[nycbug-talk] Change password at next login?
techneck at goldenpath.org
Tue Apr 29 21:51:51 EDT 2008
Miles Nordin wrote:
> PAM isn't cool. It's also full of bugs, and its behavior can be
> reliably known only by observation which is exactly the type of
> quirkiness that you *DO NOT* want from a subsystem meant to be
> checking passwords! no, you don't have to write n * m bits of special
> code, but everyone has m broken applications, and n * m things to test
> looking for surprise security problems. and, as you found, debuggers
> don't work well any more, source code is hard to find, and the
> internal behavior of modules is not documented, only rather optimistic
> fantasies of how to configure the module are sometimes partially
> documented. PAM's an embarassment.
That's funny. I thought it seemed kind of wacky but I didn't want to dis
it because apparently everyone else is using it and I figured I was just
using it wrong.
If it's so totally wacked out though, why would they have made it the
default in such a critical system component as security?
I have a base of untrusted, mostly irresponsible users who are more than
glad to set themselves a blank password if they can.
All I want to do is be able to reset someone's password while requiring
them to change it at next login (over SSH) and enforce some minimal
complexity requirement. I don't need to make it work with LDAP or IMAP
or anything else. The only thing they connect to this machine for is to
run a legacy custom application.
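Added example, not from this thread or from any project it mentions: a small sh audit of the two things asked for above (blank passwords and a pending forced change), run against constructed sample files. It assumes the master.passwd(5) layout used on FreeBSD, where the sixth field is the password-change time that login and pam_unix honour (any value already in the past forces a new password at the next login; it is set with chpass(1) or pw(8)), and that sshd is built with PAM support and has UsePAM on so the expired-password path reaches pam_chauthtok. The module names in the PAM check are real (pam_passwdqc ships with FreeBSD, pam_pwquality is the Linux counterpart); the option lines in the sample stacks are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Audits a master.passwd-style file and a
# PAM "password" stack for: accounts that can log in with a blank password,
# accounts with no forced change pending, and whether a password-quality
# module is enforced. All input is constructed sample data written to a
# temporary directory.

WORK=$(mktemp -d)

# Constructed master.passwd(5) sample. Fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell
# "change" (field 6) is the UNIX time after which a new password is demanded;
# 0 or empty means never. A value already in the past (bob's "1") forces a
# change at the next login.
PW="$WORK/master.passwd"
cat > "$PW" <<'EOF'
root:$6$abc:0:0::0:0:Charlie &:/root:/bin/csh
alice::1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$def:1002:1002::1:0:Bob:/home/bob:/bin/sh
carol:$6$ghi:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*LOCKED*$6$jkl:1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF

# Constructed /etc/pam.d/passwd samples: a weak stack (pam_unix only, with
# nullok) and a hardened one that puts pam_passwdqc first. passwdqc's min=
# option gives a minimum length per number of character classes; "disabled"
# forbids that class count outright.
PAM_WEAK="$WORK/pam.weak"
cat > "$PAM_WEAK" <<'EOF'
# password
password	required	pam_unix.so	no_warn try_first_pass nullok
EOF

PAM_HARD="$WORK/pam.hard"
cat > "$PAM_HARD" <<'EOF'
# password
password	requisite	pam_passwdqc.so	min=disabled,disabled,disabled,12,10 enforce=users
password	required	pam_unix.so	no_warn try_first_pass
EOF

# Login names whose password field is empty, space separated on one line.
blank_password_accounts() {
    awk -F: '$2 == "" { printf "%s%s", s, $1; s = " " } END { print "" }' "$1"
}

# Login names that can still log in but have no forced change pending
# (change field empty or 0). Locked accounts ("*" or "*LOCKED*...") are skipped.
accounts_not_forced_to_change() {
    awk -F: '$2 != "*" && $2 !~ /^\*LOCKED\*/ && ($6 == "" || $6 == "0") {
                 printf "%s%s", s, $1; s = " "
             } END { print "" }' "$1"
}

# Exit status 0 if an active (uncommented) "password" line loads a quality module.
pam_enforces_quality() {
    grep -Eq '^[[:space:]]*password[[:space:]]+(requisite|required)[[:space:]]+pam_(passwdqc|pwquality)\.so' "$1"
}

# Exit status 0 if an active pam_unix "password" line carries nullok,
# i.e. users may set themselves an empty password.
pam_allows_blank_password() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$1"
}

echo "blank passwords:  $(blank_password_accounts "$PW")"
echo "no forced change: $(accounts_not_forced_to_change "$PW")"
for f in "$PAM_WEAK" "$PAM_HARD"; do
    pam_enforces_quality "$f"      && q=yes || q=no
    pam_allows_blank_password "$f" && b=yes || b=no
    echo "$(basename "$f"): quality module=$q nullok=$b"
done
```

Against the samples, alice is the only blank-password account, and root, alice and carol have nothing forcing a change (bob's change time is in the past, dave is locked); only the hardened stack enforces quality and only the weak one carries nullok. On a real host the same two checks run against /etc/master.passwd and /etc/pam.d/passwd; the file contents would differ, the logic would not.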