On Sat May 17 2008 09:34:21 Sven Joachim wrote:
> On 2008-05-17 17:35 +0200, Digby Tarvin wrote:
> > One thing that I find rather hard to justify is that even on an Etch
> > system installed from scratch just a few weeks ago,
> > /etc/pam.d/common-password has password required pam_unix.so nullok
> > obscure min=4 max=8 md5 so I can be confidently entering my 200 character
> > uber password thinking that it is hacker proof, when all the time debian
> > is truncating it to eight characters... :-/
>
> Good catch. If you're the sysadmin, you should change that. If not,
> convince him to do it.

max= was never intended to limit password lengths and, certainly in Etch and Lenny, does not do so. I haven't tested earlier distros.

> > Unless you require it for backward compatibility (because you are
> > importing passwords from an old (less secure) system) I don't see why you
> > would want to limit password length at all? (except, of course, to set a
> > lower limit)
>
> Apparently it is for backward-compatibility, yes. The limit has been
> dropped in pam 0.99.7.1-5, so Lenny will come with a better default.

As of 0.99.7.1-4, pam simply ignores max=. However max=8 will remain in /etc/pam.d/common-password of upgraded systems (but not fresh installs) because common-password is simply copied from /usr/share/pam on the first install.

If you change max= with earlier versions of pam it may have unintended consequences.

EXECUTIVE SUMMARY: max=8 is ignored, this is a non-issue, OP can use 200 character uber password with confidence.

--Mike Bird
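
An added example, not part of the original message or of Debian's PAM packaging: a small Python check that parses a PAM stack file and reports `pam_unix.so` password rules still carrying the leftover `max=` option discussed above. The sample text is constructed, and the function names `parse_pam` and `stale_max` are hypothetical.

```python
import re

# Constructed sample: the Etch-era line quoted in the thread, plus a variant
# using a bracketed control field and a backslash line continuation.
SAMPLE = """\
# /etc/pam.d/common-password (constructed sample)
password required pam_unix.so nullok obscure min=4 max=8 md5
password [success=1 default=ignore] pam_unix.so obscure \\
    md5 max=8
auth required pam_unix.so nullok_secure
@include common-session
"""

def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each PAM rule."""
    logical, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n                    # first physical line of this rule
        if raw.endswith("\\"):           # backslash joins the next line
            logical += raw[:-1] + " "
            continue
        line = (logical + raw).split("#", 1)[0].strip()
        lineno, logical, start = start, "", None
        if not line or line.startswith("@include"):
            continue
        # Control is either one word or a bracketed [value=action ...] list.
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            kind = m.group(1).lstrip("-").lower()
            yield lineno, kind, m.group(2), m.group(3), m.group(4).split()

def stale_max(text):
    """Return [(lineno, 'max=N')] for pam_unix password rules carrying max=."""
    hits = []
    for lineno, kind, _ctl, module, args in parse_pam(text):
        if kind == "password" and module.rsplit("/", 1)[-1] == "pam_unix.so":
            hits += [(lineno, a) for a in args if a.startswith("max=")]
    return hits

if __name__ == "__main__":
    for lineno, opt in stale_max(SAMPLE):
        print(f"line {lineno}: pam_unix.so password rule has leftover {opt}")
```

To audit a real system, pass the contents of `/etc/pam.d/common-password` to `stale_max` instead of `SAMPLE`.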