Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have been working on customizing the password policy on CentOS. I know most of what I want to set can be done in the file /etc/pam.d/system-auth, which I have successfully augmented. However, in testing I found that very little information is displayed when insufficient password are entered. For example, when the new password entered does not have a non-alpha-numeric character it simply returns "Bad Password: is too simple."
How can I get passwd to display the password policy or at least make it easier to understand what kind of password is acceptable? Thanks.
The reason it does that is for security; you should give away the minimum info (preferably none) to a possible attacker.
Traditionally for login, it only supplies an error after both(!) username & passwd have been supplied, and often it just says 'Invalid Login' so that you don't know if the username or passwd was wrong (or both).
If you DO want to publish the passwd requirements, you could use the banner or issue file, but normally users are only told at registration, either via a separate path, or on the registration page.
See also 'lost passwd' procedures.
You could use pam_exec to call your own program I suppose.
The reason it does that is for security; you should give away the minimum info (preferably none) to a possible attacker.
Traditionally for login, it only supplies an error after both(!) username & passwd have been supplied, and often it just says 'Invalid Login' so that you don't know if the username or passwd was wrong (or both).
If you DO want to publish the passwd requirements, you could use the banner or issue file, but normally users are only told at registration, either via a separate path, or on the registration page.
See also 'lost passwd' procedures.
You could use pam_exec to call your own program I suppose.
Thank you for your response. To be more clear, I want to show the password policy when a user is changing or setting their password. At the moment, if a user is updating their password it does not supply enough information to understand why the new password is not accepted. I can foresee users being unable to set their password if my policy is decently complex because it does not state what criteria was not met , it simply says "Bad Pass".
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
