File: PLATFORMS

package info (click to toggle)
passwdqc 2.0.3-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 512 kB
  • sloc: ansic: 9,510; makefile: 262; php: 35; sh: 10
file content (55 lines) | stat: -rw-r--r-- 2,197 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
Please see the README for instructions common to all platforms and
descriptions of the options mentioned here.


	Linux.

Most modern Linux distributions use Linux-PAM with a password changing
module which understands "use_authtok".  Thus, you may choose which
module prompts for the old password, things should work either way.


	FreeBSD 5+, DragonFly BSD 2.2+.

FreeBSD 5 and newer, as well as DragonFly BSD 2.2 and newer, include
pam_passwdqc in the base system.  You should be able to use either the
included or the distributed separately version of pam_passwdqc with
these systems.  There's a commented out usage example in the default
/etc/pam.d/passwd.

FreeBSD 4 and older used a cut down version of Linux-PAM (not OpenPAM)
and didn't use PAM for password changing.


	OpenBSD.

OpenBSD does not use PAM, however it is able to use passwdqc's pwqcheck
program.  Insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\"
(without the quotes, but with the trailing backslash) into the "default"
section in /etc/login.conf.


	Solaris, HP-UX 11.

On Solaris 2.6, 7, and 8 (without patch 108993-18/108994-18 or later)
and on HP-UX 11, pam_passwdqc has to ask for the old password during
the update phase.  Use "ask_oldauthtok=update check_oldauthtok" with
pam_passwdqc and "use_first_pass" with pam_unix.

On Solaris 8 (with patch 108993-18/108994-18 or later), 9, and 10,
use pam_passwdqc instead of both pam_authtok_get and pam_authtok_check,
and set "retry=1" with pam_passwdqc as the passwd command has its own
handling for that.

You will likely also need to set "max=8" in order to actually enforce
not-so-weak passwords with the obsolete traditional DES-based hashes
that most Solaris systems use and the flawed approach HP-UX uses to
process characters past 8.  Of course this way you only get about one
third of the functionality of pam_passwdqc.  As a better alternative,
on modern Solaris systems you may edit the "CRYPT_DEFAULT=__unix__" line
in /etc/security/policy.conf to read "CRYPT_DEFAULT=2a" to enable the
OpenBSD-style bcrypt (Blowfish-based) password hashing.

There's a wiki page with detailed instructions specific to Solaris:

https://openwall.info/wiki/passwdqc/solaris