LinuxQuestions.org

Help -- PAM password restrictions don't seem to be working (https://www.linuxquestions.org/questions/linux-newbie-8/help-pam-password-restrictions-dont-seem-to-be-working-803388/)

Nabana 04-21-2010 05:16 PM

Help -- PAM password restrictions don't seem to be working
 
I set some restrictions in /etc/pam.d/system-auth, but they don't seem to be affecting anything.

/etc/pam.d/passwd:
Code:

password    required    pam_cracklib.so  retry=3 minlen=8
password    required    pam_unix.so      md5 shadow use_authtok

/etc/pam.d/system-auth:
Code:

auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so

account    required      pam_unix.so

password    required      pam_cracklib.so try_first_pass retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minlen=8
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow remember=5
password    required      pam_deny.so

session    optional      pam_keyinit.so revoke
session    required      pam_limits.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required      pam_unix.so

So even if I give a password that's less than 8 chars (which minlen=8 should prevent), it still takes it. The other uppercase/lowercase/digit/special character rules don't seem to do anything either.

Console:
Code:

admin1@box1$ passwd
Changing password for admin1
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully


/var/log/secure doesn't seem to show much except for "password changed for user":

Code:

Apr 21 22:10:49 passwd[1134]: pam_unix(passwd:chauthtok): username [admin1] obtained
Apr 21 22:10:59 passwd[1134]: pam_unix(passwd:chauthtok): username [admin1] obtained
Apr 21 22:10:59 passwd[1134]: pam_unix(passwd:chauthtok): password changed for admin1


Any ideas?

anomie 04-21-2010 05:35 PM

For your consideration: my comments on pam_cracklib vs. pam_passwdqc.

That said, what OS / version is this? Your /etc/pam.d/passwd config looks odd. On RHEL, for example, by default it should read -
Code:

...
password include system-auth

- rather than invoking pam_cracklib there and in the system-auth config.
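
To see why the placement matters, here is an added example (my own code, not from the thread or from Linux-PAM) that resolves which rules actually run for the `password` stack of the `passwd` service. It parses the subset of /etc/pam.d syntax needed here (one rule per line, `#` comments, bracketed control values, and the `include`/`substack` controls that pull rules of the same type from another file) and walks it over a scratch directory that stands in for /etc/pam.d. The sample files are constructed from the thread: the poster's own /etc/pam.d/passwd, a stock-style passwd file that includes system-auth as anomie describes, and the poster's system-auth.

```python
"""Resolve which PAM rules actually run for a service's 'password' stack."""
import os
import tempfile

# Constructed sample files (from the thread): the poster's /etc/pam.d/passwd,
# which never references system-auth, versus a passwd file that includes it.
ORIGINAL_PASSWD = """\
password    required    pam_cracklib.so  retry=3 minlen=8
password    required    pam_unix.so      md5 shadow use_authtok
"""

RHEL_STYLE_PASSWD = """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
"""

SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    required      pam_cracklib.so try_first_pass retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minlen=8
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""


def parse_text(text):
    """Return [(type, control, module, args), ...] for the rules in a pam.d file body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        mtype = mtype.lstrip("-")            # leading '-' marks a module PAM may silently skip
        if rest.startswith("["):             # bracketed control values contain spaces
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            control, rest = rest.split(None, 1)
        fields = rest.split()
        rules.append((mtype, control, fields[0], fields[1:]))
    return rules


def parse_file(pam_dir, service):
    with open(os.path.join(pam_dir, service)) as fh:
        return parse_text(fh.read())


def effective_stack(pam_dir, service, mtype, _depth=0):
    """Rules PAM runs for management group `mtype` of `service`, with
    include/substack expanded in place, in the order PAM would run them."""
    if _depth > 8:
        raise RuntimeError("include loop while resolving %s" % service)
    stack = []
    for rtype, control, module, args in parse_file(pam_dir, service):
        if rtype != mtype:
            continue
        if control in ("include", "substack"):
            stack.extend(effective_stack(pam_dir, module, mtype, _depth + 1))
        else:
            stack.append((control, module, args))
    return stack


def cracklib_args(stack):
    """Argument list of the first pam_cracklib.so rule in a stack, or None."""
    for _control, module, args in stack:
        if module == "pam_cracklib.so":
            return args
    return None


def compare_layouts():
    """Resolve the 'password' stack of the passwd service under both layouts."""
    results = {}
    with tempfile.TemporaryDirectory() as pam_dir:
        with open(os.path.join(pam_dir, "system-auth"), "w") as fh:
            fh.write(SYSTEM_AUTH)
        for name, body in (("original", ORIGINAL_PASSWD), ("rhel", RHEL_STYLE_PASSWD)):
            with open(os.path.join(pam_dir, "passwd"), "w") as fh:
                fh.write(body)
            results[name] = effective_stack(pam_dir, "passwd", "password")
    return results


if __name__ == "__main__":
    for name, stack in compare_layouts().items():
        print("%s layout, password stack for service 'passwd':" % name)
        for control, module, args in stack:
            print("    %-10s %-16s %s" % (control, module, " ".join(args)))
```

Under the original layout the resolved stack is just the two lines from /etc/pam.d/passwd; the `ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1` line in system-auth is never consulted for the passwd service, which is consistent with the symptoms in the first post. With the include line, the system-auth rules are what runs. The same walk works for any service file, so it is a quick way to check which pam_cracklib (or pam_pwquality) arguments are really in force before testing with `passwd`.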

unSpawn 04-21-2010 05:53 PM

...and adding /usr/share/doc/pam-${VERSION}/txts/README.pam_cracklib to that: "minlen=N: The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)." So in your case, since credits are not disabled, minlen is actually $[${minlen}+1], right?
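
What the README's "plus one" wording amounts to is easier to see with the arithmetic written out. The following is an added example (my own code, not from the thread or from Linux-PAM) that models only the length check pam_cracklib derives from `minlen` and the four `*credit` options, as that README describes them: a positive credit lets up to that many characters of a class count extra towards `minlen`; a negative credit instead makes at least that many characters of the class mandatory and adds nothing. The dictionary, similarity and palindrome checks, and cracklib's own hard-coded short-password limits, are not modelled. Defaults follow the module's documented ones (minlen=9, every credit 1); ASCII passwords are assumed, since Python's `str.isupper` and friends are Unicode-aware. The two argument strings are the pam_cracklib lines from this thread.

```python
"""pam_cracklib's minlen / credit arithmetic, re-implemented for illustration."""

CREDIT_KEYS = ("dcredit", "ucredit", "lcredit", "ocredit")


def count_classes(password):
    """Count digits, upper-case, lower-case and other characters (ASCII assumed)."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def length_ok(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """True if the password satisfies the minlen/credit rule.

    Positive credit: up to `credit` characters of that class are subtracted
    from the required size.  Negative credit: the class must appear at least
    -credit times, and nothing is subtracted from the required size.
    """
    counts = count_classes(password)
    credits = {"dcredit": dcredit, "ucredit": ucredit,
               "lcredit": lcredit, "ocredit": ocredit}
    size = minlen
    for key in CREDIT_KEYS:
        credit, have = credits[key], counts[key]
        if credit >= 0:
            size -= min(have, credit)
        elif have < -credit:
            return False
    return len(password) >= size


def parse_cracklib_args(arg_string):
    """Pick minlen and the *credit options out of a pam_cracklib argument list,
    i.e. everything after 'pam_cracklib.so' on the config line."""
    opts = {}
    for token in arg_string.split():
        if "=" not in token:
            continue                      # flags such as try_first_pass carry no value
        key, value = token.split("=", 1)
        if key == "minlen" or key in CREDIT_KEYS:
            opts[key] = int(value)
    return opts


# Constructed samples: the two pam_cracklib argument lists posted in the thread.
POSTER_PASSWD_LINE = "retry=3 minlen=8"
SYSTEM_AUTH_LINE = "try_first_pass retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minlen=8"

if __name__ == "__main__":
    for label, args in (("pam.d/passwd", POSTER_PASSWD_LINE), ("system-auth", SYSTEM_AUTH_LINE)):
        opts = parse_cracklib_args(args)
        print(label, opts)
        for pw in ("abcdefg", "Ab1!x", "abcdefgh", "Abcdef1!"):
            verdict = "accepted" if length_ok(pw, **opts) else "rejected"
            print("   %-10r -> %s" % (pw, verdict))
```

With the poster's `minlen=8` and the default credits, a seven-letter all-lowercase password passes the length rule (8 minus one credit for the lowercase class), and a five-character password drawing on all four classes needs only 8 minus 4 = 4 characters, so `minlen=8` is a score, not a character count. The system-auth line's `-1` credits make every class mandatory and leave the full 8 in force, so `Ab1!x` and `abcdefgh` are both rejected there and `Abcdef1!` is the shortest shape that passes.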

Nabana 04-29-2010 01:17 PM

I put the rules in pam.d/passwd instead of system-auth, and it works as expected. Not sure why it was originally set up like this, but that did the trick.

