
RE: [cobalt-security] RaQ needs to be more picky about passwords



I think (but I'm not positive) that what you're referring to is PAM.  I
checked and my Raq4 uses pam-0.72.

You can really get creative and fancy with PAM so that it uses very
strict passwords.  You can also alter it to authenticate against things
other than /etc/passwd.

However, I don't know if doing this will jibe with the GUI.  If PAM
doesn't like the password you chose, it'll give an error message.  I
don't know if this message will be passed back through to the user and
if it does, will it be of use?

If not, I saw somewhere someone did a neat trick with the shell
specified for a user in /etc/passwd.  It allowed no telnet access, but
when the user tried to telnet in they had the ability to change their
password and that was it.  Once they changed their password, the normal
"bad shell" effect kicks in.

If you really wanted to use stronger passwords and the GUI won't allow
it, you could try something like that.  Just give the users a link such
as <a href="telnet:192.168.1.1">Change password</a> and hope that they
have a default telnet client.  I'm pretty sure every OS after Windows
3.1 had this.

I've strayed from the point a little, so to sum it up, check into PAM.
It really is a great tool.
Matt

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Jeff Lasman
Sent: Sunday, April 14, 2002 4:09 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] RaQ needs to be more picky about
passwords

BobbyT wrote:

> Comments?  Suggestions? Scripts?
> I await your replies.

There's already a program on your RaQ to do that; I don't remember
exactly what it is, but it's called by the passwd program (see "man
passwd").  Sun, or you, could implement it.

To see what I mean, run "passwd" from your nonprivileged user prompt, and
try just typing in your name or a word from the dictionary.

> P.S. Why doesn't the raq allow more than 8 characters in passwords? It
> ignores anything past 8 that you enter.  My root password ended up being
> half the size.

It depends on the RaQ.  RaQ4, as I recall, uses a library that allows
much larger passwords.  However it's easy to generate a secure password
in eight characters, and it's easy to generate an insecure password
using many more characters.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
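
Added example, not part of either message above: a sketch of the "password" stack in /etc/pam.d/passwd, showing a permissive line beside a stack that runs pam_cracklib quality checks and stores MD5 hashes, which removes the 8-character limit of DES crypt raised in the P.S. The module paths, the use of pam_unix.so, and the option values are assumptions; check the documentation shipped with your PAM release before applying them.

```conf
# /etc/pam.d/passwd -- "password" lines only (constructed example)

# Before: no quality check. Without "md5", crypt() uses DES and only
# the first 8 characters of the password count.
#password  required  /lib/security/pam_unix.so shadow nullok

# After: pam_cracklib vets the new password first (dictionary words and
# passwords that are too short or too close to the old one are rejected,
# with up to 3 attempts), then pam_unix stores the accepted password.
password  required  /lib/security/pam_cracklib.so retry=3 minlen=10 difok=3
# use_authtok: reuse the password pam_cracklib accepted, do not prompt again.
# md5: MD5-based hashes, so characters past the 8th are no longer ignored.
password  required  /lib/security/pam_unix.so use_authtok shadow md5
```

Where pam_cracklib applies its default character-class credits, digits, mixed case and punctuation count toward minlen, so the effective minimum length can be shorter than 10. Keep a root shell open while editing the file and test with "passwd" from a non-privileged account.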