Message-id: <20070624195204.GT595@linsec.ca>
Date: Sun, 24 Jun 2007 13:52:04 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: owl-users@...ts.openwall.com
Subject: Re: pam_passwdqc and history
* Solar Designer <solar@...nwall.com> [2007-06-24 07:59:12 +0400]:
>> Of course, that doesn't stop legislators from specifying they want or
>> need something like this, so if something like this were to make its
>> way into pam_passwdqc (as, from my understanding, pam_cracklib is what
>> would be doing this, not pam_unix), I think it might make it more
>> palatable to some people (with the appropriate warnings/compile-time
>> disablers, etc.).
>
>I agree, except for one thing:
>
>Of the bundled Linux-PAM modules, pam_unix both consults and updates the
>password history file, whereas pam_cracklib merely consults the file (in
>fact, there's some duplicate code between pam_unix and pam_cracklib).
>So I think that the password history would work with Linux-PAM's
>pam_unix alone and no pam_cracklib. You might want to give this a try.
>If so, replacing pam_cracklib with pam_passwdqc will not prevent the
>password history from working. (However, replacing pam_unix with
>pam_tcb will.) This might make it easier for you to get pam_passwdqc
>into Mandriva.

Ahhhh... ok, I'll play around with this and will see what happens. If
this does work, then pam_passwdqc can definitely replace cracklib
(although I suspect I could make it happen regardless).

>Neither pam_unix nor pam_cracklib are a part of Owl, so this discussion
>is getting somewhat off-topic for owl-users. The aspect that is on
>topic is that wider adoption of components from Owl (such as our PAM
>modules) by other distributions makes our development efforts more
>worthwhile and indirectly helps Owl development.

Fair enough, and thanks for indulging the question on the owl-users
list. =) I very much appreciate the insights. And you're right... I'm
all for a wider adoption of this stuff because I think it's fantastic.
=)

Thanks again.
--
Vincent Danen @ http://linsec.ca/