Diffstat (limited to 'contrib/pam_modules/pam_passwdqc/PLATFORMS')
-rw-r--r-- contrib/pam_modules/pam_passwdqc/PLATFORMS 51
1 files changed, 38 insertions, 13 deletions
diff --git a/contrib/pam_modules/pam_passwdqc/PLATFORMS b/contrib/pam_modules/pam_passwdqc/PLATFORMS
index 35176e67e749..f468f233a866 100644
--- a/contrib/pam_modules/pam_passwdqc/PLATFORMS
+++ b/contrib/pam_modules/pam_passwdqc/PLATFORMS
@@ -9,22 +9,47 @@ module which understands "use_authtok". Thus, you may choose which
module prompts for the old password, things should work either way.
- FreeBSD.
+ FreeBSD 5+, DragonFly BSD 2.2+.
-As of this writing (April 2002), FreeBSD-current is moving to OpenPAM
-which pam_passwdqc already includes support for. The next step would
-be for FreeBSD to start actually using PAM from password changing.
-Once that becomes a reality, you should be able to use pam_passwdqc
-with FreeBSD.
+FreeBSD 5 and newer, as well as DragonFly BSD 2.2 and newer, include
+pam_passwdqc in the base system. You should be able to use either the
+included or the distributed separately version of pam_passwdqc with
+these systems. There's a commented out usage example in the default
+/etc/pam.d/passwd.
+FreeBSD 4 and older used a cut down version of Linux-PAM (not OpenPAM)
+and didn't use PAM for password changing.
- Solaris.
-pam_passwdqc has to ask for the old password during the update phase.
-Use "ask_oldauthtok=update check_oldauthtok" with pam_passwdqc and
-"use_first_pass" with pam_unix.
+ OpenBSD.
+
+OpenBSD does not use PAM, however it is able to use passwdqc's pwqcheck
+program. Insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\"
+(without the quotes, but with the trailing backslash) into the "default"
+section in /etc/login.conf.
+
+
+ Solaris, HP-UX 11.
+
+On Solaris 2.6, 7, and 8 (without patch 108993-18/108994-18 or later)
+and on HP-UX 11, pam_passwdqc has to ask for the old password during
+the update phase. Use "ask_oldauthtok=update check_oldauthtok" with
+pam_passwdqc and "use_first_pass" with pam_unix.
+
+On Solaris 8 (with patch 108993-18/108994-18 or later), 9, and 10,
+use pam_passwdqc instead of both pam_authtok_get and pam_authtok_check,
+and set "retry=1" with pam_passwdqc as the passwd command has its own
+handling for that.
You will likely also need to set "max=8" in order to actually enforce
-not-so-weak passwords with the obsolete "traditional" crypt(3) hashes
-that most Solaris systems use. Of course this way you only get about
-one third of the functionality of pam_passwdqc.
+not-so-weak passwords with the obsolete traditional DES-based hashes
+that most Solaris systems use and the flawed approach HP-UX uses to
+process characters past 8. Of course this way you only get about one
+third of the functionality of pam_passwdqc. As a better alternative,
+on modern Solaris systems you may edit the "CRYPT_DEFAULT=__unix__" line
+in /etc/security/policy.conf to read "CRYPT_DEFAULT=2a" to enable the
+OpenBSD-style bcrypt (Blowfish-based) password hashing.
+
+There's a wiki page with detailed instructions specific to Solaris:
+
+https://openwall.info/wiki/passwdqc/solaris
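
Review bot: In the "Solaris, HP-UX 11" section, the retained paragraph starting "You will likely also need to set "max=8"" now follows the new paragraph about Solaris 8 (with the patch), 9, and 10, while its reworded text also covers HP-UX, so it is unclear whether "also" applies to both configurations or only to the second one; say explicitly which systems need "max=8". The "CRYPT_DEFAULT=2a" alternative should add that "max=8" is then no longer wanted, and that existing DES-based hashes stay in place until each password is next changed, since the setting only affects newly set passwords. "modern Solaris systems" would be easier to act on with versions named, as the rest of the section does. In the OpenBSD entry the path /usr/bin/pwqcheck is hard-coded in the login.conf line; a short remark to adjust it to wherever pwqcheck is actually installed would help.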