Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have read many posts on this forum about using -1 for the lcredit, ucredit, dcredit, and ocredit in the system-auth file (on the pam_cracklib.so line). This is not working for me. I currently have the following:
However, I have tried many other combinations as well. I just created a password "testhello" and I was able to log in. I shouldn't have been able to. I am doing this on RedHat 8.0 and RedHat 9.0. I read that the -1s aren't supported on earlier versions of Linux, but people on this forum have had success using them on RedHat 9.0. Anyone have any ideas? Thanks in advance.
It should work on RH 9 (in fact I just tried it and it worked). Not sure exactly what you are doing wrong, but keep in mind that if you are root and create the password for that user, then you can make it anything you want (regardless of the cracklib settings). You'll still see the hard-coded "password too short" message if you use a short password, but it will still let you use it. You won't even see the cracklib warnings like "too simple" at all. However, if you log in as that user and try to change the passwd, all the cracklib requirements will apply.
Well, here's the thing. I want to set a password for the user that I pick. I will give that password to the user, but when he/she enters the username/password I want the system to force them to change it. When they are changing it, or anytime in the future I want them to change it, I want the password rules to apply. What do I need for this to happen? Thanks.
It forces the user to change his/her own password, but doesn't apply the cracklib rules. The user can change it to whatever he/she wants as long as it doesn't break the built-in rules such as a minlength of 4.
So, I essentially have 2 problems. The first is that I can't figure out how to set a password for the user, allow him to enter it, then have the system require him to change it.
Second, cracklib settings aren't applying when the user does change it.
The problem here is that you are setting an empty password, and as a result, passwd (or the expiration code) is not prompting for an "old password" nor is it providing that information to pam_cracklib. Without that information, certain pam_cracklib checks (looking for trivial changes to the password, but also all the minlen and credit computations for "simple" passwords) are not performed.
Note that for root, even if the password is not empty, no prompt is ever made for the old password, so these strength checks are not performed on the root password (which is kind of stupid, considering that it is the one password that most needs to be strong).
But for your normal, non-root users, just set a password like "ChangeMe!" and expire it, and since they will (should be?) be prompted for the old password, the strength checks you specify should take effect.
You may have already figured this out, but since I found your thread when trying to understand why it wasn't working for my root user account, I figured it would be helpful to have the answer recorded.
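The following shell script is an added example and is not code from any post in this thread. It reimplements the minlen/credit arithmetic that the pam_cracklib man page describes (a negative credit means "at least that many characters of this class are required", a non-negative credit lets each character of the class count extra towards minlen, up to the credit value) so you can see why "testhello" satisfies minlen=8 with the default credits of 1 but fails once every credit is -1, and it wraps the provisioning steps discussed above (root sets an initial password, then expires it with chage so the user must change it at first login, at which point the strength rules apply). The pam_cracklib line in the comment, the user name and the passwords are illustrative values, and the checker is a model of the rule, not the module itself.

```bash
#!/bin/sh
# Added example, not from the thread. Illustrative system-auth lines that the
# thread is discussing (assumed typical values, not the poster's actual file):
#   password required pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
#   password required pam_unix.so use_authtok md5 shadow

# count_class PASSWORD CLASS: number of characters of PASSWORD in the tr class,
# done by deleting everything that is NOT in the class and counting the rest.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# Models pam_cracklib's length/credit rule: returns 0 (pass) when every
# mandatory class (negative credit) is present and length plus earned credits
# reaches MINLEN; returns 1 otherwise. Dictionary/similarity checks are not modelled.
cracklib_check() {
    pw=$1
    minlen=$2
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    lower=$(count_class "$pw" '[:lower:]')
    upper=$(count_class "$pw" '[:upper:]')
    digit=$(count_class "$pw" '[:digit:]')
    alnum=$(count_class "$pw" '[:alnum:]')
    other=$((len - alnum))      # "other" = anything that is not a letter or digit
    effective=$len
    for pair in "$lower:$3" "$upper:$4" "$digit:$5" "$other:$6"; do
        n=${pair%%:*}
        credit=${pair#*:}
        if [ "$credit" -lt 0 ]; then
            # Negative credit: the class is mandatory, at least -credit characters,
            # and contributes nothing extra to the effective length.
            [ "$n" -ge $((0 - credit)) ] || return 1
        else
            # Non-negative credit: each character of the class adds one to the
            # effective length, capped at the credit value.
            if [ "$n" -lt "$credit" ]; then add=$n; else add=$credit; fi
            effective=$((effective + add))
        fi
    done
    [ "$effective" -ge "$minlen" ]
}

# provision_user USER INITIAL_PASSWORD: the procedure from the thread. Root sets
# the initial password (pam_cracklib is not enforced for root), then chage -d 0
# marks it as last changed on day 0 so the user is forced to change it at the
# next login; that change goes through pam_cracklib with the user's own prompts.
# Requires root; not invoked below.
provision_user() {
    printf '%s:%s\n' "$1" "$2" | chpasswd
    chage -d 0 "$1"
}

# demo PASSWORD MINLEN L U D O: prints a one-line verdict when run stand-alone.
demo() {
    if cracklib_check "$1" "$2" "$3" "$4" "$5" "$6"; then v=PASS; else v=FAIL; fi
    printf '%-12s minlen=%s credits=%s,%s,%s,%s -> %s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$v"
}

demo testhello    8  1  1  1  1   # default credits: 9 + 1 lowercase credit = 10 >= 8, passes
demo testhello    8 -1 -1 -1 -1   # -1 credits: no uppercase/digit/other present, fails
demo 'ChangeMe!1' 8 -1 -1 -1 -1   # every class present and 10 >= 8, passes
demo ChangeMe     8 -1 -1 -1 -1   # missing the mandatory digit and "other", fails
demo 'Ab1!'       8  1  1  1  1   # 4 characters plus 4 credits reaches 8, passes
demo 'Ab1!'       9  1  1  1  1   # 4 + 4 = 8 < 9, fails
```

Run it as an ordinary user to see the verdicts; only `provision_user` needs root. The key point the checker makes visible is that with positive credits a long all-lowercase password earns its way past minlen, whereas a negative credit turns the class into a hard requirement, which is the behaviour the original poster wanted.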