Network Security Focus-Linux

Re: Passwords on Linux systems(for all flavors)

Subject: Re: Passwords on Linux systems(for all flavors)
Date: Sun, 10 Jul 2005 17:11:57 -0600
Dear Group members/list,
I would like to know the place where I can find the Linux password constraints for the various Linux flavors. What I mean is the details like number of key spaces or the key length, the types of characters that can be used, the restrictions and the number of times the password can be tried if not infinite, etc. I am in need of these details very urgently, so please do help me on this topic.


Thank you in advance for your time and consideration.
Yours Sincerely,
R.S.Shyaam Sundhar

This is configurable on pretty much all Linux systems via PAM. With a reasonably modern system and PAM there are very few constraints (anything in the last few years). Using the standard unix /etc/passwd and whatnot I have user names such as "foo-bazsomething-bar.knucklehead" with pretty complex passwords (pretty much anything/any length goes since the passwords are hashed). If you are using say LDAP or SMB backends there may be some limitations but in general nothing to worry about. For usernames the general rule of thumb is:
a-z
A-Z
0-9
.
-
and a few other characters are allowed as well but the above is pretty much all most people use. As far as account lockout/etc this again is configurable via PAM. Most Linux systems do not use account lockouts by default (this can lead to an easy denial of service) but instead delay password guessing attempts from the same connection and/or only give three tries before dropping the connection. I suggest you read about PAM:


http://www.samag.com/documents/s=1161/sam0009a/0009a.htm

-Kurt Seifried
http://seifried.org/security/
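
As an added example (not part of the original post), this Python script reads a PAM service file and reports the options that set the constraints discussed in the thread: minimum length and retry count, failure delay, and lockout threshold. The sample stack is constructed, and the modules it uses (pam_pwquality, pam_faillock, pam_faildelay) are assumptions about a current system that the thread does not name.

```python
import re

# Constructed sample of a PAM service file (e.g. /etc/pam.d/system-auth);
# module choices and values are illustrative assumptions, not from the post.
SAMPLE_PAM = """\
# constructed example
auth      required    pam_faildelay.so delay=2000000
auth      required    pam_faillock.so preauth deny=5 unlock_time=900
auth      sufficient  pam_unix.so try_first_pass
password  requisite   pam_pwquality.so retry=3 minlen=12 dcredit=-1
password  sufficient  pam_unix.so sha512 shadow use_authtok
"""

# Module options that express password and lockout constraints.
POLICY_OPTIONS = {"minlen", "retry", "deny", "unlock_time", "delay",
                  "dcredit", "ucredit", "lcredit", "ocredit", "remember"}

def parse_pam(text):
    """Yield (type, control, module, args) for each rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        # control is a keyword or a bracketed list like [success=1 default=ignore];
        # "@include" lines do not match and are skipped.
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()

def password_policy(text):
    """Return {module: {option: int}} for policy-relevant options."""
    policy = {}
    for _type, _control, module, args in parse_pam(text):
        name = module.rsplit("/", 1)[-1]  # strip any directory prefix
        for arg in args:
            key, sep, value = arg.partition("=")
            if sep and key in POLICY_OPTIONS and re.fullmatch(r"-?\d+", value):
                policy.setdefault(name, {})[key] = int(value)
    return policy

def has_lockout(policy):
    """True if any module sets a failed-attempt limit (deny=N, N > 0)."""
    return any(opts.get("deny", 0) > 0 for opts in policy.values())

if __name__ == "__main__":
    found = password_policy(SAMPLE_PAM)
    for module, opts in found.items():
        print(module, opts)
    print("lockout configured:", has_lockout(found))
```

A stack with no `deny=` option anywhere reports no lockout, which matches the default behaviour described in the reply: a delay or a limited number of tries per connection, with no lock on the account itself.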

