Thursday, December 30, 2010

Strengthening PAM

If OpenBSD is one of the most secure operating systems out there, then I think by default Debian should implement stronger passwords.

But I guess we will just have to do it ourselves.

Basically, run the following (this is for Debian Lenny):

apt-get install libpam-cracklib

Edit /etc/pam.d/common-password

Comment out line 24, i.e.:

password   required   pam_unix.so nullok obscure md5

Further down you will see:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512


Remove the comment markers from these two lines. And that's that.


What's interesting is that Debian Squeeze does this automagically.

Personally I would change minlen to 10 and difok to 6.
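To confirm the edit took effect, the script below (an added example, not part of the original post and not a Debian tool) checks the active password lines of a PAM file for pam_cracklib.so with minimum minlen and difok values, and for pam_unix.so using sha512 rather than md5. The function name audit_pam_password and the sample helpers are hypothetical; the sample lines are constructed from the ones shown above.

```shell
#!/bin/sh
# Added example: audit a PAM password stack for the settings discussed above.
# Usage: audit_pam_password FILE [MIN_MINLEN] [MIN_DIFOK]   (hypothetical helper)
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_pam_password() {
    file=$1; findings=""
    note() { findings="${findings}FINDING: $1
"; }   # the embedded newline keeps one finding per line
    # Only active (uncommented) "password" lines count.
    active=$(grep -E '^[[:space:]]*password[[:space:]]' "$file" || true)
    crack=$(printf '%s\n' "$active" | grep 'pam_cracklib\.so' || true)
    unix=$(printf '%s\n' "$active" | grep 'pam_unix\.so' || true)
    if [ -z "$crack" ]; then
        note "pam_cracklib.so is not active"
    else
        for pair in "minlen:${2:-8}" "difok:${3:-3}"; do
            opt=${pair%%:*}; want=${pair##*:}
            val=$(printf '%s\n' "$crack" | sed -n "s/.*[[:space:]]$opt=\([0-9][0-9]*\).*/\1/p" | head -n 1)
            if [ -z "$val" ]; then note "$opt is not set on pam_cracklib.so"
            elif [ "$val" -lt "$want" ]; then note "$opt=$val is below $want"
            fi
        done
    fi
    if [ -z "$unix" ]; then
        note "pam_unix.so is not active"
    else
        if printf '%s\n' "$unix" | grep -qw md5; then note "pam_unix.so still hashes with md5"; fi
        if ! printf '%s\n' "$unix" | grep -qw sha512; then note "pam_unix.so does not request sha512"; fi
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed samples: the Lenny line that gets commented out, and the two lines that replace it.
sample_before() { printf '%s\n' 'password   required   pam_unix.so nullok obscure md5'; }
sample_after() {
    printf '%s\n' 'password requisite pam_cracklib.so retry=3 minlen=8 difok=3' \
        'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512'
}

# Demo on temporary copies of the samples; point it at /etc/pam.d/common-password on a real host.
tmp=$(mktemp)
sample_before > "$tmp"; audit_pam_password "$tmp" || true
sample_after > "$tmp"; audit_pam_password "$tmp" 10 6 || true
rm -f "$tmp"
```

Passing 10 and 6 as the second and third arguments checks against the stricter minlen and difok values suggested above instead of the 8 and 3 in the shipped lines.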


HTH

Brent
