On Thursday, March 20, 2014 07:28:34 AM Trey Henefield wrote:
> Nobody has seemed to respond to this. But this is an issue.
>
> In /etc/login.defs, I have PASS_MIN_LEN set to 14, yet as a user, I can set
> the following password 56tyghbn%^TY which only has 12 characters via the
> passwd command.

In our common criteria setup, we have annotated the login.defs file with the following:

# The evaluated configuration constraints are:
# PASS_MAX_DAYS MAY be changed, must be <= 60
# PASS_MAX_DAYS MAY be changed, 0 < PASS_MIN_DAYS < PASS_MAX_DAYS
# PASS_MIN_LEN has no effect in the evaluated configuration
# PASS_WARN_AGE MAY be changed

Note...has no effect...

The intended way can be seen in system-auth:

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

Of these, cracklib is responsible for enforcing password policy. Checking its man page, it has something called minlen. Looking at the RHEL5 USGCB settings, this is in fact how it's set:

sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth

So, to have 14, alter the above settings to correct it.

-Steve
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
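The thread's point is that PASS_MIN_LEN in login.defs is not what enforces length on this configuration; the minlen argument on the pam_cracklib.so line is. The script below is an added example (not Steve's code and not part of the scap-security-guide project) that audits a copy of system-auth for a minlen of at least 14 and applies the USGCB-style sed from the thread when it is missing, or rewrites an existing lower value in place so the option is never duplicated on the line. The sample system-auth fragment, WANT_MINLEN and the function names are constructed for the example; it assumes GNU sed (for -i) and the RHEL5/6 three-line password stack quoted above.

```shell
#!/bin/sh
# Added example: audit/remediate pam_cracklib minlen in a system-auth file.
# Operates on whatever path it is given, so it can be run against a copy
# before touching the live /etc/pam.d/system-auth.

WANT_MINLEN=14   # constructed target for this example

# Write a constructed system-auth fragment (pre-hardening) to the given path.
make_sample() {
    cat > "$1" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
}

# Print the minlen value on the pam_cracklib.so line; prints nothing if unset.
get_minlen() {
    grep 'pam_cracklib.so' "$1" | sed -n 's/.*[[:space:]]minlen=\([0-9][0-9]*\).*/\1/p'
}

# Audit: succeed only if minlen is set and is at least WANT_MINLEN.
check_minlen() {
    v=$(get_minlen "$1")
    [ -n "$v" ] && [ "$v" -ge "$WANT_MINLEN" ]
}

# Remediate: raise an existing minlen in place, otherwise add the full
# USGCB argument set from the thread after retry=3.
fix_minlen() {
    if [ -n "$(get_minlen "$1")" ]; then
        sed -i "/pam_cracklib.so/s/minlen=[0-9]*/minlen=$WANT_MINLEN/" "$1"
    else
        sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=$WANT_MINLEN dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" "$1"
    fi
}

# Stand-alone run against a temporary copy, never the live PAM config.
if [ -z "$NO_DEMO" ]; then
    f=$(mktemp)
    make_sample "$f"
    check_minlen "$f" || echo "before: minlen=[$(get_minlen "$f")] fails audit"
    fix_minlen "$f"
    check_minlen "$f" && echo "after:  minlen=$(get_minlen "$f") passes audit"
    rm -f "$f"
fi
```

Run it with NO_DEMO=1 sourced into a checker to reuse the functions against /etc/pam.d/system-auth; the in-place branch matters because re-running the original sed on an already-edited line would append a second minlen= to the same module line.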
