> by you, not me. It still has min/max to 4/8 and nullok on, in
> common-password, which I definitely don't consider to be safe.

It's up to you to convince the maintainer of libpam-runtime. So far, Sam appeared to me as quite wise, so these choices probably haven't been made without thinking.

> > Indeed, given the default contents of these files, which appear very
> > safe to me, I think this bug should be closed as pointless.
>
> So eg. having null passwords is very safe to you? I have a really hard
> time following you there...

common-password:

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
password required pam_unix.so nullok obscure min=4 max=8 md5

common-auth:

auth required pam_unix.so nullok_secure

My poor PAM knowledge tells me that this means that null passwords are accepted only when logging in from a secure tty. Otherwise, such logins are rejected.

This, just like min=4,max=8, seems a good compromise for provided defaults, especially when these can of course be overridden easily by local changes.

Sam, it's in your hands... maybe 4-char passwords are really too short these days.

Another option is having this discussed with the Technical Committee.

(btw, Sam, I'll soon revive the good old #166718 bug about adding users to "useful" groups... probably by launching a discussion again in debian-ctte. I guess you will be somewhat concerned again as PAM maintainer)
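
An added example, not part of the original message and not code from libpam-runtime: a small Python check that parses the two default lines quoted above and reports the pam_unix options under discussion (nullok, nullok_secure, and a min= below a local floor). The function names and the 8-character floor are assumptions chosen for illustration.

```python
import os
import re

# Constructed sample input: the default lines quoted in the message above.
SAMPLE = {
    "common-password": (
        '# The "nullok" option allows users to change an empty password, else\n'
        "# empty passwords are treated as locked accounts.\n"
        "password required pam_unix.so nullok obscure min=4 max=8 md5\n"
    ),
    "common-auth": "auth required pam_unix.so nullok_secure\n",
}

MIN_LENGTH_FLOOR = 8  # assumption: local policy value, not taken from the page

# type, control (plain word or [bracketed] form), module, remaining arguments
PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_line(line):
    """Return (type, control, module, args) or None for comments, blanks, @include."""
    match = PAM_LINE.match(line.split("#", 1)[0].strip())
    if not match:
        return None
    return match.group(1), match.group(2), match.group(3), match.group(4).split()


def audit(name, text, floor=MIN_LENGTH_FLOOR):
    """List (file, line number, option) for each pam_unix option worth reviewing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if parsed is None or os.path.basename(parsed[2]) != "pam_unix.so":
            continue
        ptype, args = parsed[0].lstrip("-"), parsed[3]
        for arg in args:
            key, _, value = arg.partition("=")
            if key in ("nullok", "nullok_secure"):
                findings.append((name, lineno, key))  # empty passwords tolerated
            elif key == "min" and ptype == "password" and value.isdigit():
                if int(value) < floor:
                    findings.append((name, lineno, arg))  # minimum below floor
    return findings


if __name__ == "__main__":
    for fname, content in SAMPLE.items():
        for finding in audit(fname, content):
            print("%s:%d: review %s" % finding)
```

Passing the contents of a locally modified common-password or common-auth to audit() shows whether local changes have removed the options the thread is arguing about.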