Subject: Re: Chapter 8 security
To: Curt Sampson <cjs@cynic.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 04/18/2004 03:35:23

On Sun, Apr 18, 2004 at 01:55:27PM +0900, Curt Sampson wrote:
> On Fri, 16 Apr 2004, Thor Lancelot Simon wrote:
> 
> > If I were the auditor-from-hell, I'd probably insist that this requirement
> > be enforced *by crypt(3)*....
> 
> If you go all the way with this, even that might not be good enough.
> What is there to stop someone from making the password hash of a poor
> password on another machine and using vipw to set it?

Precisely that crypt(3) sees the *input* to the hash, and can enforce
arbitrary restrictions on it.

Thor
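
The point made in this reply, as an added sketch that is not code from the thread or from any libcrypt: a crypt(3)-shaped function checks the plaintext it is handed at login time, so a weak password's hash produced elsewhere and placed with vipw still fails. The policy in `policy_ok` (8 or more characters, one digit) and `toy_hash` (salted FNV-1a standing in for the real hash so the block builds without libcrypt) are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy (the thread does not state the rule): 8+ chars, one digit. */
static int policy_ok(const char *key) {
    int has_digit = 0;
    size_t n = strlen(key);
    for (size_t i = 0; i < n; i++)
        if (isdigit((unsigned char)key[i])) has_digit = 1;
    return n >= 8 && has_digit;
}

/* Stand-in for the hashing step: salted FNV-1a. NOT a password hash; it only
 * keeps this sketch free of libcrypt. Salt = first two chars of `setting`. */
static const char *toy_hash(const char *key, const char *setting) {
    static char out[32];
    char salt[3];
    unsigned long long h = 1469598103934665603ULL;
    snprintf(salt, sizeof salt, "%.2s", setting);
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = key; *p; p++)  { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, sizeof out, "%s$%016llx", salt, h);
    return out;
}

/* crypt(3)-shaped entry point: the plaintext is checked before any hashing,
 * and NULL (crypt's error return) comes back when it fails the policy. */
const char *policy_crypt(const char *key, const char *setting) {
    return policy_ok(key) ? toy_hash(key, setting) : NULL;
}

/* Login-time check: re-hash what was typed, using the stored entry as setting. */
int login_ok(const char *typed, const char *stored) {
    const char *h = policy_crypt(typed, stored);
    return h != NULL && strcmp(h, stored) == 0;
}

int main(void) {
    char stored[32];
    /* Hash of a weak password made without the check, as if pasted in via vipw. */
    snprintf(stored, sizeof stored, "%s", toy_hash("abc", "xy"));
    printf("weak, foreign hash: login %s\n", login_ok("abc", stored) ? "ok" : "refused");
    snprintf(stored, sizeof stored, "%s", toy_hash("correct7horse", "xy"));
    printf("compliant password: login %s\n", login_ok("correct7horse", stored) ? "ok" : "refused");
    return 0;
}
```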