Displaying 20 results from an estimated 23 matches for "pam_pwquality".
2015 May 08
4
ldap host attribute is ignored
...ccess=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
account sufficient pam_localuser.so
password requisite pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
password requisite pam_cracklib.so
password optional...
2015 May 11
2
ldap host attribute is ignored
...pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 2000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyini...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote:
> Is it normal to have pam_unix and pam_sss twice for each section?
No. See my previous message. I think it's the result of copying
portions of SuSE configurations.
2015 May 11
0
ldap host attribute is ignored
...irst_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 2000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required...
2015 May 11
0
ldap host attribute is ignored
...pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 2000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyini...
2014 Oct 29
1
samba ssh change password Error was: Wrong password
...account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_pwquality.so pam_cracklib.so try_first_pass
local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
ses...
2015 Feb 02
5
Another Fedora decision
On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
> Let's flip it around: what's your justification *for* weak passwords?
>
You don't need to write them down. Or trust some 3rd party password
keeper to keep them. Whereas when 'not weak' is determined by
someone else in the middle of trying to complete something, you are
very likely to
2015 Jul 26
4
Fedora change that will probably affect RHEL
On Sat, 25 Jul 2015 11:16:18 -0600
Chris Murphy <lists at colorremedies.com> wrote:
> On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
> > This might show up twice, I think I sent it from a bad address previously.
> > If so, please accept my apologies.
> >
> >
> > In Fedora 22, one developer (and only one) decided that if
2015 Feb 03
0
Another Fedora decision
...at etr-usa.com> wrote:
>>>
>> Let's flip it around: what's your justification *for* weak passwords?
>>
> You don't need to write them down.
The new rules are:
1. At least 8 characters.
2. Nothing that violates the pwquality rules:
http://linux.die.net/man/8/pam_pwquality
Are you telling me you cannot memorize a series of 8 characters that do not violate those rules?
I'm the first to fight boneheaded "password security" schemes like a required change every N weeks, but this is not that. Spend a bit of time, cook up a really good password, and then use it for the...
2015 May 09
0
ldap host attribute is ignored
...ss.so
> account required pam_permit.so
> account requisite pam_unix.so try_first_pass
> account sufficient pam_localuser.so
> account required pam_sss.so use_first_pass
> account sufficient pam_localuser.so
>
> password requisite pam_pwquality.so try_first_pass
> local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
> password requisite pam_crackl...
2015 Jul 28
0
Fedora change that will probably affect RHEL
...ssRightFuckingNow!
> "Sorry, you cannot use punctuation."
> 1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow
> "Sorry, that password is already in use."
The new rules are nowhere near that stringent:
http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
> Who thinks the password policy in my machines are my concern.
Much of the evil on the Internet today - DDoS armies, spam spewers, phishing botnets - is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
Your freedom to use any pas...
2020 Jul 28
0
kerberos ticket on login problem
...required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
cached_login
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass
local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     req...
2015 Jul 28
0
Fedora change that will probably affect RHEL
...sy to break, which is not difficult.
> And yet the weak password policy is too strong for many
> legitimate use cases where the use case/environment aren't high risk
> for such passwords.
Really? Which of these new rules is onerous?
http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
2015 Jul 28
5
Fedora change that will probably affect RHEL
On Tue, Jul 28, 2015 at 11:27 AM, Warren Young <wyml at etr-usa.com> wrote:
> Much of the evil on the Internet today - DDoS armies, spam spewers, phishing botnets - is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk
2020 Jul 28
2
kerberos ticket on login problem
I'm experimenting with smb + winbind.
My host is joined to AD and I can login to my host fine using my AD
credentials via SSH. The only issue is that I don't get a Kerberos
ticket generated.
In /etc/security/pam_winbind.conf I have:
krb5_auth = yes
krb5_ccache_type = KEYRING
In /etc/krb5.conf, I also have:
default_ccache_name = KEYRING:persistent:%{uid}
Using wbinfo -K jas, then
2015 Feb 03
4
Another Fedora decision
Warren Young wrote:
> The new rules are:
>
> 1. At least 8 characters.
>
> 2. Nothing that violates the pwquality rules:
>
> http://linux.die.net/man/8/pam_pwquality
The 7 rules listed in this URL seem utterly bizarre to me.
The first is "Don't use a palindrome"
which makes me wonder if the author knows the meaning of this word.
I suspect he/she thinks it means "a known word backwards".
Of the remaining 6 rules one is optional ("re...
2019 Apr 11
0
LMTP, PAM session and home directory autocreation
...d pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required...
2019 Apr 09
0
LMTP, PAM session and home directory autocreating
...d pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required...
2015 Jul 29
1
Fedora change that will probably affect RHEL
...yway.
>> And yet the weak password policy is too strong for many
>> legitimate use cases where the use case/environment aren't high risk
>> for such passwords.
>
> Really? Which of these new rules is onerous?
>
> http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
All of them. Those rules are absurd to require by default on a
computer in a low risk environment. I would never accept such a
product that required such login rules.
--
Chris Murphy
2015 May 07
2
ldap host attribute is ignored
Thanks a lot for looking over the config.
I am at the topic "user data is available"
id <username>
and
getent passwd
and
ldapsearch -x -b "ou=XXX,o=YYY" uid=<username>
give the correct results
ldapsearch gives also the correct host attribute I have set in the ldap
server.
Regarding the manpage of sssd.conf the lines
access_provider = ldap
ldap_access_order =