On Sat, May 17, 2008 at 10:06:05AM -0700, Mike Bird wrote:
> On Sat May 17 2008 09:34:21 Sven Joachim wrote:
> > On 2008-05-17 17:35 +0200, Digby Tarvin wrote:
> > > One thing that I find rather hard to justify is that even on an Etch
> > > system installed from scratch just a few weeks ago,
> > > /etc/pam.d/common-password has
> > >
> > >   password required pam_unix.so nullok obscure min=4 max=8 md5
> > >
> > > so I can be confidently entering my 200 character uber password
> > > thinking that it is hacker proof, when all the time debian is
> > > truncating it to eight characters... :-/
> >
> > Good catch. If you're the sysadmin, you should change that. If not,
> > convince him to do it.
>
> max= was never intended to limit password lengths and, certainly in Etch
> and Lenny, does not do so. I haven't tested earlier distros.
>
> > > Unless you require it for backward compatibility (because you are
> > > importing passwords from an old (less secure) system) I don't see why you
> > > would want to limit password length at all? (except, of course, to set a
> > > lower limit)
> >
> > Apparently it is for backward-compatibility, yes. The limit has been
> > dropped in pam 0.99.7.1-5, so Lenny will come with a better default.
>
> As of 0.99.7.1-4, pam simply ignores max=. However max=8 will remain in
> /etc/pam.d/common-password of upgraded systems (but not fresh installs)
> because common-password is simply copied from /usr/share/pam on the
> first install.
>
> If you change max= with earlier versions of pam it may have unintended
> consequences.
>
> EXECUTIVE SUMMARY: max=8 is ignored, this is a non-issue, OP can use
> 200 character uber password with confidence.
>
> --Mike Bird
Good to hear, although my Etch system (freshly upgraded) reports:

| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name             Version          Description
+++-================-================-================================================
ii  libpam-modules   0.79-5           Pluggable Authentication Modules for PAM
ii  libpam-runtime   0.79-5           Runtime support for the PAM library
ii  libpam0g         0.79-5           Pluggable Authentication Modules library

and the docs at
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-auth-pam
say

  "Now edit /etc/pam.d/passwd and change the first line. You should add
  the option "md5" to use MD5 passwords, change the minimum length of
  password from 4 to 6 (or more) and set a maximum length, if you desire."

So the situation doesn't seem as clear as it might be.

But a quick test does seem to indicate that I am getting more password
length than the max keyword setting would indicate - even with 0.79-5.

Regards,
DigbyT
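A small audit check, added here as an example and not code from anyone in the thread: it parses lines in the /etc/pam.d/common-password format quoted above and reports any lingering max= option on pam_unix.so password lines, the leftover Mike describes on upgraded systems. The two config texts are constructed samples, one modelled on the Etch default line and one with max= already dropped.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Etch default line quoted in the thread.
ETCH_COMMON_PASSWORD = """\
# /etc/pam.d/common-password (constructed sample, Etch-style)
password   required   pam_unix.so nullok obscure min=4 max=8 md5
"""

# Constructed sample of a file with the max= option already dropped.
CLEAN_COMMON_PASSWORD = """\
password   required   pam_unix.so obscure min=6 md5
"""

# type  control  module  args...  (control may be bracketed: [success=1 default=ignore])
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamUnixPasswordEntry:
    control: str
    options: dict = field(default_factory=dict)  # e.g. "max" -> "8", "md5" -> True


def parse_pam_unix_password(config_text):
    """Return pam_unix.so entries found on 'password' lines, skipping comments and blanks."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if not m or m.group(1).lower() != "password":
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if module.rsplit("/", 1)[-1] != "pam_unix.so":
            continue
        opts = {}
        for arg in args.split():
            key, sep, value = arg.partition("=")
            opts[key] = value if sep else True  # bare flags become True
        entries.append(PamUnixPasswordEntry(control, opts))
    return entries


def audit_max_option(config_text):
    """Findings for a lingering max= option (kept on upgraded systems, per the thread)."""
    findings = []
    for entry in parse_pam_unix_password(config_text):
        if "max" in entry.options:
            findings.append(f"legacy max={entry.options['max']} on pam_unix.so "
                            f"password line ({entry.control}); ignored from pam 0.99.7.1-4")
    return findings


if __name__ == "__main__":
    for name, text in [("etch", ETCH_COMMON_PASSWORD), ("clean", CLEAN_COMMON_PASSWORD)]:
        print(name, audit_max_option(text) or "no legacy max= option")
```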