LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 09-13-2006, 09:52 AM   #1
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Rep: Reputation: 15
password complexity


hi i was told initially to make changes in /etc/pam.d/system-auth config file for complexity(lcredit=-1,uccredit=1,lccredit=1.....)this is not working on my system.

i have Fedora core release 3(Heidelberg)

kernel 2.6.9-1.667 on 1686.

is there any other procedure to achieve complexity?
 
Old 09-13-2006, 10:37 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,720
Blog Entries: 54

Rep: Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968
this is not working on my system.
- what where the errors?
- did you try in debugmode?
- how did you test?
- what are the contents of you /etc/pam.d/system-auth?
 
Old 09-14-2006, 01:34 AM   #3
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
hi.these are the contents of my /etc/pam.d/system-auth config file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

i set the parameters minlen,dcredit,ucredit,lcredit,ocredit,difok to their values.
minlen is working fine.but when i created a new user and
set the password as 'aaaaaa',it is being accepted.it should not isn't it?bcoz the password:

* Must be at least 6 characters and utmost 12 characters
* Must contain at least one one lower case letter, one upper case letter, one digit and one special character
* Valid special characters are - @#$%^&+=
what do i do now???
 
Old 09-14-2006, 06:36 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,720
Blog Entries: 54

Rep: Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2
AFAIK the docs say nothing about using negative values, only integers.


when i created a new user and set the password as 'aaaaaa',it is being accepted.it should not isn't it?
Yes it should since you're root.


what do i do now?
This should work. Touch /etc/security/opasswd to enable remembering used passes. Now if there's a possibility for them to hand you an initial password you could set that, else set one yourself. Then expire the account, forcing them to set a new one on login. The cracklib settings should apply now.
 
Old 09-14-2006, 07:53 AM   #5
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
hi sir.well actually i m not logging in as root but as the new user i created and yet the password gets accepted in whichever fashion i give.

also the file /etc/security/opasswd is empty in my system(no such thing as remembering used passes).

finally what values should i set,if not negative values
in /etc/pam.d/system-auth?
 
Old 09-14-2006, 08:35 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,720
Blog Entries: 54

Rep: Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968Reputation: 2968
finally what values should i set,if not negative values in /etc/pam.d/system-auth?
Try positive, whole values.
 
Old 09-15-2006, 01:20 AM   #7
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
hi sir.thanks for your help so far.i've tried positive values as well.still doesn't work.what to do next??
 
Old 09-17-2006, 07:19 AM   #8
kingka
Member
 
Registered: Aug 2003
Location: mechelen (belgium)
Distribution: debian gnu/linux (sid)
Posts: 99

Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
finally what values should i set,if not negative values in /etc/pam.d/system-auth?
Try positive, whole values.
It should work with negative values:
dcredit=-1 - minimum one digit
ucredit=-1 - minimum one uppercase letter
lcredit=-1 - minimum one lowercase letter
ocredit=-1 - minimum one 'other' character

I am using debian and added the following two lines to /etc/pam.d/common-password

password required pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
password required pam_unix.so use_authtok nullok md5

I am not an expert on this but have you looked in the /etc/pam.d directory for a file called passwd? The file /etc/pam.d/passwd should have the following line to include the rules in /etc/pam.d/common-password
@include common-password
(or maybe in your case @include system-auth)

kind regards,

kingka
 
Old 09-18-2006, 01:34 AM   #9
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
hi sir.these are the contents of my /etc/pam.d/passwd file:

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

As you can see,there is no @include system-auth.
what is to be done now??

also one more important thing sir,in the config file,
/etc/pam.d/system-auth,it is mentioned in the beginning like this:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

Is it something to do with this?If so,what is to be done?

Any help would be greatly appreciated??thank u
 
Old 09-18-2006, 02:19 AM   #10
kingka
Member
 
Registered: Aug 2003
Location: mechelen (belgium)
Distribution: debian gnu/linux (sid)
Posts: 99

Rep: Reputation: 15
Got this from google: "Authconfig is a terminal mode program which can configure a workstation to use shadow passwords."
So I guess authconfig is only run when you install/upgrade the shadow suite.

My common-password file has only the 2 rules I told about in my previous post, while your system-auth file has other things in it as well.
Maybe you should create a new file in /etc/pam.d (say common-password) and include that file in /etc/pam.d/passwd or you can add the 2 rules directly in /etc/pam.d/passwd instead of using @include

Ah and your /etc/pam.d/passwd didn't say anything about being auto-generated? So it's probably your best option to use another config file or passwd directly and not system-auth.

Last edited by kingka; 09-18-2006 at 02:23 AM.
 
Old 09-18-2006, 03:49 AM   #11
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
hello sir.thanks for your help so far.But i think u missed a statement there.i clearly mentioned in my previous post that there is this statement in /etc/pam.d/system-auth:

#This file is auto-generated.
#user changes will be destroyed the next time authconfig is run

also what are the two rules you are talking about?

you only asked me to include @include system-auth in
/etc/pam.d/passwd
 
Old 09-18-2006, 04:11 AM   #12
kingka
Member
 
Registered: Aug 2003
Location: mechelen (belgium)
Distribution: debian gnu/linux (sid)
Posts: 99

Rep: Reputation: 15
Enter these two lines in /etc/pam.d/passwd :

password required pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
password required pam_unix.so use_authtok nullok md5

You shouldn't have '@include system-auth' in /etc/pam.d/passwd if you enter the rules in /etc/pam.d/passwd itself.

Reboot.
Change your password with passwd and see if it still accepts simple passwords.
 
Old 09-18-2006, 06:32 AM   #13
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
still doesn't work sir.i've done exactly as u told me to.
after rebooting i create a new user as 'user1' and a new password which is 'xxxxxxx'and its getting accepted.it should not accept this password isn't it?i am even able to login with this new username and password.

what do i do now?
 
Old 09-18-2006, 07:03 AM   #14
kingka
Member
 
Registered: Aug 2003
Location: mechelen (belgium)
Distribution: debian gnu/linux (sid)
Posts: 99

Rep: Reputation: 15
Login as the user you have just created.
Enter passwd to change the user's password and see if you can still choose a simple password such as 'xxxxxx'.

Why I ask you this?
By adding the rules to /etc/pam.d/passwd the rules only apply to the passwd command. Not to commands used to create new users (e.g. useradd).
 
Old 09-19-2006, 05:37 AM   #15
pasupuleti
LQ Newbie
 
Registered: Sep 2006
Posts: 24

Original Poster
Rep: Reputation: 15
ok seems to me like its working.thanks very much for your help sir.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
password complexity moinpasha Linux - Security 11 09-13-2006 11:53 PM
password complexity moinpasha Programming 1 09-12-2006 06:24 AM
Setting password complexity Harry Seldon Linux - General 1 08-04-2006 03:33 PM
Howto change system password policies (passwd length, complexity) tisource Linux - Security 3 09-06-2005 01:01 AM
Linux PAM minimum password and complexity reemo73 Linux - Software 3 06-01-2005 04:22 PM


All times are GMT -5. The time now is 04:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration