-rw-r--r-- | NEWS | 23
-rw-r--r-- | changelog | 7
-rw-r--r-- | local/common-password | 19
-rw-r--r-- | local/common-password.md5sums | 1
4 files changed, 43 insertions, 7 deletions
@@ -0,0 +1,23 @@ +pam (0.99.7.1-5) unstable; urgency=low + + * Default Unix minimum password length has changed + + Previous versions of pam_unix on Debian had a built-in minimum password + length of 1 character, and a minimum password length configured in + /etc/pam.d/common-password of 4 characters. This differed from the + upstream default of 6 characters. This has been changed, so the + default /etc/pam.d/common-password no longer overrides the compile-time + default and the compile-time default has been raised to 6 characters. + If you are using pam_unix but are not using the default + /etc/pam.d/common-password file, it is recommended that you drop any + min= options to pam_unix from your config unless you have stronger + local password requirements that the upstream default. + + The password length 'max' option has also been deprecated in this + version because it was never written to work as suggested in the + documentation. If you are using pam_unix but are not using the default + /etc/pam.d/common-password file, you should remove any old max= options + to pam_unix from your config as this option will be considered an error + in future versions of pam. + + -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 21:27:11 -0700 @@ -9,8 +9,13 @@ pam (0.99.7.1-5) UNRELEASED; urgency=low * Further cleanups of 007_modules_pam_unix -- don't use a global variable for pass_min_len, don't gratuitously move the length checking into the "obscure" checks, and internationalize the error strings. + * Stop overriding the built-in default minimum password length in + /etc/pam.d/common-password, and also drop the "max" option which has now + been obsoleted. + * Fix up the comments in /etc/pam.d/common-password to make it clear that + the options are specific to pam_unix. Closes: #414559. - -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 10:59:34 -0700 + -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 11:42:08 -0700 pam (0.99.7.1-4) unstable; urgency=low 
diff --git a/local/common-password b/local/common-password index 9025f6b0..45959eb5 100644 --- a/local/common-password +++ b/local/common-password @@ -2,19 +2,26 @@ # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, -# and should contain a list of modules that define the services to be -#used to change user passwords. The default is pam_unix +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. +# Explanation of pam_unix options: +# # The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. # -# (Add `md5' after the module name to enable MD5 passwords) +# The "md5" option enables MD5 passwords. Without this option, the +# default is Unix crypt. # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in -# login.defs. Also the "min" and "max" options enforce the length of the -# new password. +# login.defs. +# +# You can also use the "min" option to enforce the length of the new +# password. +# +# See the pam_unix manpage for other options. -password required pam_unix.so nullok obscure min=4 max=8 md5 +password required pam_unix.so nullok obscure md5 # Alternate strength checking for password. Note that this # requires the libpam-cracklib package to be installed. diff --git a/local/common-password.md5sums b/local/common-password.md5sums index b5bde1d4..569ca682 100644 --- a/local/common-password.md5sums +++ b/local/common-password.md5sums @@ -1 +1,2 @@ 601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password +e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password |
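Review bot: in the NEWS hunk, the end of the first paragraph reads "stronger local password requirements that the upstream default"; "that" should be "than". The same paragraph recommends dropping min= options from a customised /etc/pam.d/common-password, but it does not spell out that a file still carrying the old min=4 keeps a 4-character minimum, below the new compile-time default of 6. Stating that consequence would make the recommendation harder to skip.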
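Review bot: in the changelog hunk, the new bullet "Stop overriding the built-in default minimum password length" does not say that the effective minimum for the default configuration goes from 4 to 6 characters, which the NEWS entry in the same commit describes. Add the numbers or a pointer to NEWS so the behaviour change is visible to someone reading only the changelog.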
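Review bot: in the local/common-password hunk, the new comment 'You can also use the "min" option to enforce the length of the new password' does not say what applies when min is omitted, which is now the case on the default pam_unix.so line. State the built-in default of 6 characters given in the NEWS entry, so an admin reading only this file knows the effective policy. The removed max=8 also gets no mention in the comments; one line saying that max is deprecated would help anyone merging this change into a locally modified file.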
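Review bot: in the local/common-password.md5sums hunk, the added sum has to match the final content of local/common-password from this same commit, and that file's comment block was edited here as well; recompute the sum after the last edit to the file rather than carrying over an earlier value. Keeping the previous sum on the first line looks intended, so that both shipped versions stay listed.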