Password Security and /etc/default/passwd

A couple of questions regarding pam_authtok_check and friends.

1) What does the NAMECHECK variable in /etc/default/passwd actually do?
   The documentation in the passwd(1) simply repeats the same text found
   in /etc/default/passwd, which simply says "do login name checking".
   What kind of checking is that then?

2) Where is the password history to deal with variables such as
   MAXREPEATS kept?  Are just the hashes stored? If so, do I break this
   if I change crypt algorithms?

3) If just the hashes are stored, how does MINDIFF work?

As always, I'm looking for actual answers so if you don't know, please
don't guess.  Pointers to manuals or source welcome.

Cheers,

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
Ceri
10/26/2005 1:58:25 PM
comp.unix.solaris

On 2005-10-26, Ceri Davies <ceri_usenet@submonkey.net> wrote:
> A couple of questions regarding pam_authtok_check and friends.

I gave in and read the code.  Assuming that none of this changed in
OpenSolaris, here's what Solaris 10 does for the record:

> 1) What does the NAMECHECK variable in /etc/default/passwd actually do?
>    The documentation in the passwd(1) simply repeats the same text found
>    in /etc/default/passwd, which simply says "do login name checking".
>    What kind of checking is that then?

This is a check that the password is not a circular shift of the login
name.

> 2) Where is the password history to deal with variables such as
>    MAXREPEATS kept?  Are just the hashes stored? If so, do I break this
>    if I change crypt algorithms?

I actually meant HISTORY here, and the answer is that the old password
crypts are stored in /etc/security/passhistory, and yes, it breaks if
you change crypt algorithms.

> 3) If just the hashes are stored, how does MINDIFF work?

passwd(1) compares the new password with the old password that the user
entered.

Ceri
-- 
Only two things are infinite, the universe and human stupidity, and I'm
not sure about the former.			  -- Einstein (attrib.)
Ceri
10/27/2005 11:36:33 AM
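
The circular-shift test described in the answer to question 1, written out as an added example; it is not part of the original thread and is not the Solaris source. The function name, the fold_case option and the sample strings are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the Solaris code): true when `password` equals
 * `login` rotated left by some number of positions, zero included.
 * fold_case is an assumption of this example: when set, letters are
 * compared case-insensitively. */
bool is_circular_shift(const char *login, const char *password, bool fold_case)
{
    size_t n = strlen(login);

    /* A rotation preserves length; an empty login matches nothing. */
    if (n == 0 || strlen(password) != n)
        return false;

    for (size_t shift = 0; shift < n; shift++) {
        size_t i;
        for (i = 0; i < n; i++) {
            unsigned char a = (unsigned char)login[(shift + i) % n];
            unsigned char b = (unsigned char)password[i];
            if (fold_case) {
                a = (unsigned char)tolower(a);
                b = (unsigned char)tolower(b);
            }
            if (a != b)
                break;
        }
        if (i == n)
            return true;    /* every position matched at this shift */
    }
    return false;
}

int main(void)
{
    /* Constructed sample inputs: rotations, the reversal, a suffixed name. */
    const char *login = "ceri";
    const char *tries[] = { "ceri", "eric", "rice", "ERIC", "irec", "ceri1" };
    for (size_t k = 0; k < sizeof tries / sizeof tries[0]; k++)
        printf("%-6s exact=%d folded=%d\n", tries[k],
               is_circular_shift(login, tries[k], false),
               is_circular_shift(login, tries[k], true));
    return 0;
}
```

In this example only exact rotations are flagged: the reversed name ("irec") and the name with a suffix ("ceri1") pass, so a rotation test on its own says nothing about those candidates.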