LinuxQuestions.org

Linux - Security: pam_cracklib.so "-1" NOT working (https://www.linuxquestions.org/questions/linux-security-4/pam_cracklib-so-1-not-working-329291/)

scottjwoodford 06-01-2005 03:34 PM

pam_cracklib.so "-1" NOT working
 
I have read many posts on this forum about using -1 for the lcredit, ucredit, dcredit, and ocredit in the system-auth file (on the pam_cracklib.so line). This is not working for me. I currently have the following:

password requisite /lib/security/$ISA/pam_cracklib.so retry=5 minlen=11 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

However, I have tried many other combinations as well. I just created a password "testhello" and I was able to login. I shouldn't have been able to. I am doing this on RedHat 8.0 and RedHat 9.0. I read that the -1's aren't supported on earlier versions of Linux, but people on this forum have had success using them on RedHat 9.0. Anyone have any ideas? Thanks in advance.

Capt_Caveman 06-01-2005 11:24 PM

It should work on RH 9 (in fact I just tried it and it worked). Not sure exactly what you are doing wrong, but keep in mind that if you are root and create the password for that user, then you can make it anything you want (regardless of the cracklib settings). You'll still see the hard-coded "password too short" message if you use a short password, but it will still let you use it. You won't even see the cracklib warnings like "too simple" at all. However, if you log in as that user and try to change the passwd, all the cracklib requirements will apply.

scottjwoodford 06-02-2005 07:49 AM

Well, here's the thing. I want to set a password for the user that I pick. I will give that password to the user, but when he/she enters the username/password I want the system to force them to change it. When they are changing it, or anytime in the future I want them to change it, I want the password rules to apply. What do I need for this to happen? Thanks.

scottjwoodford 06-02-2005 08:19 AM

Also, I see what you're saying, but I'm not assigning a password with root. I'm actually just expiring the account like this:


usermod -L username      # lock the account
chage -d 0 username      # set last-change date to 0 so the password is expired
usermod -p "" username   # set an empty password hash

It forces the user to change his/her own password, but doesn't apply the cracklib rules. The user can change it to whatever he/she wants as long as it doesn't break the built-in rules such as a minlength of 4.

So, I essentially have 2 problems. The first is that I can't figure out how to set a password for the user, allow him to enter it, then have the system require him to change it.

Second, cracklib settings aren't applying when the user does change it.

alex.dupuy 08-14-2006 09:27 AM

pam_cracklib minlen/credits requires old password
 
The problem here is that you are setting an empty password, and as a result, passwd (or the expiration code) is not prompting for an "old password" nor is it providing that information to pam_cracklib. Without that information, certain pam_cracklib checks (looking for trivial changes to the password, but also all the minlen and credit computations for "simple" passwords) are not performed.

Note that for root, even if the password is not empty, no prompt is ever made for the old password, so these strength checks are not performed on the root password (which is kind of stupid, considering that it is the one password that most needs to be strong).

But for your normal, non-root users, just set a password like "ChangeMe!" and expire it, and since they will (should be?) be prompted for the old password, the strength checks you specify should take effect.

@alex

You may have already figured this out, but since I found your thread when trying to understand why it wasn't working for my root user account, I figured it would be helpful to have the answer recorded.
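As an added illustration (not code from the thread or from the pam_cracklib module itself), here is a small re-implementation of the minlen/credit rule the thread is arguing about, based on my reading of the module's documented semantics: a negative credit is a mandatory minimum count for that character class, a non-negative credit is a bonus of up to that many characters toward minlen. It parses the exact pam_cracklib.so line from the first post and shows that "testhello" would be rejected if the check ran at all, which is why alex.dupuy's point about the missing old-password prompt is the real explanation.

```python
import re

# Constructed sample: the pam_cracklib line from the system-auth file in the first post.
PAM_LINE = ("password requisite /lib/security/$ISA/pam_cracklib.so "
            "retry=5 minlen=11 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")

# Module defaults as documented: minlen=9, each credit=1.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASS_NAME = {"dcredit": "digit", "ucredit": "uppercase",
              "lcredit": "lowercase", "ocredit": "other"}


def parse_cracklib_options(pam_line):
    """Pick the key=value options off a pam_cracklib.so line, falling back to defaults."""
    opts = dict(DEFAULTS)
    for key, value in re.findall(r"(\w+)=(-?\d+)", pam_line):
        if key in opts:
            opts[key] = int(value)
    return opts


def classify(password):
    """Count characters per class in the same four classes pam_cracklib uses (ASCII assumed)."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_simple(password, opts):
    """Return (ok, reason) for the 'simple' minlen/credit test.

    Negative credit: password must contain at least -credit chars of that class.
    Non-negative credit: up to 'credit' chars of that class count as bonus length,
    reducing the raw length the password must reach.
    """
    counts = classify(password)
    required = opts["minlen"]
    for cls, n in counts.items():
        credit = opts[cls]
        if credit < 0:
            if n < -credit:
                return False, f"needs at least {-credit} {CLASS_NAME[cls]} char(s), has {n}"
        else:
            required -= min(n, credit)
    if len(password) < required:
        return False, f"needs effective length {required}, has {len(password)}"
    return True, "ok"
```

With the thread's line, "testhello" fails on the mandatory digit first; with the module defaults the same password would pass, which is the difference the -1 credits are meant to make.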
