search for: pam_pwquality

Displaying 20 results from an estimated 23 matches for "pam_pwquality".

2015 May 08
4
ldap host attribute is ignored
...ccess=ok user_unknown=ignore] pam_sss.so account required pam_permit.so account requisite pam_unix.so try_first_pass account sufficient pam_localuser.so account required pam_sss.so use_first_pass account sufficient pam_localuser.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so password requisite pam_cracklib.so password optional...
2015 May 11
2
ldap host attribute is ignored
...pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 2000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password requisite pam_pwquality.so try_first_pass > local_users_only retry=3 authtok_type= > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > > session optional pam_keyini...
2015 May 11
3
ldap host attribute is ignored
On 05/09/2015 01:24 PM, Jonathan Billings wrote: > Is it normal to have pam_unix and pam_sss twice for each section? No. See my previous message. I think it's the result of copying portions of SuSE configurations.
2015 May 11
0
ldap host attribute is ignored
...irst_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 2000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required...
2015 May 11
0
ldap host attribute is ignored
...pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 2000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > password requisite pam_pwquality.so try_first_pass > local_users_only retry=3 authtok_type= > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > > session optional pam_keyini...
2014 Oct 29
1
samba ssh change password Error was: Wrong password
...account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_winbind.so account required pam_permit.so password requisite pam_pwquality.so pam_cracklib.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_winbind.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke ses...
2015 Feb 02
5
Another Fedora decision
On Mon, Feb 2, 2015 at 4:17 PM, Warren Young <wyml at etr-usa.com> wrote: >> > Let's flip it around: what's your justification *for* weak passwords? > You don't need to write them down. Or trust some 3rd party password keeper to keep them. Whereas when 'not weak' is determined by someone else in the middle of trying to complete something, you are very likely to
2015 Jul 26
4
Fedora change that will probably affect RHEL
On Sat, 25 Jul 2015 11:16:18 -0600 Chris Murphy <lists at colorremedies.com> wrote: > On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote: > > This might show up twice, I think I sent it from a bad address previously. > > If so, please accept my apologies. > > > > > > In Fedora 22, one developer (and only one) decided that if
2015 Feb 03
0
Another Fedora decision
...at etr-usa.com> wrote: >>> >> Let's flip it around: what's your justification *for* weak passwords? >> > You don't need to write them down. The new rules are: 1. At least 8 characters. 2. Nothing that violates the pwquality rules: http://linux.die.net/man/8/pam_pwquality Are you telling me you cannot memorize a series of 8 characters that do not violate those rules? I'm the first to fight boneheaded "password security" schemes like a required change every N weeks, but this is not that. Spend a bit of time, cook up a really good password, and then use it for the...
2015 May 09
0
ldap host attribute is ignored
...ss.so > account required pam_permit.so > account requisite pam_unix.so try_first_pass > account sufficient pam_localuser.so > account required pam_sss.so use_first_pass > account sufficient pam_localuser.so > > password requisite pam_pwquality.so try_first_pass > local_users_only retry=3 authtok_type= > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_sss.so use_authtok > password required pam_deny.so > password requisite pam_crackl...
2015 Jul 28
0
Fedora change that will probably affect RHEL
...ssRightFuckingNow! > "Sorry, you cannot use punctuation." > 1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow > "Sorry, that password is already in use." The new rules are nowhere near that stringent: http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html > Who thinks the password policy in my machines are my concern. Much of the evil on the Internet today - DDoS armies, spam spewers, phishing botnets - is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords. Your freedom to use any pas...
2020 Jul 28
0
kerberos ticket on login problem
...required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_winbind.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session req...
2015 Jul 28
0
Fedora change that will probably affect RHEL
...sy to break, which is not difficult. > And yet the weak password policy is too strong for many > legitimate use cases where the use case/environment aren't high risk > for such passwords. Really? Which of these new rules is onerous? http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
2015 Jul 28
5
Fedora change that will probably affect RHEL
On Tue, Jul 28, 2015 at 11:27 AM, Warren Young <wyml at etr-usa.com> wrote: > Much of the evil on the Internet today - DDoS armies, spam spewers, phishing botnets - is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords. > > Your freedom to use any password you like stops at the point where exercising that freedom creates a risk
2020 Jul 28
2
kerberos ticket on login problem
I'm experimenting with smb + winbind. My host is joined to AD and I can login to my host fine using my AD credentials via SSH. The only issue is that I don't get a Kerberos ticket generated. In /etc/security/pam_winbind.conf I have: krb5_auth = yes krb5_ccache_type = KEYRING In /etc/krb5.conf, I also have: default_ccache_name = KEYRING:persistent:%{uid} Using wbinfo -K jas, then
2015 Feb 03
4
Another Fedora decision
Warren Young wrote: > The new rules are: > > 1. At least 8 characters. > > 2. Nothing that violates the pwquality rules: > > http://linux.die.net/man/8/pam_pwquality The 7 rules listed in this URL seem utterly bizarre to me. The first is "Don't use a palindrome" which makes me wonder if the author knows the meaning of this word. I suspect he/she thinks it means "a known word backwards". Of the remaining 6 rules one is optional ("re...
2019 Apr 11
0
LMTP, PAM session and home directory autocreation
...d pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required...
2019 Apr 09
0
LMTP, PAM session and home directory autocreating
...d pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required...
2015 Jul 29
1
Fedora change that will probably affect RHEL
...yway. >> And yet the weak password policy is too strong for many >> legitimate use cases where the use case/environment aren't high risk >> for such passwords. > > Really? Which of these new rules is onerous? > > http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html All of them. Those rules are absurd to require by default on a computer in a low risk environment. I would never accept such a product that required such login rules. -- Chris Murphy
2015 May 07
2
ldap host attribute is ignored
Thanks a lot for looking over the config. I am at the topic "user data is available" id <username> and getent passwd and ldapsearch -x -b "ou=XXX,o=YYY" uid=<username> give the correct results ldapsearch gives also the correct host attribute i have set in the ldap server. Regarding the manpage of sssd.conf the lines access_provider = ldap ldap_access_order =