| Openwall Project | /home Owl JtR Pro crypt pam_passwdqc tcb phpass scanlogd popa3d msulogin / Linux BIND / advisories presentations / services donations / wordlists passwords / news community lists wiki CVSweb mirrors signatures | |
| bringing security into open environments | ||
|
Most modern Linux distributions use Linux-PAM with a password changing module which understands "use_authtok". Thus, you may choose which module prompts for the old password, things should work either way.
FreeBSD 5 includes pam_passwdqc in the base system. You should be able to use either the included or the distributed separately version of pam_passwdqc with FreeBSD 5. There's a commented out usage example in the default /etc/pam.d/passwd. FreeBSD 4 and older used a cut down version of Linux-PAM (not OpenPAM) and didn't use PAM for password changing.
On Solaris 2.6, 7, and 8 (without patch 108993-18/108994-18 or later) and on HP-UX 11, pam_passwdqc has to ask for the old password during the update phase. Use "ask_oldauthtok=update check_oldauthtok" with pam_passwdqc and "use_first_pass" with pam_unix.
On Solaris 8 (with patch 108993-18/108994-18 or later), 9, and 10, use pam_passwdqc instead of both pam_authtok_get and pam_authtok_check, and set "retry=1" with pam_passwdqc as the passwd command has its own handling for that.
You will likely also need to set "max=8" in order to actually enforce not-so-weak passwords with the obsolete traditional DES-based hashes that most Solaris systems use and the flawed approach HP-UX uses to process characters past 8. Of course this way you only get about one third of the functionality of pam_passwdqc.
$Owl: Owl/packages/passwdqc/passwdqc/PLATFORMS,v 1.11 2009/10/09 21:49:28 solar Exp $