Your message dated Sat, 26 Jul 2008 00:32:32 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Re: login: nullok should be deprecated
has caused the Debian Bug report #162258,
regarding login: nullok should be deprecated
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
162258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=162258
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: login
Version: 1:4.0.3-2
Severity: wishlist
Tags: sid


Hello,

installing 'login' tries to mangle the PAM config files to
significantly lower the bars on what I normally have (every
time :-(   ).

I think that nullok should be abolished, and min/max should be
7/15 at least, and md5 should be on by default ;-)

Please tell me what you think about this.

Thank you!


Best,
--Toni++



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux spruce 2.4.18-686-smp #1 SMP Sun Apr 14 12:07:19 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages login depends on:
ii  libc6                         2.2.5-14.3 GNU C Library: Shared libraries an
ii  libpam-modules                0.72-35    Pluggable Authentication Modules f
ii  libpam0g                      0.72-35    Pluggable Authentication Modules l

-- no debconf information



--- End Message ---
--- Begin Message ---
I don't think there's any cause for deprecating the current use of nullok in
the default PAM config.  NULL passwords are allowed only in two cases:

- a user is allowed to *set* a password (to a non-null value) when no
  password is set, rather than being forbidden to change it
- an account with a null password is allowed to log in only on console
  (i.e., a tty that's been explicitly configured as "secure").

I think both of these are valid and important use cases that we don't want
to disallow.  If you don't like the defaults, you can of course always
change them.  But these options only take effect anyway if you *have* an
account with a null password, which is not the case for accounts created
with the normal management tools.

The other point in this bug, about min/max password lengths, has been
addressed in the lenny release cycle.  There is no longer a max password
length setting, and the minimum password length has been changed to match
the upstream default.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]


--- End Message ---
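
The closing reply notes that `nullok` only has an effect when an account actually has a null password. The following audit sketch is an added example, not part of the original thread or of Debian's tooling; it checks both conditions together. The shadow and PAM lines are constructed sample data, and `nullok_secure` is assumed here to be the pam_unix option behind the "secure tty" behaviour the reply describes.

```python
import re

# Constructed sample data (not from the thread): shadow(5) lines and PAM config lines.
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
guest::14000:0:99999:7:::
kiosk::14000:0:99999:7:::
alice:!:14000:0:99999:7:::
"""
PAM_SAMPLE = """\
# constructed common-auth / common-password style lines
auth     required                    pam_unix.so nullok_secure
password required                    pam_unix.so nullok obscure min=4 max=8 md5
account  [success=1 default=ignore]  pam_unix.so
"""

# type, control (plain word or [bracketed]), module path, optional arguments
PAM_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def null_password_accounts(shadow_text):
    """Names whose password field is empty ('*' and '!' mean locked, not null)."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def pam_unix_null_options(pam_text):
    """(type, option) pairs for pam_unix lines that carry nullok or nullok_secure."""
    found = []
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m["module"].endswith("pam_unix.so"):
            found += [(m["type"], a) for a in m["args"].split()
                      if a in ("nullok", "nullok_secure")]  # nullok_secure: assumed option name
    return found

def audit(shadow_text, pam_text):
    """nullok only has an effect if a null-password account exists, so report both."""
    accounts = null_password_accounts(shadow_text)
    options = pam_unix_null_options(pam_text)
    can_log_in = bool(accounts) and any(t == "auth" for t, _ in options)
    return {"null_accounts": accounts, "pam_options": options, "null_login_possible": can_log_in}

if __name__ == "__main__":
    print(audit(SHADOW_SAMPLE, PAM_SAMPLE))
```

On a real system the inputs would be the contents of `/etc/shadow` (readable by root) and the files under `/etc/pam.d/`.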
