
List:       netatalk
Subject:    Re: [Netatalk-admins] password change
From:       Stefan Schewe <sschewe () gmx ! de>
Date:       2004-10-28 9:00:15
Message-ID: 731797795.20041028110015 () gmx ! de

Hi!

> Unfortunately it is possible to set passwords shorter than 6
> characters and easy passwords too. After many experiments a possible
> reason occurs to me. The initial afp-process runs as "root" and thus
> the password change runs under root. So cracklib allows changing _any_
> given password.

Yes, that was exactly my problem too. I found the proactive password
strength checking module by John the Ripper. Compilation and
installation were very easy and you are able to set the minimum length
for different character classes. My pam configuration for netatalk
looks like this:

auth       required     pam_unix.so
account    required     pam_unix.so
password   required     pam_passwdqc.so min=disabled,12,12,7,6
password   sufficient   pam_unix.so use_first_pass md5 shadow
session    required     pam_unix.so

Now it's possible to change passwords via Finder but I don't know how
to solve the cracklib problem. Maybe someone else can help you.

> My second question is, how can I restrict password changing? Is it
> possible to allow only specific users to change their password? That
> would be very nice!

Hmm, this would be interesting for me too. On my system I have
restricted "su" and the "passwd" command for trusted users. The first
can be done by putting a line like

auth   required   pam_wheel.so group=benutzer

in /etc/pam.d/su. The second is rather easy to solve. Only change the
unix-permissions of the "passwd"-command so that only one group is
allowed to execute it.
I tried to add the pam_wheel.so module to the pam configuration of
netatalk in different ways but I had no success.
I would like to know if there is a way to restrict password changing
for netatalk via pam.

Thanks for any hints!

Regards,
Stefan
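
Added example (not part of Stefan's message and not code from passwdqc): a simplified Python model of the length rule that min=disabled,12,12,7,6 expresses, following the pam_passwdqc documentation. It assumes ASCII input and the default passphrase word count of 3, and leaves out the module's dictionary, similarity and distinct-character checks; all function names are made up for this illustration.

```python
# Added illustration: simplified model of pam_passwdqc's min= length rule.
# Not passwdqc code; dictionary, similarity and distinct-character checks are omitted.
DISABLED = float("inf")  # stands for the keyword "disabled"

def parse_min(value):
    """Parse N0,N1,N2,N3,N4 as given to min= (hypothetical helper)."""
    parts = value.split(",")
    if len(parts) != 5:
        raise ValueError("min= takes exactly five values")
    mins = [DISABLED if p == "disabled" else int(p) for p in parts]
    if any(a < b for a, b in zip(mins, mins[1:])):
        raise ValueError("each value must be no larger than the preceding one")
    return mins

def count_classes(pw):
    """Classes: digits, lower, upper, other. A leading upper-case letter
    and a trailing digit are not counted."""
    seen = {"digit": 0, "lower": 0, "upper": 0, "other": 0}
    for ch in pw:
        kind = ("digit" if ch.isdigit() else "lower" if ch.islower()
                else "upper" if ch.isupper() else "other")
        seen[kind] += 1
    if pw[0].isupper():
        seen["upper"] -= 1
    if pw[-1].isdigit():
        seen["digit"] -= 1
    return sum(1 for n in seen.values() if n > 0)

def count_words(pw):
    """A word starts wherever a letter follows a non-letter."""
    starts = zip(" " + pw, pw)
    return sum(1 for prev, ch in starts if ch.isalpha() and not prev.isalpha())

def length_rule_accepts(pw, mins, passphrase_words=3):
    """True if pw is long enough for its own class count or any lower one."""
    if not pw:
        return False
    n = len(pw)
    for k in range(count_classes(pw), 0, -1):
        if k >= 3 and n >= mins[k]:          # N3 / N4: three or four classes
            return True
        if k == 2 and (n >= mins[1] or       # N1: two classes
                       (count_words(pw) >= passphrase_words and n >= mins[2])):
            return True                      # N2: passphrase
        if k == 1:
            return n >= mins[0]              # N0: one class
    return False

MINS = parse_min("disabled,12,12,7,6")       # the setting from the message
```

Under this model a password such as "Password1" counts as a single class, because the leading capital and the trailing digit are ignored, and single-class passwords are disabled by the first field.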


