Re: Debian secure by default?

On Sat May 17 2008 09:34:21 Sven Joachim wrote:
> On 2008-05-17 17:35 +0200, Digby Tarvin wrote:
>> One thing that I find rather hard to justify is that even on an Etch
>> system installed from scratch just a few weeks ago,
>> /etc/pam.d/common-password has
>>
>>   password required pam_unix.so nullok obscure min=4 max=8 md5
>>
>> so I can be confidently entering my 200 character uber password
>> thinking that it is hacker proof, when all the time Debian is
>> truncating it to eight characters... :-/
>
> Good catch. If you're the sysadmin, you should change that. If not,
> convince him to do it.

max= was never intended to limit password lengths and, certainly in Etch
and Lenny, does not do so. I haven't tested earlier distros.

>> Unless you require it for backward compatibility (because you are
>> importing passwords from an old (less secure) system) I don't see why you
>> would want to limit password length at all? (except, of course, to set a
>> lower limit)
>
> Apparently it is for backward-compatibility, yes. The limit has been
> dropped in pam 0.99.7.1-5, so Lenny will come with a better default.

As of 0.99.7.1-4, pam simply ignores max=. However, max=8 will remain in
/etc/pam.d/common-password of upgraded systems (but not fresh installs)
because common-password is simply copied from /usr/share/pam on the
first install.

If you change max= with earlier versions of pam it may have unintended
consequences.

EXECUTIVE SUMMARY: max=8 is ignored, this is a non-issue, OP can use a
200 character uber password with confidence.

--Mike Bird
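An added example, not part of this thread or of Debian's pam packaging: a small audit of the pam_unix.so options on a pam.d password line, using the Etch default line quoted above and a constructed Lenny-style line (the sample lines and the function names are my own). It flags nullok, a leftover max=, and the absence of any hash option (pam_unix then falls back to traditional DES crypt, which really does use only the first 8 characters).

```python
"""Audit a pam.d 'password' line for the pam_unix.so options discussed above."""

# Constructed samples: the Etch default line from the thread, and a
# Lenny-style line with max= dropped and sha512 instead of md5.
ETCH_LINE = "password required pam_unix.so nullok obscure min=4 max=8 md5"
LENNY_LINE = "password required pam_unix.so obscure sha512"

# pam_unix options that select a non-DES hash (DES is the default otherwise).
HASH_OPTS = ("md5", "sha256", "sha512", "bigcrypt", "blowfish")


def parse_pam_line(line):
    """Split a pam.d line into (type, control, module, {option: value})."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a PAM config line: %r" % line)
    ptype, control, module = fields[:3]
    opts = {}
    for arg in fields[3:]:
        key, _, value = arg.partition("=")
        opts[key] = value if value else True   # flag options map to True
    return ptype, control, module, opts


def audit_common_password(line):
    """Return a list of findings for a 'password' line using pam_unix.so."""
    ptype, control, module, opts = parse_pam_line(line)
    if ptype != "password" or not module.endswith("pam_unix.so"):
        return ["not a pam_unix password line"]
    findings = []
    if "nullok" in opts:
        findings.append("nullok: empty passwords are accepted")
    if "max" in opts:
        # Per the thread, pam >= 0.99.7.1-4 ignores max=; it survives only
        # in configs copied at first install and then upgraded.
        findings.append("max=%s present: ignored by current pam_unix, "
                        "leftover from an upgraded config" % opts["max"])
    if not any(h in opts for h in HASH_OPTS):
        # No hash option means traditional DES crypt: only the first
        # 8 characters of the password are used.
        findings.append("no hash option: DES crypt truncates passwords to 8 chars")
    if "obscure" not in opts:
        findings.append("obscure missing: no simple-password checks")
    return findings


if __name__ == "__main__":
    for sample in (ETCH_LINE, LENNY_LINE):
        print(sample, "->", audit_common_password(sample) or ["no findings"])
```

To run it against a real system, feed each non-comment line of /etc/pam.d/common-password to audit_common_password.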
