Per user message before system prompts for password
Hello there,
My first question in the forum.
The problem I am trying to solve is displaying the password restrictions (like password length, dcredit, etc. from PAM) when a user's password is expired. Ideally, if I could modify the password prompt, that would be perfect. I think that's impossible without recompiling some code.
My 2nd thought would be putting the password restrictions in the 'login text' such as /etc/issue or /etc/motd. This would impact everyone.
Is there a way to display some text when a user logs in before the password (or change of password) is prompted?
I think you're asking for a dialog that would provide "password rules" at change time. (Right?)
If so, consider the pam_passwdqc module as a replacement for pam_cracklib. It should be available in your distro's repository. Its dialog is similar to:
Code:
A valid password should be a mix of upper and lower case letters,
digits and other characters. You can use a 10 character long
password with characters from at least 3 of these 4 classes.
Characters that form a common pattern are discarded by the check.
A passphrase should be of at least 3 words, 15 to 40 characters
long and contain enough different characters.
Yes, it's a great module. Just curious - what OS / version? (I'm wondering why it was not available in your distro's repositories.)
It was available but we never installed (rpm -i) it.
Now I have a follow-up question: for pam_cracklib.so, I can specify the minimum number of lower-case, upper-case, etc. How do I do that with pam_passwdqc? It seems that you cannot control each character class individually. Thoughts?
Yes, what you're saying is correct. You specify minimum lengths for passwords that contain n different character classes. (And/or minimum length for a passphrase.) You do not control the number of times each character class occurs in a password, exactly. Note that various weak password checks are performed, though.
I'd argue that this is a wiser approach, as your set of criteria (and, thus, the set of passwords that are usable) isn't as limited. This means a larger set of possible passwords - for both end users and those who would build password dictionaries.
Anomie, thanks for your help. One of the requirements we have is to be able to specify the minimum number of character class.
If you need to specify the minimum number of character classes, then pam_passwdqc can do it. If you need to specify the number of occurrences that must appear within each character class, then it's back to pam_cracklib, unfortunately.
In that case, you may be looking at Reuti's suggestion of pam_echo.
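The two approaches discussed in this thread, written out as a PAM password stack (an added example, not posted by anyone in the thread). The file names, the message file path and all numeric values are assumptions chosen for illustration; adjust them to your distro and policy.

```conf
# /etc/pam.d/system-auth, password stack (file name varies by distro; assumed here)
#
# Option A: keep pam_cracklib for per-class minimums and print the rules first.
# pam_echo writes the contents of file= to the user before the next module
# prompts for the new password. /etc/security/password-rules.txt is a
# hypothetical file you create, describing the options below in plain words.
password    optional      pam_echo.so file=/etc/security/password-rules.txt
# A negative credit means "at least that many characters of the class":
#   dcredit=-1 one digit, ucredit=-1 one upper-case,
#   lcredit=-1 one lower-case, ocredit=-1 one other character
password    requisite     pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password    sufficient    pam_unix.so use_authtok sha512 shadow
password    required      pam_deny.so

# Option B: pam_passwdqc instead of pam_cracklib; it prints its own rules dialog,
# so no pam_echo line is needed.
# min=N0,N1,N2,N3,N4 sets the minimum length for passwords using one class,
# two classes, a passphrase, three classes and four classes respectively.
# "disabled" rejects that kind of password outright. There is no per-class count.
#password   requisite     pam_passwdqc.so min=disabled,disabled,15,10,10 max=40 passphrase=3 retry=3
#password   sufficient    pam_unix.so use_authtok sha512 shadow
#password   required      pam_deny.so
```

Keep a root session open while testing changes to the password stack, and verify with `passwd` as an unprivileged user before relying on it for expired-password logins.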