LinuxQuestions.org
Old 11-02-2004, 07:42 AM   #1
tompower
LQ Newbie
 
Registered: Nov 2004
Distribution: Red Hat
Posts: 1

Rep: Reputation: 0
Problems with PAM_cracklib options


I'm messing with RH9.0 - trying to understand the options (ucredit, dcredit etc) that you can give pam_cracklib but am having mixed success.

I've altered the passwd config file in /etc/pam.d to:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so \
debug difok=2 dcredit=-1 ucredit=-1 ocredit=0 minlen=8 retry=3 type=PBSOK
password sufficient /lib/security/$ISA/pam_pwdb.so nullok use_authtok md5
shadow
password required /lib/security/$ISA/pam_deny.so

When I changed the password of a user (not root) I expected PAM to insist on a minimum length of 8 and a password containing 1 upper case and 1 digit. The minimum length seems to be checked but not the other stuff.

I've read through The Linux-PAM Admin Guide but am still stumped.

Any bright ideas - am willing to RTFM if pointed to the right manuals

Thanks
 
Old 11-03-2004, 06:23 PM   #2
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
Re: Problems with PAM_cracklib options

Quote:
Originally posted by tompower
I'm messing with RH9.0 - trying to understand the options (ucredit, dcredit etc) that you can give pam_cracklib but am having mixed success.

I've altered the passwd config file in /etc/pam.d to:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so \
debug difok=2 dcredit=-1 ucredit=-1 ocredit=0 minlen=8 retry=3 type=PBSOK
password sufficient /lib/security/$ISA/pam_pwdb.so nullok use_authtok md5
shadow
password required /lib/security/$ISA/pam_deny.so

When I changed the password of a user (not root) I expected PAM to insist on a minimum length of 8 and a password containing 1 upper case and 1 digit. The minimum length seems to be checked but not the other stuff.

I've read through The Linux-PAM Admin Guide but am still stumped.

Any bright ideas - am willing to RTFM if pointed to the right manuals

Thanks

You want to use:

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 ucredit=-1 dcredit=-1

The debug, difok and type can be deleted.

lcredit specifies the number of lowercase required.
dcredit specifies the number of digits required.
ucredit specifies the number of uppercase required.
ocredit specifies the number of other required. (symbols)

ucredit=-1 sets the requirement for at least 1 uppercase character in the password.
-2 = at least 2, -3 = at least 3, etc.

It's best to require users to have at least 2 of the 4 types, i.e. 2 upper, 2 lower, 2 digits and 2 other. Something like ManDrake12#$ would pass that rule set.

Not listing in the config is the same as setting it to none.

-b

Last edited by bignerd; 11-03-2004 at 06:28 PM.
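
Added example, not part of either post and not pam_cracklib's own code: a simplified Python model of the credit arithmetic as the pam_cracklib documentation describes it (a negative value is a required minimum count, a non-negative value is the maximum credit that class earns toward minlen), assuming a module version that honours negative credits. The name credit_check and the sample passwords are constructed for illustration; the dictionary and difok checks are not modelled.

```python
import string

def credit_check(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Model of the length/credit rule only. Defaults follow the documented
    pam_cracklib defaults (minlen=9, every credit=1). Returns (ok, reason)."""
    counts = {
        "digit": sum(c in string.digits for c in password),
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
    }
    # Anything that is not a digit or an ASCII letter counts as "other".
    counts["other"] = len(password) - sum(counts.values())
    credits = {"digit": dcredit, "upper": ucredit,
               "lower": lcredit, "other": ocredit}

    required_len = minlen
    for cls, credit in credits.items():
        if credit < 0:
            # Negative value: hard minimum number of characters of this class.
            if counts[cls] < -credit:
                return False, f"needs at least {-credit} {cls} character(s)"
        else:
            # Non-negative value: up to `credit` characters of this class
            # each reduce the length the password must reach.
            required_len -= min(counts[cls], credit)

    if len(password) < required_len:
        return False, f"too short: {len(password)} < {required_len}"
    return True, "ok"

# Options from the first post; lcredit is not listed, so it keeps its default of 1.
FIRST_POST = dict(minlen=8, dcredit=-1, ucredit=-1, ocredit=0)
# Options from the suggested line in the reply; lcredit and ocredit keep default 1.
REPLY = dict(minlen=8, dcredit=-1, ucredit=-1)

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["abcdefgh", "Abcdef1", "Abcde1", "Abcd1!", "ManDrake12#$"]:
        print(f"{pw!r:16} first post: {credit_check(pw, **FIRST_POST)}"
              f"  reply: {credit_check(pw, **REPLY)}")
```

In this model an unlisted credit keeps its default of 1, so minlen=8 is not a hard floor: the 7-character Abcdef1 passes the first post's options, and the 6-character Abcd1! passes the reply's. Setting lcredit=0 and ocredit=0 makes minlen the literal minimum length.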
 
All times are GMT -5.