-
Notifications
You must be signed in to change notification settings - Fork 17
/
PLATFORMS
55 lines (38 loc) · 2.15 KB
/
PLATFORMS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Please see the README for instructions common to all platforms and
descriptions of the options mentioned here.
Linux.
Most modern Linux distributions use Linux-PAM with a password changing
module which understands "use_authtok". Thus, you may choose which
module prompts for the old password, things should work either way.
FreeBSD 5+, DragonFly BSD 2.2+.
FreeBSD 5 and newer, as well as DragonFly BSD 2.2 and newer, include
pam_passwdqc in the base system. You should be able to use either the
included or the distributed separately version of pam_passwdqc with
these systems. There's a commented out usage example in the default
/etc/pam.d/passwd.
FreeBSD 4 and older used a cut down version of Linux-PAM (not OpenPAM)
and didn't use PAM for password changing.
OpenBSD.
OpenBSD does not use PAM, however it is able to use passwdqc's pwqcheck
program. Insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\"
(without the quotes, but with the trailing backslash) into the "default"
section in /etc/login.conf.
Solaris, HP-UX 11.
On Solaris 2.6, 7, and 8 (without patch 108993-18/108994-18 or later)
and on HP-UX 11, pam_passwdqc has to ask for the old password during
the update phase. Use "ask_oldauthtok=update check_oldauthtok" with
pam_passwdqc and "use_first_pass" with pam_unix.
On Solaris 8 (with patch 108993-18/108994-18 or later), 9, and 10,
use pam_passwdqc instead of both pam_authtok_get and pam_authtok_check,
and set "retry=1" with pam_passwdqc as the passwd command has its own
handling for that.
You will likely also need to set "max=8" in order to actually enforce
not-so-weak passwords with the obsolete traditional DES-based hashes
that most Solaris systems use and the flawed approach HP-UX uses to
process characters past 8. Of course this way you only get about one
third of the functionality of pam_passwdqc. As a better alternative,
on modern Solaris systems you may edit the "CRYPT_DEFAULT=__unix__" line
in /etc/security/policy.conf to read "CRYPT_DEFAULT=2a" to enable the
OpenBSD-style bcrypt (Blowfish-based) password hashing.
There's a wiki page with detailed instructions specific to Solaris:
https://openwall.info/wiki/passwdqc/solaris