This should do it:

/usr/share/pam-configs/passwdqc

    Name: passwdqc password strength checking
    Default: yes
    Priority: 1024
    Conflicts: cracklib [maybe?]
    Password-Type: Primary
    Password:
        requisite pam_passwdqc.so min=disabled,10,6,4,3 similar=deny enforce=users ask_oldauthtok check_oldauthtok

I don't know if the options passed in this example are sensible defaults for the package to ship, I leave that to the maintainer to determine. But regardless of which options are used, I don't see anything here that would make it incompatible with the framework.

Note also that users editing the module arguments in /etc/pam.d/common-password should Just Work™ - this isn't documented, I was still thinking through what the policy should be for per-module debconf questions to let modules hook in more completely.
Manually editing /etc/pam.d/common-password is not the perfect solution. If pam_unix is the only password profile selected, then use_authtok is not specified for it (/usr/share/pam-configs/unix only specifies that option if it's not the initial module). So if I want to make passwdqc work without pam-auth-update, then I first have to add it to the beginning of common-password and then I have to modify the pam-auth-update reserved area to add use_authtok to pam_unix which is quite ugly, compared to how simple it would be to provide a pam-auth-update profile for passwdqc.

About the contents of that pam-config file. I think that no configuration should be specified at all, given how passwdqc is security-related, it comes with sensible (if not overly secure) defaults. So I think that an option-less, debconf-question-less pam-config for passwdqc would just work fine and it would increase usability of this package for average users a lot. This file would be marked as a config file so advanced users could hand-edit this one instead of common-password and dpkg could handle that too. Seems to me as a clean and simple to implement solution.

And pam-auth-update is just an awesome idea so I, for one, would really love to see this happen in the debian package.

--
[ FEJES Jozsef ]
http://joco.name
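Added example, not part of the original thread and not code from the pam or passwdqc packages: a small checker for the two conditions the reply above describes for a hand-edited common-password, namely that pam_passwdqc.so sits ahead of pam_unix.so and that pam_unix.so carries use_authtok. The sample stacks are constructed, the function names are hypothetical, and @include lines are not followed.

```python
import re

# Constructed sample: a password stack hand-edited as the reply describes.
SAMPLE_GOOD = """\
password requisite pam_passwdqc.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so
"""
# Constructed sample: passwdqc added first, pam_unix left without use_authtok.
SAMPLE_BAD = """\
password requisite pam_passwdqc.so
password [success=1 default=ignore] pam_unix.so obscure sha512
"""

# type, control (simple keyword or [value=action ...]), module, arguments
LINE = re.compile(r"^\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def password_stack(text):
    """Return [(module, [args])] for the 'password' lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        m = LINE.match(line)
        if m:
            module = m.group(2).rsplit("/", 1)[-1]   # tolerate absolute paths
            stack.append((module, m.group(3).split()))
    return stack

def check(text):
    """Return a list of problems; an empty list means both conditions hold."""
    stack = password_stack(text)
    names = [name for name, _ in stack]
    problems = []
    for required in ("pam_passwdqc.so", "pam_unix.so"):
        if required not in names:
            problems.append(required + " is not in the password stack")
    if problems:
        return problems
    qc, unix = names.index("pam_passwdqc.so"), names.index("pam_unix.so")
    if qc > unix:
        problems.append("pam_passwdqc.so comes after pam_unix.so")
    if "use_authtok" not in stack[unix][1]:
        problems.append("pam_unix.so lacks use_authtok")
    return problems

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check(text) or "ok")
```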

