[Pkg-shadow-devel] Bug#87301: Clues about PASS_MAX_LEN in login.defs and "max=" setting in PAM

Nicolas François nicolas.francois@centraliens.net
Thu, 21 Apr 2005 22:16:16 +0200


On Thu, Apr 21, 2005 at 06:54:31PM +0200, Christian Perrier wrote:
> Please read #87301....
> 
> I'm trying to investigate it but indeed I'm having hard times at
> understanding the real meaning of PASS_MAX_LEN in login.defs and the
> meaning of "max=" setting to pam_unix.so
> 
> According to the comment we have in /etc/login.defs:
> 
> # Number of significant characters in the password for crypt().
> # Default is 8, don't change unless your crypt() is better.
> # If using MD5 in your PAM configuration, set this higher.
> #
> PASS_MAX_LEN            8
> 
> 
> That would mean that choosing "12345678" or "123456789" should lead to
> the same hash in /etc/shadow. But it does not.

I've also tested, and PASS_MAX_LEN is not taken into account (and it
is not due to the salt used for the shadow entry).


I'm not surprised since using MD5 passwords is a way to use very long
passwords.


I've checked in the source (only Debian's source):
in libmisc/obscure.c (only used if PAM is disabled, which is not the case
for Debian's passwd):
    if (getdef_bool("MD5_CRYPT_ENAB"))
        return NULL;  /* unlimited password length */

    maxlen = getdef_num("PASS_MAX_LEN", 8);

in src/passwd.c (in a section used if PAM is disabled, which is not the case
for Debian's passwd):
    if (getdef_bool ("MD5_CRYPT_ENAB"))
        pass_max_len = 127;
    else
        pass_max_len = getdef_num ("PASS_MAX_LEN", 8);

So the answer is in PAM, and the behavior without PAM is not to
check this parameter, but to use unlimited passwords (or 127 bytes).

> Indeed, This setting just seems to do...nothing.
> 
> Same for what we have in /etc/pam.d/common-password (included for passwd):
> 
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
> 
> But here, I'm never restricted to passwords of at most 8 chars....
> 
> So, I'm completely puzzled....:)

I had a quick look at the pam_unix source.
It seems the max= argument is only used by obscure (the passwords are cut
at the maximum length of a password before checking if it is secure
enough).

This looks like a documentation issue to me, for shadow and PAM.
(I've not checked more recent versions of shadow and PAM).

IMO, PASS_MAX_LEN can be moved to the end of login.defs with PASS_MIN_LEN.

More investigation may be required before rewriting the comments on
/etc/pam.d/common-password

-- 
Nekral
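The behaviour discussed in this message, as an added illustration rather than code from the thread, from pam_unix or from shadow: the obscure checks are run on the new password only after it has been cut to the `max=` length, and shadow's non-PAM path lifts the limit to 127 when MD5_CRYPT_ENAB is set. The check order and thresholds below are a model of shadow's obscure.c (palindrome, case change only, similar, simple, rotated) and are assumptions made for this example, not a copy of either project's source.

```python
"""Model of pam_unix's obscure checks with the max= truncation.

Added example, not pam_unix or shadow source.  The check order and the
thresholds (the "8" in _similar, the "9 minus classes" in _simple) are
assumptions modelled on shadow's obscure.c for illustration.
"""

from typing import Optional


def effective_max_len(md5_crypt_enab: bool, pass_max_len: int = 8) -> int:
    """Mirror of the src/passwd.c logic quoted in the thread (non-PAM path):
    MD5 passwords are limited to 127 bytes, otherwise PASS_MAX_LEN applies."""
    return 127 if md5_crypt_enab else pass_max_len


def _palindrome(pw: str) -> bool:
    return len(pw) > 0 and pw == pw[::-1]


def _similar(old: str, new: str) -> bool:
    """Too many characters of the old password reappear in the new one.
    New passwords of 8+ characters are waved through (assumed threshold)."""
    if len(new) >= 8:
        return False
    i = j = 0
    for o, _ in zip(old, new):
        i += 1
        if o in new:
            j += 1
    return i < j * 2


def _simple(pw: str) -> bool:
    """Too short for the character classes it uses: the required length is
    9 minus one per class present (digit, upper, lower, other)."""
    classes = sum(
        any(pred(c) for c in pw)
        for pred in (str.isdigit, str.isupper, str.islower,
                     lambda c: not c.isalnum())
    )
    return len(pw) < 9 - classes


def _rotated(old: str, new: str) -> bool:
    return (len(old) == len(new) and len(old) > 0
            and new != old and new in old + old)


def obscure_check(old: str, new: str, max_len: Optional[int]) -> Optional[str]:
    """Return the reason the new password is rejected, or None if it passes.

    max_len plays the role of pam_unix's max= argument (None = unlimited).
    Note that it does not reject long passwords: it only decides how much
    of the new password the checks get to see."""
    if max_len is not None:
        new = new[:max_len]          # the truncation described in the thread
    if new == old:
        return "no change"
    if _palindrome(new):
        return "palindrome"
    if new.lower() == old.lower():
        return "case changes only"
    if _similar(old, new):
        return "too similar"
    if _simple(new):
        return "too simple"
    if _rotated(old, new):
        return "rotated"
    return None


if __name__ == "__main__":
    # Constructed inputs: the same 16-character palindrome is rejected when
    # the checks see all of it, but accepted once it is cut at max=8.
    print(obscure_check("old", "1234567887654321", None))   # palindrome
    print(obscure_check("old", "1234567887654321", 8))      # None
    # And the reverse: a password that passes in full fails when truncated.
    print(obscure_check("old", "aaaaaaaabbbb", None))       # None
    print(obscure_check("old", "aaaaaaaabbbb", 8))          # palindrome
    print(effective_max_len(md5_crypt_enab=True))           # 127
```

The point of the two contrasting pairs: with `max=8` the obscure test is neither a maximum length nor a check of the password that actually gets hashed, which is why "123456789" is accepted and stored in full under MD5.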