LinuxQuestions.org
Old 09-19-2013, 03:15 AM   #1
dagvaktin
LQ Newbie
 
Registered: Sep 2013
Distribution: CENTOS 6
Posts: 3

Rep: Reputation: Disabled
Help With Password Complexity and pam_passwdqc


Hi,

I've been experimenting with pam_passwdqc in an attempt to enforce some password policies but cannot quite seem to get it to work for me.

I basically want passwords with a minimum length of 12 chars using a combination of at least 3 out of 4 from a list of lowercase, uppercase, numbers and other characters.

From reading up on manpages, trawling through the internet and lots of trial and error, this is what I came up with for /etc/pam.d/system-auth :

Code:
password    requisite     pam_passwdqc.so min=disabled,disabled,disabled,12,12 max=30 match=0 random=0 retry=3 enforce=everyone
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
The problem I have is that, from what I can tell, the following 2 passwords should work but don't:

SeeBeh!Cheem
SeeBeh!Ch33m

Both give the same result:

Code:
A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 12 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used,
unless disable_firstupper_lastdigit_check option is enabled.

Enter new password:
Weak password: not enough different characters or classes.
I've probably gone through nearly every parameter there is for this and am beginning to tear my hair out.

If anyone has any clue about this, I would be most grateful.

Thanks,
Sean
 
Old 09-19-2013, 08:46 PM   #2
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,169
Blog Entries: 4

Rep: Reputation: 760
Try escaping ! or not using it at all.
It is generally a train-wreck waiting to happen.

Code:
SeeBeh\!Cheem
SeeBeh\!Ch33m
Just an idea.
 
Old 09-20-2013, 01:35 AM   #3
dagvaktin
LQ Newbie
 
Registered: Sep 2013
Distribution: CENTOS 6
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual
Try escaping ! or not using it at all.
It is generally a train-wreck waiting to happen.

Code:
SeeBeh\!Cheem
SeeBeh\!Ch33m
Just an idea.
Thanks but I don't think that works.

Tried escaping the ! as you suggested, but got the same result. I also tried using *,@,+ and [ in place of the exclamation mark (!) but all of them produced the same error each time.
 
Old 09-20-2013, 10:14 AM   #4
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,169
Blog Entries: 4

Rep: Reputation: 760
Bummer.
http://www.linuxquestions.org/questi...lexity-483084/
and/or
http://www.cyberciti.biz/faq/rhel-fe...ality-control/
should offer some further guidance, if not someone else here.

Sorry I couldn't help.
 
Old 09-20-2013, 10:30 AM   #5
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,125

Rep: Reputation: 544
Try "SeeBeh@!Cheem+"

I bet it wants 3 characters of each class... The example has 3 upper case, 8 lower case, but only 1 special character (the !).
 
Old 09-23-2013, 02:00 AM   #6
dagvaktin
LQ Newbie
 
Registered: Sep 2013
Distribution: CENTOS 6
Posts: 3

Original Poster
Rep: Reputation: Disabled
Gave up on pam_passwdqc

Thanks to all who posted suggestions and help here. I eventually solved the problem, but in order to do so I used pam_cracklib.so instead. This requires a little explanation:

Originally, I tried using pam_cracklib.so but discovered that it apparently only worked for non-root users. That was a problem because password policy enforcement for root was something I needed. So I turned to pam_passwdqc.so as that was supposed to support password complexity for root.

Having gone around in circles and basically strangled myself trying to get pam_passwdqc.so to work, I found out today that the enforcement of password complexity for root is actually supported in the latest version of pam_cracklib.so. So feeling like a twit, I managed to get what I wanted working using pam_cracklib.so in the end.

I am posting my solution here, in case anybody else wants to get this to work. Sort of makes the pain I went through sort of worth it.

This is for CENTOS 6/RHEL6 and provides:

- a minimum password length of 12 characters
- password complexity - 3 out of 4 character types of (lowercase, uppercase, numerical digits, other symbols)
- the ability to remember the last 5 passwords entered
- policies are enforced for root

Code:
password    required      pam_cracklib.so retry=3 minlen=12 difok=3 minclass=3 lcredit=0 ucredit=0 dcredit=0 ocredit=0 enforce_for_root
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
Note that the version of PAM you are running should be at least 1.1.1-13. Previous versions apparently have some bugs that prevent the enforcement of the policies on root. See here for more details on that:

http://rhn.redhat.com/errata/RHSA-2013-0521.html

Thanks again,
Sean
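An added offline checker (not code from this thread, from passwdqc or from cracklib) that models the two policies discussed here so a candidate password can be tested before the PAM stack is touched: the passwdqc class-crediting rule quoted in the help text of post #1 with its min=disabled,disabled,disabled,12,12 thresholds, and the pam_cracklib minlen/minclass line from post #6 with all four credits set to 0. The passwdqc length and distinct-character rule is an assumption modelled on that help text; the passphrase entry, dictionary checks and difok against the old password are not modelled.

```python
from string import ascii_lowercase, ascii_uppercase, digits

# pam_passwdqc line from post #1: min=disabled,disabled,disabled,12,12
# index 0: one class, 1: two classes, 2: passphrase, 3: three, 4: four classes
PASSWDQC_MIN = (None, None, None, 12, 12)
# pam_cracklib line from post #6: minlen=12 minclass=3 with all credits set to 0
CRACKLIB_MINLEN, CRACKLIB_MINCLASS = 12, 3


def class_counts(pw, first_upper_last_digit_check=True):
    """Count characters per class. With the check on, an upper-case first
    character and a digit last character are not credited, as the passwdqc
    help text quoted in post #1 says (disable_firstupper_lastdigit_check)."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in pw:
        if ch in ascii_lowercase:
            counts["lower"] += 1
        elif ch in ascii_uppercase:
            counts["upper"] += 1
        elif ch in digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    if first_upper_last_digit_check and pw:
        if pw[0] in ascii_uppercase:
            counts["upper"] -= 1
        if pw[-1] in digits:
            counts["digit"] -= 1
    return counts


def passwdqc_ok(pw, minimums=PASSWDQC_MIN):
    """Assumed model of the passwdqc length rule: accept if the password meets the
    minimum for its credited class count or for a smaller count (the passphrase
    entry is ignored here) and has at least min/2 distinct characters."""
    classes = sum(1 for v in class_counts(pw).values() if v > 0)
    distinct = len(set(pw))
    for n in range(classes, 0, -1):
        need = minimums[{1: 0, 2: 1, 3: 3, 4: 4}[n]]
        if need is not None and len(pw) >= need and distinct >= need // 2:
            return True
    return False


def cracklib_ok(pw, minlen=CRACKLIB_MINLEN, minclass=CRACKLIB_MINCLASS):
    """pam_cracklib with lcredit=ucredit=dcredit=ocredit=0: each character counts
    once toward minlen and minclass counts the classes present (no discount)."""
    classes = sum(1 for v in class_counts(pw, False).values() if v > 0)
    return len(pw) >= minlen and classes >= minclass
```

Under the quoted rule both of the thread's candidates credit three classes at 12 characters, so class counting alone does not account for the rejection seen in post #1. A constructed password such as Seebeh!cheem shows the practical difference between the modules: passwdqc discounts the leading capital and credits only two classes, while cracklib's minclass=3 is satisfied.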
 