[pam] Désormais, passwd change les mots de passe ldap avec cracklib
This commit is contained in:
Pierre-Elliott Bécue
parent
a6875590fd
commit
ec3370be18
2 changed files with 15 additions and 20 deletions
|
|
@ -6,7 +6,7 @@
|
||||||
<Group name="ssh">
|
<Group name="ssh">
|
||||||
<Service name="ssh"/>
|
<Service name="ssh"/>
|
||||||
</Group>
|
</Group>
|
||||||
<Group name="db-server">
|
<Group name="ldap">
|
||||||
<Package name="libpam-cracklib"/>
|
<Package name="libpam-cracklib"/>
|
||||||
</Group>
|
</Group>
|
||||||
</Bundle>
|
</Bundle>
|
||||||
|
|
|
||||||
|
|
@ -41,23 +41,18 @@ pam-auth-update(8) for details.
|
||||||
@# uncomment the next two in order to use this.
|
@# uncomment the next two in order to use this.
|
||||||
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
|
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
|
||||||
|
|
||||||
if not has('wheezy'):
|
@# here are the per-package modules (the "Primary" block)
|
||||||
if has('ldap'):
|
if has('ldap'):
|
||||||
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
|
@password requisite pam_cracklib.so retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=1 reject_username gecoscheck enforce_for_root difok=0
|
||||||
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
|
@password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
|
||||||
|
print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
|
||||||
else:
|
else:
|
||||||
@# here are the per-package modules (the "Primary" block)
|
@password [success=1 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
|
||||||
if has('ldap'):
|
@# here's the fallback if no module succeeds
|
||||||
@password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
|
@password requisite pam_deny.so
|
||||||
print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
|
@# prime the stack with a positive return value if there isn't one already;
|
||||||
else:
|
@# this avoids us returning an error just because nothing sets a success code
|
||||||
@password [success=1 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
|
@# since the modules above will each just jump around
|
||||||
@# here's the fallback if no module succeeds
|
@password required pam_permit.so
|
||||||
@password requisite pam_deny.so
|
@# and here are more per-package modules (the "Additional" block)
|
||||||
@# prime the stack with a positive return value if there isn't one already;
|
@# end of pam-auth-update config
|
||||||
@# this avoids us returning an error just because nothing sets a success code
|
|
||||||
@# since the modules above will each just jump around
|
|
||||||
@password required pam_permit.so
|
|
||||||
@# and here are more per-package modules (the "Additional" block)
|
|
||||||
@# end of pam-auth-update config
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue