LinuxQuestions.org

Linux - Security: Failed to Implement Password Complexity using PAM ( Pluggable Authentication Module ) (https://www.linuxquestions.org/questions/linux-security-4/failed-to-implement-password-complexity-using-pam-pluggable-authentication-module-846206/)

Rahil Parikh 11-24-2010 02:06 AM

Failed to Implement Password Complexity using PAM ( Pluggable Authentication Module )
 
Hello,

I am new to Unix systems. I have an assignment in which I need to implement password complexity on CentOS 3.9 Final Serv. The Pluggable Authentication Module is installed on it. The requirements are as follows -
It should be 8 characters long
It should have at least one lowercase, one uppercase, and one numerical character

I read many how-tos and tutorials and came to the conclusion that I need to edit /etc/pam.d/system-auth to get my work done. I also found out that I need to use pam_cracklib for that purpose.

Following is the screenshot of my system-auth file. http://img25.imageshack.us/img25/1508/centos.png

Now when I try to change the password of a user account to a weak password like 'passws' (without quotes) it accepts it, which ideally it should not.

I need to use this version of CentOS for this assignment, so I cannot upgrade it. The other thing is I do not know if my system uses PAM or not, though it has an /etc/pam.d dir. And if it does, how can I know which version of PAM it is running?

Please help me with it.

Thanks,
Rahil

TB0ne 11-24-2010 07:27 AM

Quote:

Originally Posted by Rahil Parikh (Post 4169149)
Hello,
I am new to Unix systems. I have an assignment in which I need to implement password complexity on CentOS 3.9 Final Serv. The Pluggable Authentication Module is installed on it. The requirements are as follows -
It should be 8 characters long
It should have at least one lowercase, one uppercase, and one numerical character

I read many how-tos and tutorials and came to the conclusion that I need to edit /etc/pam.d/system-auth to get my work done. I also found out that I need to use pam_cracklib for that purpose. Following is the screenshot of my system-auth file. http://img25.imageshack.us/img25/1508/centos.png

Now when I try to change the password of a user account to a weak password like 'passws' (without quotes) it accepts it, which ideally it should not. I need to use this version of CentOS for this assignment, so I cannot upgrade it. The other thing is I do not know if my system uses PAM or not, though it has an /etc/pam.d dir. And if it does, how can I know which version of PAM it is running?

First, CentOS 3.9 is old...the latest is 5.5, so if you're missing some newer functions, it's not surprising. Second, are you changing the password as the root user?? Because root can set the password to be ANYTHING it wants, and bypasses the complexity rules. If you're logged in as root, and type in "passwd someuser foo", it'll set someuser's password to foo, regardless of what rules are set.

The CentOS forums even have a document telling you how to set this up, with the rules and explanations.
http://www.centos.org/docs/5/html/CD...rd_Policy.html
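An added example, not part of any post in this thread: pam_cracklib's minlen/credit rule re-implemented in Python so that a candidate system-auth line can be checked against sample passwords before it is installed. It goes beyond the assignment's three requirements by modelling the general credit scheme (positive credits are length bonuses, negative credits are per-class minimums), which is what makes `ocredit` matter. Only the length-and-character-class part of pam_cracklib is modelled; its dictionary, palindrome and similarity checks are left out, and the function names are my own, not the module's.

```python
"""pam_cracklib minlen/credit scoring, re-implemented for testing a policy line.

Added example for this thread, not code from Linux-PAM or CentOS. Only the
length/character-class rule is modelled; dictionary and similarity checks
are not. Function names are this example's own.
"""


def class_counts(password):
    """Count characters the way pam_cracklib does: each character belongs to
    exactly one class, and 'other' catches anything that is not a digit,
    an upper-case or a lower-case letter."""
    digits = uppers = lowers = others = 0
    for ch in password:
        if ch.isdigit():
            digits += 1
        elif ch.isupper():
            uppers += 1
        elif ch.islower():
            lowers += 1
        else:
            others += 1
    return digits, uppers, lowers, others


def cracklib_simple_check(password, minlen=8,
                          dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (ok, reason) for pam_cracklib's minlen scoring.

    credit >= 0: bonus; each character of that class, up to the credit
                 value, lowers the required length by one.
    credit <  0: minimum; at least -credit characters of that class are
                 required and the class gives no bonus.
    The defaults are pam_cracklib's own defaults (minlen=8, all credits 1)."""
    counts = class_counts(password)
    names = ("digit", "uppercase", "lowercase", "other")
    credits = (dcredit, ucredit, lcredit, ocredit)
    size = minlen
    for name, have, credit in zip(names, counts, credits):
        if credit >= 0:
            size -= min(have, credit)
        elif have < -credit:
            return False, "needs at least %d %s character(s), has %d" % (
                -credit, name, have)
    if len(password) < size:
        return False, "too short: %d characters, needs %d after credits" % (
            len(password), size)
    return True, "ok"


def pam_cracklib_line(minlen=8, dcredit=1, ucredit=1, lcredit=1, ocredit=1,
                      retry=3):
    """The /etc/pam.d/system-auth password line applying the same parameters."""
    return ("password    requisite     pam_cracklib.so try_first_pass retry=%d "
            "minlen=%d dcredit=%d ucredit=%d lcredit=%d ocredit=%d"
            % (retry, minlen, dcredit, ucredit, lcredit, ocredit))


# The assignment's policy: 8 characters, at least one lowercase, one
# uppercase and one digit. ocredit=0 is the part tutorials usually omit:
# with pam_cracklib's default ocredit=1, a 7-character password that
# contains one symbol earns a credit and scores as 8.
ASSIGNMENT = dict(minlen=8, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=0)

if __name__ == "__main__":
    print(pam_cracklib_line(**ASSIGNMENT))
    # Sample passwords constructed for this example.
    for pw in ("passws", "Passw0rd", "Pa55w!r"):
        print("%-10s -> %s" % (pw, cracklib_simple_check(pw, **ASSIGNMENT)))
```

Two things to keep in mind when you test the resulting line. First, as TB0ne says above, pam_cracklib still prints BAD PASSWORD for root but lets the change through, so test as an unprivileged user (for example `su - testuser -c passwd`), not from a root shell. Second, with the module's defaults a password of seven lowercase letters already passes minlen=8, because the lowercase credit knocks one off the required length; set the credits explicitly rather than relying on minlen alone.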

Rahil Parikh 11-29-2010 07:56 PM

Hi TB0ne,

Thank you for your reply. I now understand that being root is like having no rules for you. So, when I tried the same thing with a normal user account I could not set a weak password.

Thank you very much for your help. :)

slimm609 11-29-2010 10:50 PM

http://oss.tresys.com/projects/clip/...ownloadRelease


The PAM RPMs listed in the link have a patch that forces root to follow the same password requirements as the users.

Here is the actual patch for forcing root to follow the password requirements.

This is based on Linux-PAM-0.99.6.2.tar.bz2 source from RHEL 5
Code:

diff -ur ~/modules/pam_cracklib/pam_cracklib.c ./modules/pam_cracklib/pam_crackl
ib.c
--- ~/modules/pam_cracklib/pam_cracklib.c      2008-07-23 12:28:12.000000000 -0
400
+++ ./modules/pam_cracklib/pam_cracklib.c      2008-07-24 06:25:30.000000000 -0
400
@@ -96,6 +96,7 @@
        int try_first_pass;
        char prompt_type[BUFSIZ];
        char cracklib_dictpath[PATH_MAX];
+      int enforce_root;
 };

 #define CO_RETRY_TIMES  1
@@ -108,6 +109,7 @@
 #define CO_LOW_CREDIT  1
 #define CO_OTH_CREDIT  1
 #define CO_USE_AUTHTOK  0
+#define CO_ENFORCE_ROOT 0

 static int
 _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
@@ -166,6 +168,8 @@
        } else if (!strncmp(*argv,"dictpath=",9)) {
            strncpy(opt->cracklib_dictpath, *argv+9,
                    sizeof(opt->cracklib_dictpath) - 1);
+        } else if (!strncmp(*argv,"enforce_root",12)) {
+                opt->enforce_root = 1;
        } else {
            pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
        }
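Review bot: the `strncmp(*argv,"enforce_root",12)` on the new `+` line is a prefix match, so `enforce_root=0` or `enforce_root_no` also switch enforcement on; the option takes no value, so an exact `!strcmp(*argv,"enforce_root")` is the right test. The option is also undocumented: the patch touches only pam_cracklib.c, so the module's man page should gain an `enforce_root` entry stating that it defaults to off (`CO_ENFORCE_ROOT 0`).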
@@ -521,6 +525,7 @@
    strcpy(options.prompt_type,"UNIX");
    memset(options.cracklib_dictpath, 0,
          sizeof (options.cracklib_dictpath));
+    options.enforce_root = CO_ENFORCE_ROOT;

    ctrl = _pam_parse(pamh, &options, argc, argv);

@@ -620,7 +625,7 @@
                if (ctrl && PAM_DEBUG_ARG)
                    pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
                pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
-                if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+                if (getuid() || options.enforce_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
                    retval = PAM_AUTHTOK_ERR;
                else
                    retval = PAM_SUCCESS;
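Review bot: the context line `if (ctrl && PAM_DEBUG_ARG)` two lines above the change uses logical `&&` where a bitmask test `ctrl & PAM_DEBUG_ARG` is meant, so the "bad password" debug line fires whenever any option bit is set; that is pre-existing, but since this patch edits the same block it is the place to fix it. On the changed line itself, adding `options.enforce_root` makes the outcome independent of `getuid()` as intended, but a refused root change is not logged anywhere; a `pam_syslog(pamh, LOG_NOTICE, ...)` in the `PAM_AUTHTOK_ERR` branch would let an administrator tell policy enforcement from a typo.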
@@ -631,7 +636,7 @@
                    retval = _pam_unix_approve_pass(pamh,ctrl,&options,
                                                oldtoken,token1);
                    if (retval != PAM_SUCCESS) {
-                        if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+                        if (getuid() || options.enforce_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
                            retval = PAM_AUTHTOK_ERR;
                        else
                            retval = PAM_SUCCESS;
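Review bot: the condition on the `+` line duplicates the previous hunk's character for character. Fold both sites into one predicate (for example a `static int must_enforce(const struct cracklib_options *o, int flags)` returning `getuid() || o->enforce_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)`), so that a future third call site cannot drift from these two.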


anomie 11-30-2010 06:17 PM

Quote:

Originally Posted by Rahil Parikh
I read many how-to and tutorial and came to conclusion that I need to edit /etc/pam.d/system-auth to get my work done. I also found out that I need to use pam_cracklib for that purpose.

Alternatively, the far superior (IMHO!) pam_passwdqc(8) package can be installed from the CentOS repos and used for this purpose. It comes with a nice little option that lets you enforce the rules for root - or not.

