Bakul Shah
Posts: 320
Joined: Sun Sep 25, 2011 1:25 am

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 2:58 am

Having to type the passwd and update it every time (and it had to be different each time) was rather annoying so I disabled it by commenting out the following line in /etc/pam.d/system-auth file (by putting # in the first column):


password    requisite     pam_cracklib.so try_first_pass retry=3 type=


Strong passwd/aging etc is not newbie friendly. Note that Model A has no network connection and its card can be easily removed so there is *no* point in password checking! If someone can access your 'Pi he can access your data on the card if you left it in! Model B will need to be smarter.... Not having an RTC doesn't help either. Hopefully if you have network access, you will have access to some ntp server! But until all this is worked out this security "feature" should be disabled.

There is a comment in system-auth that it is autogenerated. Not sure what program does that but I checked that at least on one reboot it was not rebuilt.

jojopi
Posts: 3079
Joined: Tue Oct 11, 2011 8:38 pm

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 4:21 am

Bakul said:

Having to type the passwd and update it every time (and it had to be different each time) was rather annoying so I disabled it by commenting out the following line in /etc/pam.d/system-auth file (by putting # in the first column):

If you are forced to change your password other than on the first boot then I think the system is not working as intended.  I set a (weak) password on the first boot and have never needed to change it.  It does not matter if I boot with no network, or set the date to 1970 or 2038.

Are you booting in text or graphics mode?  At what point in the boot or login sequence did you need to update your password, and what was the exact wording of the relevant messages?

Your proposed fix should disable only the weak password tests and change nothing with regard to password ageing.  So if the requirement to update your password has gone away as well then I believe that is only a coincidence.

The weak password tests should not really be affecting people either.  They are not enforced in the firstboot script, and there should be little reason to change password at any other time.

Bakul Shah
Posts: 320
Joined: Sun Sep 25, 2011 1:25 am

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 4:39 am

Booting in text mode (this is in qemu). As soon as I logged in, it asked for the passwd to be changed. I tried logging in as root as well as with another login userid -- this probably happened because date wasn't set. Anyway once was bad enough and I didn't bother with it anymore. Probably the aging requirements went away once I logged in, fixed up /etc/ntpd.conf (to point to a local NTP server) and changed both passwords. This fixed up the /etc/shadow password change time.

ssh login should not allow password authentication or remote root login. This way you can have a simple password for logging in over the console and secure login over ssh.

nick.mccloud
Posts: 804
Joined: Sat Feb 04, 2012 4:18 pm

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 8:01 am

The problem stems from not having the date/time set - so your password ages as soon as you login.

With a network connection this isn't a problem.

This is definitely a wrinkle that will need ironing out.

jojopi
Posts: 3079
Joined: Tue Oct 11, 2011 8:38 pm

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 8:49 am

nmcc said:


The problem stems from not having the date/time set - so your password ages as soon as you login.

With a network connection this isn't a problem.

This is definitely a wrinkle that will need ironing out.


Ok, yes, there is an issue with the remix.  It is not password ageing in the usual sense -- that is not enabled.  The problem is that shadow-utils treats 1970-01-01 magically:

# chage -d 1970-01-02 $USER && chage -l $USER
Last password change : Jan 02, 1970
Password expires : never
# chage -d 1970-01-01 $USER && chage -l $USER
Last password change : password must be changed
Password expires : password must be changed

So, prior to running ntpdate, which might fail, the init scripts should set the date to anything but 1970-01-01.  2012-02-29 06:00:00 UTC perhaps?
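
Added example (not part of any post in this thread, and not the remix's own scripts): the chage output above corresponds to field 3 of an /etc/shadow entry, which holds the last password change in days since 1970-01-01, with 0 reserved for "must change at next login". The sketch below classifies that field for shadow-format input; the function names, state labels and sample entries are constructed for illustration, and the maximum-age test is simplified.

```shell
#!/bin/sh
# Constructed sample entries in shadow(5) format (hashes are placeholders).
sample_shadow() {
    cat <<'EOF'
root:$6$PLACEHOLDER$hash:0:0:99999:7:::
pi:$6$PLACEHOLDER$hash:15412:0:99999:7:::
bob:$6$PLACEHOLDER$hash:15000:0:90:7:::
svc:!::0:99999:7:::
EOF
}

# shadow_lastchg_state [TODAY_DAYS] < shadow-format input
# Prints "user:state" per entry. Field 3 is the last password change in days
# since 1970-01-01; 0 is reserved to mean "must change at next login".
# TODAY_DAYS defaults to the system clock, so a clock stuck at the epoch shows
# up as "changed-in-future" on accounts whose password was set with good time.
shadow_lastchg_state() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 3 { next }
        {
            # The "expired" branch is a simplified maximum-age test; the real
            # rules also involve the minimum age, warning and inactivity fields.
            last = $3; max = $5; now = today + 0
            if (last == "")                  state = "aging-disabled"
            else if (last !~ /^[0-9]+$/)     state = "malformed"
            else if (last + 0 == 0)          state = "forced-change"
            else if (last + 0 > now)         state = "changed-in-future"
            else if (max ~ /^[0-9]+$/ && now > last + max) state = "expired"
            else                             state = "ok"
            print $1 ":" state
        }'
}

# Demo with the clock at 2012-03-13 (day 15412), then at the epoch (day 0).
sample_shadow | shadow_lastchg_state 15412
sample_shadow | shadow_lastchg_state 0
```

On a real system the function would be fed `/etc/shadow` as root; any account reported as forced-change has a stored change date of day 0.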

XAPBob
Posts: 91
Joined: Tue Jan 03, 2012 2:40 pm

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 10:04 am

I like the idea of using the Pi epoch

hippy
Posts: 5760
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 11:54 am

I'd prefer 2000-01-01 00:00:00 as being a more obvious 'non-date' that stands out more.

I'd also defensively choose something other than a leap year date. It shouldn't affect things, but ...

Bakul Shah
Posts: 320
Joined: Sun Sep 25, 2011 1:25 am

Re: FYI: disabling strength checking/aging on the fedora image

Tue Mar 13, 2012 4:24 pm

No, this is because Linux doesn't do the right thing when there is no RTC. On bootup the kernel should set time to the last modified time from the rootfs superblock. Like in V7 unix! See iinit() in sys/main.c in V7 unix (you can browse them online now). If that is "too hard" just arbitrarily set the initial value of time to something recent.

carlosfm
Posts: 132
Joined: Fri Oct 21, 2011 3:23 pm
Location: Lisbon, Portugal

Re: FYI: disabling strength checking/aging on the fedora image

Wed Mar 14, 2012 3:08 pm

Ohh memories...

Back in the 80's I had an IBM PC XT with a whopping 10MB HDD.

No RTC either, so in my M$-DOS autoexec.bat there were the following commands:

date

time

:')
Do you Pi?
