Solaris password requirements not enforced
Darren Tucker
dtucker at zip.com.au
Thu Jul 29 21:28:22 EST 2004
Srinivas Gopaladasu wrote:
> The Solaris password requirements like
> a. no empty password
> b. minimum 6 chars
> etc for a regular user are not enforced when a password expired user is
> changing password at the SSH login prompt.
It would appear that those restrictions are implemented in
/usr/bin/passwd and not the PAM modules. Since sshd just calls
pam_chauthtok(), if PAM allows changing to a short or empty password,
then that's what happens. This is probably a bug or design misfeature
in the Solaris PAM module (others, e.g. LinuxPAM, enforce such restrictions).
You can disable PAM, or force sshd to use passwd instead of chauthtok
with the attached patch.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: chauthtok.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040729/7049cfbd/attachment-0002.ksh
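
An added example, not part of the original post or of OpenSSH: because sshd only calls pam_chauthtok(), the password rules applied at an expired-password login are whatever the PAM password stack enforces. This script parses a pam.conf-style file and reports whether the stack used for a service contains a dedicated quality-checking module. The service name "sshd", the module names in STRENGTH_MODULES and both sample configurations are assumptions constructed for illustration.

```python
import os

# Assumption: modules that perform password quality checks. Adjust per platform.
STRENGTH_MODULES = {"pam_authtok_check.so.1", "pam_cracklib.so"}
ENFORCING_FLAGS = {"required", "requisite"}

def password_stack(conf_text, service):
    """Return [(control_flag, module_name)] for the service's password stack.

    Lines follow: service module_type control_flag module_path [options].
    A service with no password entries falls back to the 'other' entries.
    """
    stacks = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1].lower() != "password":
            continue
        svc, _, flag, path = fields[:4]
        stacks.setdefault(svc.lower(), []).append((flag.lower(), os.path.basename(path)))
    return stacks.get(service.lower()) or stacks.get("other", [])

def audit(conf_text, service="sshd", strength_modules=STRENGTH_MODULES):
    """Report whether pam_chauthtok() for this service hits a quality check."""
    stack = password_stack(conf_text, service)
    enforcing = [m for flag, m in stack
                 if m in strength_modules and flag in ENFORCING_FLAGS]
    return {"modules": [m for _, m in stack], "enforces_quality": bool(enforcing)}

# Constructed sample: one module handles everything, no separate quality check.
WEAK_CONF = """\
# constructed sample
other   password required   /usr/lib/security/pam_unix.so.1
"""

# Constructed sample: a dedicated check module sits in the sshd password stack.
CHECKED_CONF = """\
other   password required   /usr/lib/security/pam_unix.so.1
sshd    password requisite  pam_authtok_get.so.1
sshd    password requisite  pam_authtok_check.so.1
sshd    password required   pam_authtok_store.so.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("checked", CHECKED_CONF)):
        print(name, audit(conf))
```

A result of `enforces_quality: False` means length and emptiness checks depend on the remaining modules themselves, which is the case the post describes.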