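--- a/postlfs/security/linux-pam.xml
+++ b/postlfs/security/linux-pam.xml
@@ -343,9 +343,8 @@
 <literal># Begin /etc/pam.d/system-password
 
-# use sha512 hash for encryption, use shadow, and try to use any previously
-# defined authentication token (chosen password) set by any prior module.
-# Use the same number of rounds as shadow.
-password  required    pam_unix.so       sha512 shadow try_first_pass \
-                                        rounds=500000
+# use yescrypt hash for encryption, use shadow, and try to use any
+# previously defined authentication token (chosen password) set by any
+# prior module.
+password  required    pam_unix.so       yescrypt shadow try_first_pass
 
 # End /etc/pam.d/system-password</literal>
@@ -360,61 +359,4 @@
      </para>
 
-<!-- With the removal of the pam_cracklib module, we're supposed to be using
-     libpwquality. That already includes instructions in its configuration
-     information page, so we'll use those instead.
-
-     Linux-PAM must be installed prior to libpwquality so that PAM support
-     is built in, and the PAM module is built.
--->
-<!-- WARNING: If for any reason the instructions below are reinstated be
-     careful with the number of rounds, which should match the one in shadow.
-      <para>
-        The remaining generic file depends on whether <xref
-        linkend="cracklib"/> is installed.  If it is installed, use:
-      </para>
-
-<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/system-password
-
-# check new passwords for strength (man pam_cracklib)
-password  required    pam_cracklib.so    authtok_type=UNIX retry=1 difok=5 \
-                                         minlen=9 dcredit=1 ucredit=1 \
-                                         lcredit=1 ocredit=1 minclass=0 \
-                                         maxrepeat=0 maxsequence=0 \
-                                         maxclassrepeat=0 \
-                                         dictpath=/lib/cracklib/pw_dict
-# use sha512 hash for encryption, use shadow, and use the
-# authentication token (chosen password) set by pam_cracklib
-# above (or any previous modules)
-password  required    pam_unix.so        sha512 shadow use_authtok
-
-# End /etc/pam.d/system-password</literal>
-EOF</userinput></screen>
-
-      <note>
-        <para>
-          In its default configuration, pam_cracklib will
-          allow multiple case passwords as short as 6 characters, even with
-          the <parameter>minlen</parameter> value set to 11. You should review
-          the pam_cracklib(8) man page and determine if these default values
-          are acceptable for the security of your system.
-        </para>
-      </note>
-
-      <para>
-        If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
-        use:
-      </para>
-
-<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/system-password
-
-# use sha512 hash for encryption, use shadow, and try to use any previously
-# defined authentication token (chosen password) set by any prior module
-password  required    pam_unix.so       sha512 shadow try_first_pass
-
-# End /etc/pam.d/system-password</literal>
-EOF</userinput></screen>
--->
      <para>
        Next, add a restrictive <filename>/etc/pam.d/other</filename>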
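Review bot: The new pam_unix line at new line 348 drops `rounds=` together with the old reminder to keep the work factor in step with shadow, but that coupling does not go away with yescrypt: pam_unix's `rounds=` option sets the yescrypt cost factor, while shadow's own tools (useradd, chpasswd) take theirs from `YESCRYPT_COST_FACTOR` in /etc/login.defs, so if the two differ, passwords set through PAM and through shadow directly end up with different hardness. The old comment should be carried over in yescrypt terms rather than silently removed, e.g. `# Use the same yescrypt cost factor as shadow (YESCRYPT_COST_FACTOR in /etc/login.defs).` I would also hedge in the text that the `yescrypt` keyword is only honoured by a pam_unix built against a libcrypt that supports yescrypt; on an older libcrypt the behaviour is presumably a rejected or ignored option, which is worth a sentence for readers upgrading in place. The enclosing `<screen>`/`<userinput>` element starts before this hunk, so the surrounding heredoc is not visible here.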