LinuxQuestions.org
Forum: Linux - Security
Old 01-22-2009, 04:38 PM   #1
mozkill
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Rep: Reputation: 0
How can I loosen the "dictionary word" password rule?


I have a Redhat 7.1 system that "seems to be using PAM" authentication (I'm not sure about that) but it won't let me make a password based on a mis-spelled dictionary word that has a numeric number in the middle of the password.

So, it's a tiny bit too strict. I don't mind requiring password length or that it has upper or lower case chars, but this "dictionary word" restriction is driving me nuts.

Can anyone tell me how to disable the dictionary word rule for passwords on a Redhat system?

thanks,
jon
 
Old 01-22-2009, 07:40 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Look in /etc/pam.d/common-password (this is at least where it is on newer distributions).
 
Old 01-22-2009, 07:46 PM   #3
mozkill
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Original Poster
Rep: Reputation: 0
I don't have that file on Redhat 7.1.


It looks like Redhat uses PAM 0.75-46.7.1

updates.redhat.com/7.1/en/os/SRPMS/pam-0.75-46.7.1.src.rpm
 
Old 01-22-2009, 08:09 PM   #4
mozkill
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Original Poster
Rep: Reputation: 0
I may have figured it out. I think the cracklib.so needs to be passed this option. Am I right?


minclass=N
The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the credit check is that a specific class of characters is not required. Instead N out of four of the classes are required.
 
Old 01-22-2009, 09:52 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@mozkill: As you likely know, Redhat 7.1 is badly outdated and unsupported. Not to go too far down a tangent, but if you're interested in security, features, better community assistance, and (to some extent) stability you need to think about moving to a more recent RHEL, CentOS, or Fedora.

To speak directly to your question, you probably do need to tweak pam_cracklib.

To answer your question a different way, it's a rather strange request to ask how to set up your user accounts with worse (more easily crackable) passwords.

Consider this as an alternative - your new password scheme:

[movie] + [.] + [verb] + [.] + [hometown]

Example: donniedarko.sleep.newark
 
Old 01-22-2009, 11:56 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I tried something out as an experiment. I echoed some dictionary words through md5sum and then cut and pasted the md5sum hash result in google. I was able to get the plaintext word back, and this will sometimes work with "l33t" spelling and capitalization changes. This demonstrates the importance of using salt, and the danger of using a single dictionary word. I'm sure that there are rainbow tables out there that are even more comprehensive than what you will find on a webpage.

Also, using Redhat 7.1 is very irresponsible. Even RH 9.0 is too old. An nmap scan may be able to identify your distro and version. Your results will put a large grin on attackers' faces. You are probably using old versions of applications and services that have known vulnerabilities.

Code:
echo -n "dictionary" | md5sum && echo
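An added example (not from jschiwal's post or any thread member's code) that makes the salt point concrete: with unsalted MD5, two users who chose the same dictionary word store the same hash, so one lookup of that hash answers for both; with a random per-user salt and an iterated hash, their stored values differ and the lookup no longer transfers. The user table is constructed, and PBKDF2-HMAC-SHA256 stands in for whatever salted scheme the system's crypt() actually uses.

```python
import hashlib
import hmac
import os
from typing import Optional


def md5_unsalted(password: str) -> str:
    """Hex MD5 of the raw password, the same value `echo -n ... | md5sum` prints."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Random per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256), stored as
    'salt$hash' in hex. Pass the stored salt back in to re-derive for verification."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(salted_hash(password, bytes.fromhex(salt_hex)), stored)


# Constructed user table: two users happen to have picked the same dictionary word.
USERS = {"alice": "dictionary", "bob": "dictionary", "carol": "baseba1l"}


def shared_hashes(hash_fn, users=USERS) -> list:
    """Groups of users whose stored values are identical under hash_fn."""
    groups = {}
    for name, pw in users.items():
        groups.setdefault(hash_fn(pw), []).append(name)
    return sorted(g for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Unsalted MD5: alice and bob share one hash, so a single lookup answers both.
    print(shared_hashes(md5_unsalted))   # [['alice', 'bob']]
    # Salted: no two stored values match, even for identical passwords.
    print(shared_hashes(salted_hash))    # []
```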
 
Old 01-23-2009, 08:21 AM   #7
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
I wanted to make a quick point about passwords also in addition to what everyone else has mentioned.

There's a reason they don't allow those kinds of passwords: they're trivial to crack, and were even several years ago, more so now.

Using "baseball" is effectively no different than using "baseba1l"; a password cracker or distributed brute force attack will chew that to bits in short order even on a modern system.

If you have trouble remembering more complex passwords, I would suggest a program like KeePass. Once you get to using KeePass or a similar password safe type program, using a password like "Zt;ugKBWtmsY"?XtqGl3" is no more difficult than using a password like "baseba1l".
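An added example, not pam_cracklib's code and not from any post in this thread, that mirrors the kinds of tests pam_cracklib applies so the two points above can be checked offline: minclass (mozkill's quote) only counts character classes, while the dictionary test undoes digit-for-letter swaps, so "baseba1l" is rejected just like "baseball" (rweaver's point). The wordlist is a constructed stand-in for the cracklib dictionary.

```python
import re

# Constructed mini wordlist; a real system consults the cracklib dictionary.
WORDLIST = {"baseball", "dictionary", "password", "donnie", "darko", "newark"}

# Common digit/symbol-for-letter swaps, undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo leet substitutions."""
    return pw.lower().translate(LEET)


def dictionary_hits(pw: str, wordlist=WORDLIST) -> list:
    """Wordlist entries equal to the normalized password, its reversal, or either
    with every non-letter removed ('baseba1l' and 'base8ball' both become 'baseball')."""
    n = normalize(pw)
    letters = re.sub(r"[^a-z]", "", n)
    candidates = {n, n[::-1], letters, letters[::-1]}
    return sorted(w for w in wordlist if w in candidates)


def char_classes(pw: str) -> int:
    """Classes present among digits, upper, lower, other. This is all that
    minclass=N compares against; it does not touch the dictionary test."""
    return sum((any(c.isdigit() for c in pw), any(c.isupper() for c in pw),
                any(c.islower() for c in pw), any(not c.isalnum() for c in pw)))


def check(pw: str, minlen: int = 8, minclass: int = 2, wordlist=WORDLIST) -> list:
    """Return the policy failures; an empty list means the password is accepted."""
    problems = []
    if len(pw) < minlen:
        problems.append(f"shorter than {minlen} characters")
    if char_classes(pw) < minclass:
        problems.append(f"fewer than {minclass} character classes")
    hits = dictionary_hits(pw, wordlist)
    if hits:
        problems.append("based on dictionary word: " + ", ".join(hits))
    n = normalize(pw)
    if len(n) > 1 and n == n[::-1]:
        problems.append("palindrome")
    return problems


if __name__ == "__main__":
    for pw in ("baseball", "baseba1l", "donniedarko.sleep.newark", 'Zt;ugKBWtmsY"?XtqGl3'):
        print(repr(pw), check(pw) or "OK")
```

anomie's three-word scheme passes because no single wordlist entry equals the whole string after normalization; a real cracklib check is stricter about prefixes and suffixes, so this is a lower bound on what it rejects.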
 
Old 01-23-2009, 11:19 AM   #8
mozkill
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Original Poster
Rep: Reputation: 0
My Redhat 7.1 machine is safe behind a firewall. I'm not worried at all about stray hackers on the internet.

In any case, doesn't it make sense that for a server that uses Samba that the password rules should match the Windows XP systems that access the Samba share? That way they have seamless access by having matching passwords without having to alias anything.

I shouldn't even need to phrase that as a question. It's obviously true.
 
Old 01-25-2009, 11:51 AM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by mozkill View Post
My Redhat 7.1 machine is safe behind a firewall. I'm not worried at all about stray hackers on the internet.
Wow!! That is the worst attitude to have about security. I use $50+k Sidewinder firewalls (which have never been hacked) and I have seen people get through them and into machines on the inside.

You should have a strong password on both the Windows box and the Linux box. The recommended password length and strength is 15 characters with a min of 2 upper, 2 lower, 2 special and 2 numbers, and for a Windows box it is recommended to use Alt-characters in your password.
There is currently no brute force for Alt-characters straight out-of-the-box.

Using barswf http://3.14.by/en/md5

md5 can be broken very fast. With a quad core 3.2 and 2 nvidia 8800gt video cards I can brute force 600M hashes a second: 200 million on the processor and 400 million on the video cards.

Systems are getting faster and faster, and the simple password algorithms and using weak passwords is just going to get your machine owned.
 
Old 01-25-2009, 06:28 PM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Considering it's not hard to set up iptables to block an IP after say 5 failed logins, you'd block IPs after 5 failed attempts so any type of brute force would fail automatically by that point. Or I believe it's possible to do things like cap password attempts to 3 every minute. However, weak password management is asking for trouble, more so if you use things like normal FTP or unencrypted VNC connections. Generally when I see Linux boxes compromised it's in other fashions than general brute force/dictionary attacks, but these are still things to watch out for and properly configure the firewall/server against.
 
Old 01-25-2009, 07:29 PM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
r3sistance: Blocking IP addresses after 5 failed logins would work in most cases, but some attackers control botnets tens or even hundreds of thousands of bots strong and can easily attack thousands of targets simultaneously, rotating the bots used on each target and letting the attack run for a long time. This type of attack is hard to detect automatically. This type of distributed attack is currently being used more and more against ssh. I would recommend using PublicKey authentication only as a defense. Other precautions like AllowUsers and having a from="patternlist" in your key files will help as well. Ssh access is normally used only for a handful of users and sites, which you can use to your advantage by being specific about who can access the service and from where. There is one disadvantage however, in that you can't enforce a policy that users protect their private keys with strong pass-phrases.

mozkill: It wouldn't be hard to develop your own system to devise better passwords. For example, use two dictionary words, but remove the vowels from the second and enter it backwards. A simple idea of your own like this would allow you to devise complex passwords and be able to resort to the technique you use if you don't remember the exact password. I'm still firm in my opinion that you need to upgrade to a supported distro or version. I even wondered if you may have posted it just to goad responses. Sometimes if something sounds too bad to be true, it isn't true.

Last edited by jschiwal; 01-25-2009 at 07:35 PM.
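An added example, not OpenSSH code and not from jschiwal's post, showing what the from="patternlist" restriction he mentions actually admits: the pattern-list rules (comma-separated, "*" and "?" wildcards, "!" negation, CIDR blocks) re-implemented so an administrator can test a planned authorized_keys line against client addresses before deploying it. Real sshd tests the list against both the client's address and its reverse-resolved hostname; this version checks the address only, and the key material in the test line is a labelled placeholder.

```python
import fnmatch
import ipaddress
import re


def match_pattern(pattern: str, addr: str) -> bool:
    """One pattern: a CIDR block if it contains '/', otherwise '*' and '?'
    wildcards ('.' is literal, as in sshd)."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(addr, pattern)


def match_pattern_list(pattern_list: str, addr: str) -> bool:
    """Comma-separated patterns; a leading '!' negates. A negated match rejects at
    once, otherwise the result is whether any positive pattern matched."""
    matched = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if match_pattern(pat, addr):
            if negate:
                return False
            matched = True
    return matched


# from="..." at the start of the options field or after a comma (no escaped quotes).
FROM_OPT = re.compile(r'(?:^|,)from="([^"]*)"')


def key_allowed_from(authorized_keys_line: str, addr: str) -> bool:
    """Apply one authorized_keys line's from= option to a client address.
    A key with no from= option is usable from anywhere."""
    line = authorized_keys_line.strip()
    if not line or line.startswith("#"):
        return False
    m = FROM_OPT.search(line)
    if m is None:
        return True
    return match_pattern_list(m.group(1), addr)
```

A list made only of negations admits nothing, so a line like from="!10.0.0.99" locks the key out everywhere; pair the negation with the positive range you mean to allow.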
 