[BlueOnyx:06874] Re: Disable Strong Passwords

Michael Stauber mstauber at blueonyx.it
Fri Apr 1 15:21:06 -05 2011


Hi Samuel,

> I just want to let you all know I am also against doing this, but it is 
> my client that wants it.

Yeah, that's fine, don't worry. You can tell your client that Team BlueOnyx 
won't let him use weak passwords. ;o)

Between you and me (and everyone who reads the list): Yes, the strong password 
support in BlueOnyx can be deactivated. But it's not just one switch or one 
config line that needs to be changed. It involves messing with a lot of 
different bits and pieces of code all over the place. You'd have to "fix" 
several PHP pages, would need to modify some Perl handlers and constructors, 
would need to change some PAMd config files and what not. Off the top of my 
head even I don't remember all the details that were involved and would have 
to read back up on it in SVN to trace all the required changes.

But even if you'd go the extra mile to throw away the secure password 
support: Sooner or later there will be a YUM update that will undo some or all 
of your modifications. Possibly in a way that then buggers authentication 
entirely and renders the box useless.

If I had a hosting client who came to me with such a request, I'd probably 
insist on him buying or renting his own dedicated server or separate VPS and 
would offload the administration, the handling of backups and all 
responsibility for the integrity of the box to him. I'd also keep a templated 
"Haha, told you so!" email ready to send to him once the box gets hacked 
<shrug>.

If someone really insists on using weak passwords, he can still do so from the 
command line, of course. Once a user has been created through the GUI with a 
secure password, you can use "passwd <username>" to change the password on the 
command line, provided that user has shell access (he can then change his own 
password that way). User "root" can - of course - change anyone's password. 

During command line password changes the password strength check only warns 
about weak passwords, but it'll still take (almost) any password regardless of 
how weak it is. I think it only has to be long enough, so a three character 
password won't work.

-- 
With best regards

Michael Stauber
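As an added illustration (not from the original mail and not the BlueOnyx code base itself), the warn-only behaviour on the command line that Michael describes is the default of pam_cracklib when the account running passwd is root: the check runs, prints a "BAD PASSWORD: ..." line, and the change is accepted anyway. The stanza below is a Red Hat style /etc/pam.d/system-auth password section; that this is the file and option set BlueOnyx ships is an assumption. The second variant shows the enforce_for_root option that later pam_cracklib (and pam_pwquality) releases accept, which makes root subject to the same rejection as everyone else; it is not available on older PAM builds, so check your release before relying on it.

```text
# /etc/pam.d/system-auth, password section (assumed location; Red Hat style)
#
# Default: ordinary users get 3 attempts and must satisfy the cracklib check.
# root only gets a warning ("BAD PASSWORD: it is too short", etc.) and the
# new password is stored regardless of strength.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

# Hardened variant (newer pam_cracklib only): enforce_for_root makes the module
# return an error for root as well, so "passwd <username>" run as root is held
# to the same rules as a password set through the GUI.
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 enforce_for_root
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
```

Note that this only governs the PAM path (passwd, chpasswd via PAM, and similar); the stricter checks BlueOnyx applies in its GUI live in its own PHP and Perl code, as the mail says, and are unaffected by this file.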