LinuxQuestions.org
#1  07-25-2012, 11:33 AM  Kapn.K (LQ Newbie; Registered: Oct 2010; Distribution: RHEL, Fedora, Ubuntu)

RHEL 5.8: Password complexity and disabling suggestions

I'm trying to enforce password complexity and am not getting the results I expect. I've searched and read the man page and README for everything I can think of. My requirements are 12 characters and 3 or more character types. The suggestions rarely meet this, so they are unacceptable. Even when I choose my own, which meets the requirements, it won't work. I would also like to disable_firstupper_lastdigit. Would I just append that to the passwdqc line? Here is my system-auth-ac:

Code:
#%PAM-1.0
# auth: lock the account after 3 failures for 120 s, then normal Unix authentication
auth required pam_env.so
auth required pam_tally.so onerr=fail per_user deny=3 unlock_time=120
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

# password: passwdqc quality check first (min=N0,N1,N2,N3,N4: 1-class, 2-class and
# passphrase passwords disabled; 3 or 4 classes need 12 characters), then the
# md5/shadow update with a 24-entry history
password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,12 retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=24
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

SELinux is disabled, and the password I tried to use is tH1s,should:work

Last edited by Kapn.K; 07-25-2012 at 01:50 PM. Reason: add SELinux status and password
 
#2  07-25-2012, 02:37 PM  kbscores (Member; Registered: Oct 2011; Location: USA; Distribution: Red Hat)
Strictly for complexity, you will want to add the line:
Code:
password     requisite    pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1
Looking into the other things.
 
#3  07-25-2012, 03:12 PM  Kapn.K (Original Poster)
Quote (originally posted by kbscores):
    Strictly for complexity, you will want to add the line:
    Code:
    password     requisite    pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1
    Looking into the other things.
I was going to use that, but I would have to pick the three types or require all 4 to meet our security requirement (3 of 4 types). The server I started to look at uses the pam_passwdqc.so module instead. passwdqc is a newer, more flexible and, I believe, preferred module. Even with other servers that are using cracklib, I still can't find a password that works, and they're not using any credits, just minlen. My other users and I are forced to use the suggested one (and usually they only use 2 character types). I'm trying to figure out how to get more debug info from the passwd process as well. I look in /var/log/secure and see "sudo: pam_tally(sudo:setcred): Tally underflowed for user root", but I think it's just a generic error when the password change doesn't complete.
 
#4  07-26-2012, 10:38 AM  Kapn.K (Original Poster)
OK. I just found this other thread, which sheds a little more light on it. Trying it now.
http://www.linuxquestions.org/questi...dqc-so-714407/
 
#5  07-26-2012, 12:50 PM  Kapn.K (Original Poster)
OK. I added random=0 to the system-auth-ac at the end of the line containing pam_passwdqc.

This does get rid of the generated one.

Here is the result:

Code:
Changing password for user testuser.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 12 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.

Enter new password:
Weak password: based on a dictionary word and not a passphrase.
Try again.
No generated suggestion, but my test password won't work due to the dictionary check.
I guess I could rebuild the module with the dictionary check section commented out, but I would like to avoid that.
 
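The two counting rules argued over in this thread (kbscores's pam_cracklib credit line in #2 and #3, and the class/length rule pam_passwdqc prints in #5) can be mirrored in a few lines so a candidate password is checked before anyone edits /etc/pam.d. The following is an added example, not code from the posts or from either PAM module. `passwdqc_ok` implements only the length and class-count rule behind `min=`, with the two exceptions passwdqc's prompt states (a leading upper-case letter and a trailing digit do not add a class); it does not reproduce passwdqc's dictionary or passphrase checks, so `tH1s,should:work` passes here although the real module rejected it as dictionary-based. `cracklib_ok` is my reading of pam_cracklib's credit scoring (negative credit = hard minimum count, non-negative credit = bonus toward `minlen`), included to show why the suggested line demands one character of each of the four classes; treat it as an approximation, not the module.

```python
"""Added example: mirror of the pam_passwdqc min= rule and the pam_cracklib
credit rule discussed in the thread. Not the modules' own code.
passwdqc's dictionary and passphrase checks are NOT implemented here.
"""
import math

DISABLED = math.inf  # 'disabled' in a min= field: that class count never passes


def parse_min(spec):
    """Parse a passwdqc 'min=N0,N1,N2,N3,N4' value into five thresholds.

    Slot meaning: N0 = 1 class, N1 = 2 classes, N2 = passphrase,
    N3 = 3 classes, N4 = 4 classes. A field of 'disabled' becomes inf.
    """
    value = spec[len("min="):] if spec.startswith("min=") else spec
    fields = value.split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated fields")
    return [DISABLED if f == "disabled" else int(f) for f in fields]


def count_classes(password):
    """Count character classes the way the passwdqc prompt describes.

    Classes are lower, upper, digit and other. An upper-case first
    character and a digit last character do not count toward their class.
    """
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    others = len(password) - lowers - uppers - digits
    if password and password[0].isupper():
        uppers -= 1
    if password and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (lowers, uppers, digits, others) if n > 0)


def passwdqc_ok(password, min_spec):
    """Length/class rule for a min= spec (no dictionary or passphrase check).

    A password with c classes passes if its length meets the threshold for
    c classes or for any smaller class count; passwdqc requires the min=
    values to be non-increasing, so a long single-class password can pass.
    The passphrase slot N2 is skipped because no word counting is done.
    """
    mins = parse_min(min_spec)
    slots = {1: 0, 2: 1, 3: 3, 4: 4}  # class count -> index into mins
    length = len(password)
    return any(length >= mins[slots[c]]
               for c in range(1, count_classes(password) + 1))


def cracklib_ok(password, minlen=12, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1):
    """Approximation (assumption) of pam_cracklib credit scoring.

    credit >= 0: up to that many characters of the class are added to the
    length score that is compared against minlen.
    credit <  0: hard requirement for at least -credit characters of the
    class, no bonus. All four at -1 therefore means 'one of each class'.
    """
    counts = {
        "l": sum(c.islower() for c in password),
        "u": sum(c.isupper() for c in password),
        "d": sum(c.isdigit() for c in password),
    }
    counts["o"] = len(password) - sum(counts.values())
    credits = {"l": lcredit, "u": ucredit, "d": dcredit, "o": ocredit}
    score = len(password)
    for cls, credit in credits.items():
        if credit >= 0:
            score += min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False
    return score >= minlen


if __name__ == "__main__":
    spec = "min=disabled,disabled,disabled,12,12"  # the setting from post #1
    # constructed sample passwords: the OP's test password plus two contrasts
    for pw in ("tH1s,should:work", "Password1", "pass-Word1!"):
        print(f"{pw!r}: classes={count_classes(pw)} "
              f"passwdqc={passwdqc_ok(pw, spec)} cracklib={cracklib_ok(pw)}")
```

Running it shows the difference that matters for the 3-of-4 requirement: `Password1` counts as a single class under passwdqc's rule (the capital P and the trailing 1 are discounted), `pass-Word1!` has four classes but is one character short of 12, and `abcdefghij1!` fails the cracklib line as posted because `ucredit=-1` insists on an upper-case letter, while `ucredit=0` makes that class optional without changing anything else.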