On 8/16/19 3:56 PM, Dave Macias wrote:
> pam_pwquality (I believe these are only for users in passwd file)
Not only for users in /etc/passwd but part of the PAM stack. So only password changes via local passwd tool or similar are checked.
> pqchecker http://www.meddeb.net/pqchecker/?Idx=0
The problem with all the implementations I know of is that parameters are stored in a single config file. Thus you cannot apply different policies to different users. I'd love to see this be part of the slapo-ppolicy machinery, with password change policy parameters also derived from the pwdPolicy entry, just like the minimum password length.
Furthermore the question is whether the C code of those shared libs was carefully reviewed and does not expose a security risk.
Ciao, Michael.