#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass
auth required /lib/security/$ISA/pam_succeed_if.so uid >=500 quiet
auth required /lib/security/$ISA/pam_deny.so
auth required /lib/security/$ISA/pam_tally.so deny=3 onerr=fail no_magic_root unlock_time=300
Based on the above data, when I create users in RHEL5.1, I should not be able to set passwords with fewer than 14 characters, and they must contain at least one each of the following: upper-case, lower-case, digit, other character. However, I seem to be able to create simple passwords without difficulty.
Example: I created a user account "tsmith" in terminal mode (/usr/sbin/useradd, or something similar). When prompted for a password, I type "soccer". Even though the system returns "BAD PASSWORD: it is based on a dictionary word. Retype Password:", "soccer" is NOT a dictionary word. In fact, when I retype "soccer", the system accepts it by displaying "passwd: all authentication tokens updated successfully".
Also, I cannot enforce the password complexity rules in the GUI version of setting up user accounts (System-->Administration-->Users and Groups). When I click "Add User", I type in a simple password, click OK, and the new user appears with no error/warning messages of any kind.
Please advise if the data in my /etc/pam.d/system-auth file is incorrect and/or what other files need to be modified to enforce the preferred password complexity rules. Thanks.
(I mentioned pam_cracklib there as well.) There is certainly nothing wrong with pam_cracklib, but you'll see me recommending pam_passwdqc over and over again on these forums, for its feature set and relative ease of use. Have a look and see if you'd like to try that approach.
One more thing -- I notice that you've designated pam_cracklib as "required" rather than "requisite" in your password stack. That may have some unintended consequences. (I haven't carefully evaluated your entire stack.)
As per your request, I will do my best to start new threads. I did not realize the age of these old threads, but I was trying to find existing solutions to my issue which I did, albeit old information.
BTW--I found out that when logged in as "root", I have the power to set any password I like. Thus, "root" is the exception rather than the rule WRT password complexities. Standard users should be restricted in terms of setting passwords outside the scope of complexity rules.
I received this information from a reliable source at Red Hat. My ISSM also confirmed this, and he says that this is OK.
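An added example, not part of the original thread: a small audit of a PAM password stack for the two points raised above, the pam_cracklib control flag ("required" versus "requisite") and the stated policy of 14 characters with one character of each class. The sample stack is constructed for illustration because the poster's password lines are not shown in the thread; `audit_cracklib` and `parse_stack` are hypothetical helper names.

```python
# Constructed sample password stack (NOT the poster's file, which the thread omits).
SAMPLE_STACK = """\
#%PAM-1.0
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 lcredit=-1
password sufficient /lib/security/$ISA/pam_unix.so md5 shadow use_authtok
password required /lib/security/$ISA/pam_deny.so
"""

# Policy from the thread: at least 14 characters, one of each character class.
MIN_LENGTH = 14
CREDITS = ("ucredit", "lcredit", "dcredit", "ocredit")

def parse_stack(text, facility="password"):
    """Yield (control, module, options) per line; simple control keywords only."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3:])
        yield fields[1], fields[2].rsplit("/", 1)[-1], opts

def to_int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def audit_cracklib(text):
    """Return findings about pam_cracklib.so in the password stack."""
    entries = [e for e in parse_stack(text) if e[1] == "pam_cracklib.so"]
    if not entries:
        return ["pam_cracklib.so is not in the password stack"]
    findings = []
    for control, _, opts in entries:
        # "requisite" stops the stack at the first failure; "required" records
        # the failure but still runs the modules that follow.
        if control != "requisite":
            findings.append(f"control is '{control}', not 'requisite'")
        if to_int(opts.get("minlen"), 9) < MIN_LENGTH:  # pam_cracklib default is 9
            findings.append(f"minlen is below {MIN_LENGTH}")
        for credit in CREDITS:
            # Only a negative value makes that character class mandatory.
            if to_int(opts.get(credit), 1) >= 0:
                findings.append(f"{credit} does not require a character of that class")
    return findings

if __name__ == "__main__":
    for finding in audit_cracklib(SAMPLE_STACK):
        print(finding)
```
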