Changes in postlfs/security/linux-pam.xml [b9567b04:c0464a8]
postlfs/security/linux-pam.xml
rb9567b04 rc0464a8 343 343 <literal># Begin /etc/pam.d/system-password 344 344 345 # use sha512 hash for encryption, use shadow, and try to use any previously 346 # defined authentication token (chosen password) set by any prior module. 347 # Use the same number of rounds as shadow. 348 password required pam_unix.so sha512 shadow try_first_pass \ 349 rounds=500000 345 # use yescrypt hash for encryption, use shadow, and try to use any 346 # previously defined authentication token (chosen password) set by any 347 # prior module. 348 password required pam_unix.so yescrypt shadow try_first_pass 350 349 351 350 # End /etc/pam.d/system-password</literal> … … 360 359 </para> 361 360 362 <!-- With the removal of the pam_cracklib module, we're supposed to be using363 libpwquality. That already includes instructions in its configuration364 information page, so we'll use those instead.365 366 Linux-PAM must be installed prior to libpwquality so that PAM support367 is built in, and the PAM module is built.368 -->369 <!-- WARNING: If for any reason the instructions below are reinstated be370 careful with the number of rounds, which should match the one in shadow.371 <para>372 The remaining generic file depends on whether <xref373 linkend="cracklib"/> is installed. 
If it is installed, use:374 </para>375 376 <screen role="root"><userinput>cat > /etc/pam.d/system-password << "EOF"377 <literal># Begin /etc/pam.d/system-password378 379 # check new passwords for strength (man pam_cracklib)380 password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \381 minlen=9 dcredit=1 ucredit=1 \382 lcredit=1 ocredit=1 minclass=0 \383 maxrepeat=0 maxsequence=0 \384 maxclassrepeat=0 \385 dictpath=/lib/cracklib/pw_dict386 # use sha512 hash for encryption, use shadow, and use the387 # authentication token (chosen password) set by pam_cracklib388 # above (or any previous modules)389 password required pam_unix.so sha512 shadow use_authtok390 391 # End /etc/pam.d/system-password</literal>392 EOF</userinput></screen>393 394 <note>395 <para>396 In its default configuration, pam_cracklib will397 allow multiple case passwords as short as 6 characters, even with398 the <parameter>minlen</parameter> value set to 11. You should review399 the pam_cracklib(8) man page and determine if these default values400 are acceptable for the security of your system.401 </para>402 </note>403 404 <para>405 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,406 use:407 </para>408 409 <screen role="nodump"><userinput>cat > /etc/pam.d/system-password << "EOF"410 <literal># Begin /etc/pam.d/system-password411 412 # use sha512 hash for encryption, use shadow, and try to use any previously413 # defined authentication token (chosen password) set by any prior module414 password required pam_unix.so sha512 shadow try_first_pass415 416 # End /etc/pam.d/system-password</literal>417 EOF</userinput></screen>418 -->419 361 <para> 420 362 Next, add a restrictive <filename>/etc/pam.d/other</filename>
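Review bot: in the system-password hunk the new line `password required pam_unix.so yescrypt shadow try_first_pass` drops the cost parameter entirely, whereas the line it replaces carried `rounds=500000` with a comment saying to use the same number of rounds as shadow. With no `rounds=` the work factor now comes from pam_unix's built-in default rather than from the value shadow was configured with, so a password set through PAM and one set by the shadow tools can end up hashed at different costs. Either add an explicit `rounds=` matching the yescrypt cost configured for shadow (pam_unix's `rounds=` option also applies to yescrypt per its man page), or state in the rewritten comment that the default cost is used on purpose; as written, the new comment is silent on the subject.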
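Review bot: deleting the whole commented block at 362-418 also removes the two pieces of guidance it carried: the note that pam_cracklib has been replaced by libpwquality, whose page supplies the strength-checking `password` line and which must be built after Linux-PAM so that its PAM module is built, and the WARNING that the number of rounds must match the one in shadow. Since the first hunk removes `rounds=` at the same time, nothing left in this file tells a future editor why the cost was previously pinned. Suggest keeping a short live `<para>` (not a comment) that points the reader to the libpwquality page for the strength-check line, and folding the rounds warning into the comment above the `pam_unix.so` line rather than dropping it.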