LinuxQuestions.org
Old 08-30-2011, 06:47 PM   #1
ltrinh
LQ Newbie
 
Registered: Aug 2011
Posts: 6

Rep: Reputation: Disabled
Per user message before system prompts for password


Hello there,
My first question in the forum.

The problem I am trying to solve is displaying the password restrictions (like password length, dcredit, etc. from PAM) when a user's password is expired. Ideally, if I could modify the password prompt, that would be perfect. I think that's impossible without recompiling some code.

My 2nd thought would be putting the password restrictions in the 'login text' such as /etc/issue or /etc/motd. This would impact everyone.

Is there a way to display some text when a user logs in before the password (or change of password) is prompted?

TIA.

Larry
 
Old 08-30-2011, 07:49 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I think you're asking for a dialog that would provide "password rules" at change time. (Right?)

If so, consider the pam_passwdqc module as a replacement for pam_cracklib. It should be available in your distro's repository. Its dialog is similar to:
Code:
A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use a 10 character long
password with characters from at least 3 of these 4 classes.
Characters that form a common pattern are discarded by the check.
A passphrase should be of at least 3 words, 15 to 40 characters
long and contain enough different characters.
 
Old 08-30-2011, 08:00 PM   #3
ltrinh
LQ Newbie
 
Registered: Aug 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by anomie
I think you're asking for a dialog that would provide "password rules" at change time. (Right?)

If so, consider the pam_passwdqc module as a replacement for pam_cracklib. It should be available in your distro's repository. Its dialog is similar to:
Code:
A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use a 10 character long
password with characters from at least 3 of these 4 classes.
Characters that form a common pattern are discarded by the check.
A passphrase should be of at least 3 words, 15 to 40 characters
long and contain enough different characters.
Thanks anomie. I'll give it a shot.
 
Old 09-01-2011, 03:00 PM   #4
ltrinh
LQ Newbie
 
Registered: Aug 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ltrinh
Thanks anomie. I'll give it a shot.
I had to download the pam_passwdqc rpm, but it works.

Thanks a bunch.
 
Old 09-01-2011, 03:16 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Yes, it's a great module. Just curious - what OS / version? (I'm wondering why it was not available in your distro's repositories.)
 
Old 09-01-2011, 03:58 PM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
There is also pam_echo to display text (man pam_echo).
 
Old 09-01-2011, 04:25 PM   #7
ltrinh
LQ Newbie
 
Registered: Aug 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by anomie
Yes, it's a great module. Just curious - what OS / version? (I'm wondering why it was not available in your distro's repositories.)
It was available but we never installed (rpm -i) it.

Now I have a follow-up question: for pam_cracklib.so, I can specify the minimum number of lower-case, upper-case, etc. How do I do that with pam_passwdqc? It seems that you cannot control each character class individually. Thoughts?
 
Old 09-01-2011, 05:57 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Documentation is in the pam_passwdqc(5) manpages, and here:

http://www.openwall.com/passwdqc/README.shtml

Yes, what you're saying is correct. You specify minimum lengths for passwords that contain n different character classes. (And/or minimum length for a passphrase.) You do not control the number of times each character class occurs in a password, exactly. Note that various weak password checks are performed, though.

I'd argue that this is a wiser approach, as your set of criteria (and, thus, the set of passwords that are usable) isn't as limited. This means a larger set of possible passwords - for both end users and those who would build password dictionaries.

Last edited by anomie; 09-01-2011 at 05:59 PM.
 
Old 09-01-2011, 06:29 PM   #9
ltrinh
LQ Newbie
 
Registered: Aug 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by anomie
Documentation is in the pam_passwdqc(5) manpages, and here:

http://www.openwall.com/passwdqc/README.shtml

Yes, what you're saying is correct. You specify minimum lengths for passwords that contain n different character classes. (And/or minimum length for a passphrase.) You do not control the number of times each character class occurs in a password, exactly. Note that various weak password checks are performed, though.

I'd argue that this is a wiser approach, as your set of criteria (and, thus, the set of passwords that are usable) isn't as limited. This means a larger set of possible passwords - for both end users and those who would build password dictionaries.
Anomie, thanks for your help. One of the requirements we have is to be able to specify the minimum number of character class.
 
Old 09-01-2011, 09:26 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
If you need to specify the minimum number of character classes, then pam_passwdqc can do it. If you need to specify the number of occurrences that must appear within each character class, then it's back to pam_cracklib, unfortunately.

In that case, you may be looking at Reuti's suggestion of pam_echo.
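
The two options weighed in this thread, written out as PAM password stacks. This is an added example, not part of any poster's message. The file name `/etc/pam.d/system-auth`, the message file path, the `pam_unix` options and the numeric values are assumptions, with the passwdqc lengths taken from the dialog quoted in post #2.

```conf
# /etc/pam.d/system-auth (password section) -- assumed file name; use ONE variant.

# --- Variant A: per-class minimums (pam_cracklib) plus a rules banner (pam_echo)
# pam_echo prints the file's contents through the PAM conversation, so the user
# sees the rules before being asked for the new password. "optional" keeps a
# missing or unreadable message file from blocking password changes.
# /etc/security/password-rules.txt is a hypothetical path; write the rules there.
password    optional      pam_echo.so file=/etc/security/password-rules.txt
# A negative credit means "at least N characters of this class are required":
#   dcredit=-1 digit, ucredit=-1 upper case, lcredit=-1 lower case, ocredit=-1 other
# With negative credits no length bonus is granted, so minlen is the real length.
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so

# --- Variant B: length per number of character classes (pam_passwdqc)
# min=N0,N1,N2,N3,N4
#   N0  passwords using one character class        (disabled)
#   N1  passwords using two character classes      (disabled)
#   N2  passphrases                                (15 characters)
#   N3  passwords using three character classes    (10 characters)
#   N4  passwords using four character classes     (10 characters)
# passphrase=3 is the number of words a passphrase needs; max=40 caps the length.
# pam_passwdqc prints its own explanation of these rules when it prompts, so no
# pam_echo line is needed. There is no per-class count (no dcredit equivalent).
#password   requisite     pam_passwdqc.so min=disabled,disabled,15,10,10 max=40 passphrase=3 retry=3 enforce=everyone
#password   sufficient    pam_unix.so sha512 shadow use_authtok
#password   required      pam_deny.so
```

Whether the pam_echo text is actually shown depends on the calling application displaying informational messages from the PAM conversation, so test with the same login path (console, ssh) that users with expired passwords go through.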
 
Old 09-02-2011, 12:03 AM   #11
ltrinh
LQ Newbie
 
Registered: Aug 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by anomie
If you need to specify the minimum number of character classes, then pam_passwdqc can do it. If you need to specify the number of occurrences that must appear within each character class, then it's back to pam_cracklib, unfortunately.

In that case, you may be looking at Reuti's suggestion of pam_echo.
Thanks anomie and reuti. I'll look into pam_echo.
 
  


All times are GMT -5.