[SOLVED] Help -- PAM password restrictions don't seem to be working

Nabana · 04-21-2010, 05:16 PM

I set some restrictions in /etc/pam.d/system-auth, but they don't seem to be affecting anything.

/etc/pam.d/passwd:

Code:

password    required     pam_cracklib.so   retry=3 minlen=8
password    required     pam_unix.so       md5 shadow use_authtok

/etc/pam.d/system-auth:

Code:

auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok 
auth        required      pam_deny.so

account     required      pam_unix.so

password    required      pam_cracklib.so try_first_pass retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minlen=8
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

So even if I give a password that's less than 8 chars (which minlen=8) should prevent, it still takes it. The other uppercase/lowercase/digit/special character rules don't seem to do anything either.

Console:

Code:

admin1@box1$ passwd
Changing password for admin1
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

/var/log/secure doesn't seem to show much except for "password changed for user":

Code:

Apr 21 22:10:49 passwd[1134]: pam_unix(passwd:chauthtok): username [admin1] obtained
Apr 21 22:10:59 passwd[1134]: pam_unix(passwd:chauthtok): username [admin1] obtained
Apr 21 22:10:59 passwd[1134]: pam_unix(passwd:chauthtok): password changed for admin1

Any ideas?

anomie · 04-21-2010, 05:35 PM

For your consideration: my comments on pam_cracklib vs. pam_passwdqc.

That said, what OS / version is this? Your /etc/pam.d/passwd config looks odd. On RHEL, for example, by default it should read -

Code:

...
password include system-auth

- rather than invoking pam_cracklib there and in the system-auth config.

unSpawn · 04-21-2010, 05:53 PM

...and adding /usr/share/doc/pam-${VERSION}/txts/README.pam_cracklib to that: minlen=N The minimum acceptable size for the new password (plus one if credits are not disabled which is the default).. So in your case, since credits are not disabled, minlen is actually $[${minlen}+1], right?

Nabana · 04-29-2010, 01:17 PM

I put the rules in pam.d/passwd instead of system-auth, and it works as expected. Not sure why it was originally set up like this, but that did the trick.