On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote:
> On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
> > The upstream default of 6 has been around for at least 5 years, possibly as
> > long as a decade; and the code in question is inactive when pam_unix is
> > linked to cracklib, which I think most distributors other than Debian are
> > doing (we confine the use of libcracklib to the separate pam_cracklib
> > module, to keep cracklib out of base); so there probably isn't any modern
> > justification for this default at all.

> Just curious, what is the rationale for wanting to keep cracklib out of
> base?

Size and complexity. Adding libpam-cracklib to base would be a 2MB increase
in the size of a minimal Debian system on i386, and add 5 packages to the
list of what has to be installed before the user can do something as simple
as set the initial root password.

Also, in terms of modularity, I don't think it makes sense for pam_unix to
link to cracklib anyway when we have a separate pam_cracklib module for that
(whether it's in a separate package or not).

I also think that enabling cracklib password checking is probably not a
reasonable default for single-user systems, because however much we might
like users to use secure passwords, the hassle of disabling cracklib if the
user disagrees with us on this point is enough to make this a very unpleasant
user experience. Maybe if and when we have better up-front documentation of
what the password requirements are we could consider this as a default, but I
don't want users to go through the experience of hitting five different
password strength rules, one-by-one, in the ever-more-frustrating process of
trying to set a password.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/