Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
hi i was told initially to make changes in /etc/pam.d/system-auth config file for complexity(lcredit=-1,uccredit=1,lccredit=1.....)this is not working on my system.
i have Fedora core release 3(Heidelberg)
kernel 2.6.9-1.667 on 1686.
is there any other procedure to achieve complexity?
this is not working on my system.
- what where the errors?
- did you try in debugmode?
- how did you test?
- what are the contents of you /etc/pam.d/system-auth?
hi.these are the contents of my /etc/pam.d/system-auth config file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
i set the parameters minlen,dcredit,ucredit,lcredit,ocredit,difok to their values.
minlen is working fine.but when i created a new user and
set the password as 'aaaaaa',it is being accepted.it should not isn't it?bcoz the password:
* Must be at least 6 characters and utmost 12 characters
* Must contain at least one one lower case letter, one upper case letter, one digit and one special character
* Valid special characters are - @#$%^&+=
what do i do now???
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2
AFAIK the docs say nothing about using negative values, only integers.
when i created a new user and set the password as 'aaaaaa',it is being accepted.it should not isn't it?
Yes it should since you're root.
what do i do now?
This should work. Touch /etc/security/opasswd to enable remembering used passes. Now if there's a possibility for them to hand you an initial password you could set that, else set one yourself. Then expire the account, forcing them to set a new one on login. The cracklib settings should apply now.
finally what values should i set,if not negative values in /etc/pam.d/system-auth?
Try positive, whole values.
It should work with negative values:
dcredit=-1 - minimum one digit
ucredit=-1 - minimum one uppercase letter
lcredit=-1 - minimum one lowercase letter
ocredit=-1 - minimum one 'other' character
I am using debian and added the following two lines to /etc/pam.d/common-password
I am not an expert on this but have you looked in the /etc/pam.d directory for a file called passwd? The file /etc/pam.d/passwd should have the following line to include the rules in /etc/pam.d/common-password
@include common-password
(or maybe in your case @include system-auth)
Got this from google: "Authconfig is a terminal mode program which can configure a workstation to use shadow passwords."
So I guess authconfig is only run when you install/upgrade the shadow suite.
My common-password file has only the 2 rules I told about in my previous post, while your system-auth file has other things in it as well.
Maybe you should create a new file in /etc/pam.d (say common-password) and include that file in /etc/pam.d/passwd or you can add the 2 rules directly in /etc/pam.d/passwd instead of using @include
Ah and your /etc/pam.d/passwd didn't say anything about being auto-generated? So it's probably your best option to use another config file or passwd directly and not system-auth.
hello sir.thanks for your help so far.But i think u missed a statement there.i clearly mentioned in my previous post that there is this statement in /etc/pam.d/system-auth:
#This file is auto-generated.
#user changes will be destroyed the next time authconfig is run
also what are the two rules you are talking about?
you only asked me to include @include system-auth in
/etc/pam.d/passwd
still doesn't work sir.i've done exactly as u told me to.
after rebooting i create a new user as 'user1' and a new password which is 'xxxxxxx'and its getting accepted.it should not accept this password isn't it?i am even able to login with this new username and password.
Login as the user you have just created.
Enter passwd to change the user's password and see if you can still choose a simple password such as 'xxxxxx'.
Why I ask you this?
By adding the rules to /etc/pam.d/passwd the rules only apply to the passwd command. Not to commands used to create new users (e.g. useradd).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
