350 <sect4>351 <title>'system-auth'</title>352 353 <screen role="root"><userinput>cat > /etc/pam.d/system-auth << "EOF"354 <literal># Begin /etc/pam.d/system-auth355 356 auth required pam_unix.so357 358 # End /etc/pam.d/system-auth</literal>359 EOF</userinput></screen>360 </sect4>361 362 <sect4>363 <title>'system-passwd' (with cracklib)</title>364 365 <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"366 <literal># Begin /etc/pam.d/system-password367 368 # check new passwords for strength (man pam_cracklib)369 password required pam_cracklib.so type=Linux retry=3 difok=5 \370 difignore=23 minlen=9 dcredit=1 \371 ucredit=1 lcredit=1 ocredit=1 \372 dictpath=/lib/cracklib/pw_dict373 # use sha512 hash for encryption, use shadow, and use the374 # authentication token (chosen password) set by pam_cracklib375 # above (or any previous modules)376 password required pam_unix.so sha512 shadow use_authtok377 378 # End /etc/pam.d/system-password</literal>379 EOF</userinput></screen>380 381 <note>382 <para>383 In its default configuration, owing to credits, pam_cracklib will384 allow multiple case passwords as short as 6 characters, even with385 the <parameter>minlen</parameter> value set to 11. 
You should review386 the pam_cracklib(8) man page and determine if these default values387 are acceptable for the security of your system.388 </para>389 </note>390 </sect4>391 392 <sect4>393 <title>'system-passwd' (without cracklib)</title>394 395 <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"396 <literal># Begin /etc/pam.d/system-password397 398 # use sha512 hash for encryption, use shadow, and try to use any previously399 # defined authentication token (chosen password) set by any prior module400 password required pam_unix.so sha512 shadow try_first_pass401 402 # End /etc/pam.d/system-password</literal>403 EOF</userinput></screen>404 </sect4>405 406 <sect4>407 <title>'system-session'</title>408 409 <screen role="root"><userinput>cat > /etc/pam.d/system-session << "EOF"410 <literal># Begin /etc/pam.d/system-session411 412 session required pam_unix.so413 414 # End /etc/pam.d/system-session</literal>415 EOF</userinput></screen>416 </sect4>417 418 <sect4>419 339 <title>'login'</title> 420 340
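Review bot: In postlfs/security/linux-pam.xml, the <note> added after the cracklib variant of system-password says short passwords are accepted "even with the minlen value set to 11", but the file written just above it sets minlen=9, and the move dropped the words "owing to credits" that the removed shadow.xml text carried. Align the number with the configuration and restore that phrase, so the reader can tie the warning to the dcredit=1 ucredit=1 lcredit=1 ocredit=1 settings in the same block. The new lead-in paragraph also misspells "whether" as "wheather".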
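Review bot: In postlfs/security/shadow.xml, the five sect4 blocks for system-account, system-auth, system-password (both variants) and system-session are removed with nothing added in their place, so a reader who works through this page from the 'login' sect4 onward gets no pointer that those files are now created on the Linux-PAM page. Add a sentence with an xref to that page ahead of the 'login' block, stating that the generic system-* files must already exist before the remaining files are written.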