Chapter 6. Security and Authentication

Additional Password Checks for pam_cracklib

Red Hat Enterprise Linux 5.9 adds backported support for the maxclassrepeat and gecoscheck options to the pam_cracklib module. These options check the properties of a new password entered by a user and reject it if it does not meet the specified limits. The maxclassrepeat option limits the maximum number of consecutive characters of the same character class (lowercase, uppercase, digits, and other characters). The gecoscheck option checks whether the newly entered password contains words (space-separated strings) from the GECOS field in the /etc/passwd entry of the user entering the password. For more information, refer to the pam_cracklib(8) man page.
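To make the two checks concrete, the following added example (not code from the Red Hat documentation or from the pam_cracklib module itself) parses a hypothetical pam_cracklib line from /etc/pam.d/system-auth and applies the maxclassrepeat and gecoscheck rules to candidate passwords against a constructed GECOS field. The character classes follow the four named above. The page only says that gecoscheck uses space-separated GECOS words; the four-character minimum word length and the test of each word in reversed form are assumptions taken from the upstream module's behaviour, and the PAM_LINE, user data and function names are constructed for this example.

```python
# Constructed pam_cracklib line for illustration; option values are hypothetical.
PAM_LINE = "password requisite pam_cracklib.so try_first_pass retry=3 maxclassrepeat=4 gecoscheck"


def parse_cracklib_options(line):
    """Extract the maxclassrepeat and gecoscheck options from a PAM stack line."""
    opts = {"maxclassrepeat": 0, "gecoscheck": False}   # 0 disables the class check
    for token in line.split()[3:]:                       # skip type, control, module
        if token.startswith("maxclassrepeat="):
            opts["maxclassrepeat"] = int(token.split("=", 1)[1])
        elif token == "gecoscheck":
            opts["gecoscheck"] = True
    return opts


def char_class(c):
    """Classify one character into the four classes pam_cracklib distinguishes."""
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def longest_class_run(password):
    """Length of the longest run of consecutive same-class characters."""
    longest = run = 0
    prev = None
    for c in password:
        cls = char_class(c)
        run = run + 1 if cls == prev else 1
        prev = cls
        longest = max(longest, run)
    return longest


def gecos_words(gecos, min_len=4):
    """Space-separated GECOS words; min_len=4 is an assumption (upstream default)."""
    return [w for w in gecos.split() if len(w) >= min_len]


def contains_gecos_word(password, gecos):
    """True if any GECOS word appears in the password forwards or reversed (assumption)."""
    return any(w in password or w[::-1] in password for w in gecos_words(gecos))


def check_password(password, gecos, opts):
    """Return None if the password passes, otherwise the name of the failing check."""
    limit = opts["maxclassrepeat"]
    if limit > 0 and longest_class_run(password) > limit:
        return "maxclassrepeat"
    if opts["gecoscheck"] and contains_gecos_word(password, gecos):
        return "gecoscheck"
    return None


if __name__ == "__main__":
    opts = parse_cracklib_options(PAM_LINE)
    gecos = "Mary Jones,Room 12"          # constructed /etc/passwd GECOS field
    for candidate in ("Mary2024!", "yraM2024!", "Mark20246!", "Mark2024!"):
        print(candidate, "->", check_password(candidate, gecos, opts) or "accepted")
```

The run counter resets whenever the class changes, so "Mark20246!" fails only because of its five consecutive digits, while "Mark2024!" passes both checks.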

IPv6 Support for M2Crypto

The m2crypto package, which provides Python bindings for calling OpenSSL functions, has been updated so that its HTTPS implementation works over both IPv4 and IPv6. In addition, the M2Crypto.SSL.Connection object can now be instructed to create IPv6 sockets.

Treating Matches Authoritatively in Lookups of sudoers Entries

The sudo utility can consult the /etc/nsswitch.conf file to determine where sudoers entries are looked up: in files or in LDAP. Previously, when a match was found in the first sudoers database, the lookup still continued through the remaining databases (including files). In Red Hat Enterprise Linux 5.9, support was added for an /etc/nsswitch.conf action that lets users specify a database after which a matching sudoers entry is sufficient. No further databases are queried in that case, which improves the performance of sudoers lookups in large environments. This behavior is not enabled by default and must be configured by adding the [SUCCESS=return] string after the selected database. When a match is found in the database that directly precedes this string, no other databases are queried.
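The following added example (not sudo's own code or configuration from the Red Hat documentation) simulates the lookup order described above. It parses the sudoers line of a constructed /etc/nsswitch.conf, records which database the [SUCCESS=return] action is attached to, and then walks the databases for a user, stopping after a match in a database that carries the action. The FILES_DB and LDAP_DB dictionaries stand in for the real sudoers file and LDAP directory and are hypothetical, as are the user names and rule strings; the fallback to "files" when no sudoers line is present is an assumption of this example.

```python
# Constructed sudoers databases keyed by user name; rule strings are hypothetical.
FILES_DB = {"alice": "ALL=(ALL) ALL"}
LDAP_DB = {"alice": "ALL=(root) /usr/bin/systemctl", "bob": "ALL=(ALL) NOPASSWD: ALL"}
SOURCES = {"files": FILES_DB, "ldap": LDAP_DB}

# Two constructed nsswitch.conf fragments: the default behaviour and the new action.
NSSWITCH_DEFAULT = "passwd: files\nsudoers: ldap files\n"
NSSWITCH_RETURN = "passwd: files\nsudoers: ldap [SUCCESS=return] files\n"


def parse_sudoers_sources(nsswitch_text):
    """Return [(database, stop_on_success), ...] from the sudoers: line."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line.startswith("sudoers:"):
            continue
        plan = []
        for token in line[len("sudoers:"):].split():
            if token.upper() == "[SUCCESS=RETURN]":
                if plan:                             # action applies to the preceding database
                    plan[-1] = (plan[-1][0], True)
            else:
                plan.append((token, False))
        return plan
    return [("files", False)]                        # assumed fallback when no sudoers line


def lookup_sudoers(user, plan, sources=SOURCES):
    """Simulate the lookup; return (matches, databases_queried)."""
    matches, queried = [], []
    for name, stop_on_success in plan:
        queried.append(name)
        entry = sources.get(name, {}).get(user)
        if entry is not None:
            matches.append((name, entry))
            if stop_on_success:                      # match is authoritative: stop here
                break
    return matches, queried


if __name__ == "__main__":
    for label, text in (("default", NSSWITCH_DEFAULT), ("[SUCCESS=return]", NSSWITCH_RETURN)):
        plan = parse_sudoers_sources(text)
        for user in ("alice", "bob", "carol"):
            matches, queried = lookup_sudoers(user, plan)
            print(f"{label:18} {user:6} queried={queried} matches={[m[0] for m in matches]}")
```

With the action in place, a user found in LDAP never causes a query of the sudoers file, but a user absent from LDAP still falls through to files, so the action only short-circuits on success, not on a miss.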