RHEL 5.8. Password Complexity and disable suggestions.
I'm trying to enforce password complexity and am not getting the results I expect. I've searched, read the man and readme for everything I can think of. My requirements are 12 char and 3 or more char types. The suggestions rarely meet this, so they are unacceptable. Even when I choose my own, which meets the requirements, it won't work. I would also like to disable_firstupper_lastdigit. Would I just append that to the passwdqc line? Here is my system-auth-ac:
I was going to use that, but I would have to pick the three types or require all 4 to meet our security requirements (3 of 4 types). The server I started to look at uses the pam_passwdqc.so module instead. passwdqc is a newer, more flexible, and I believe preferred, module. Even with other servers that are using cracklib, I still can't find a passwd that works, and they're not using any credits, just minlen. I and my other users are forced to use the suggested one (and usually they only use 2 char types). I'm trying to figure out how to get more debug info from the passwd process as well. I look in /var/log/secure and see "sudo: pam_tally(sudo:setcred): Tally underflowed for user root", but I think it's just a generic error when the password change doesn't complete.
OK. I added random=0 to the system-auth-ac at the end of the line containing pam_passwdqc.
This does get rid of the generated one.
Here is the result:
Code:
Changing password for user testuser.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 12 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.
Enter new password:
Weak password: based on a dictionary word and not a passphrase.
Try again.
No generated suggestion but my test password won't work due to the dictionary check.
I guess I could rebuild the module with the dictionary check section commented but I would like to avoid that.
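
Added example, not part of the thread and not passwdqc's own code: a simplified Python model of the class-counting rule quoted in the prompt above (12 characters, 3 of 4 classes, a leading upper-case letter and a trailing digit not counted), showing how a password that looks like it has three classes can be counted as fewer. It does not model the dictionary check; the function names and sample passwords are constructed for illustration.

```python
import string

MIN_LEN = 12      # from the prompt: "a 12 character long password"
MIN_CLASSES = 3   # from the prompt: "at least 3 of these 4 classes"


def _count(password):
    """Count characters per class: upper, lower, digit, other."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def naive_classes(password):
    """Classes as a user would count them by eye."""
    return sum(1 for n in _count(password).values() if n > 0)


def effective_classes(password):
    """Classes after applying the rule quoted in the prompt: an upper-case
    letter that begins the password and a digit that ends it do not count."""
    counts = _count(password)
    if password and password[0] in string.ascii_uppercase:
        counts["upper"] -= 1
    if password and password[-1] in string.digits:
        counts["digit"] -= 1
    return sum(1 for n in counts.values() if n > 0)


def check(password):
    """Return a list of reasons the password fails this model (empty = ok)."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("too short")
    if effective_classes(password) < MIN_CLASSES:
        reasons.append("too few effective classes")
    return reasons


if __name__ == "__main__":
    for pw in ("Winterstorm7", "Winterstorm7!", "wInterstorm7!"):  # constructed
        print(pw, naive_classes(pw), effective_classes(pw), check(pw))
```
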