[SOLVED] Customization (more details) of passwd output command (via libpam-cracklib) during user account password change
As presented in my other thread, I've just put into place a new policy for user account passwords via libpam-cracklib.
So now, some checks are done when a user wants to modify his/her password (enough lowercase/uppercase/digit/special characters, password not used before, password different enough from the previous one and so on).
However, when the new password entered by the user doesn't satisfy those criteria, the output is always the same (except, mostly, when an old password is rotated or the password is a palindrome):
Code:
BAD PASSWORD: it is too simplistic/systematic
Is there a way to customize this output so the user knows what to correct in his/her new password to comply with the new policy? For example:
Code:
BAD PASSWORD: your password must contain at least 1 uppercase letter
BAD PASSWORD: your password must contain a digit
...
If not possible, is there a way to display my policy criteria as soon as the user types passwd, so he is informed beforehand about the criteria to comply with?
is it a script? if yes, then I would say yes it is.
You just need to find where it is outputting that info then modify it to say what you want.
If not possible, is there a way to display my policy criteria as soon as the user types passwd, so he is informed beforehand about the criteria to comply with?
You'd still have to grab it off the cli, then check it, then reply, maybe run a loop to ask again, and repeat until the password complies, then allow it to be accepted.
I am not familiar with the inner workings, but I am sure a lot of it is scripts, so you should be able to intervene and add your needed modifications to suit your needs.
^ I didn't mention it, BW-userx, but it's not inside a script at the moment...
As you explained, it could certainly do the job, but I really prefer to keep things simple (KISS) and not have to parse and cover myself all the different use cases following the user inputs (somewhat heavy, static and not very convenient).
I would have guessed passwd and PAM could handle it together, but that's just a supposition from me.
You could always write a wrapper for the passwd command that displays the rules you want the user to use when setting their password and then simply invokes 'passwd'.
Of course, the more knowledgeable user may know about 'passwd' and skip using your wrapper, only to get the vague "bad password" message anyway.
What about putting a one liner in the motd file that very briefly explains the requirements:
"Remember: New passwords must contain mixed case characters and at least 1 digit."
Short, sweet, and to the point. The only trouble with having this in '/etc/motd' is that people may begin to ignore it if it doesn't change regularly. (You wouldn't believe how many times I've encountered people who totally missed the notices about the scheduled downtime for HW upgrades that had been in '/etc/motd' for a week or more.) At one time, I had a cron job that updated the motd with cluster utilization information along with the important notices so they paid a little more attention to the content.
Note that you have to make sure that the user login process is actually going to display '/etc/motd' during login. SSH might need to be tweaked, the system-wide profiles in '/etc', etc. all might need to have changes made.
Excellent, thanks for the hint!
I've installed libpam-pwquality, edited /usr/share/pam-configs/pwquality, run pam-auth-update and voilà! pwquality is more verbose than cracklib and allows some more features (consecutive characters and number of required classes notably).
Post marked as [SOLVED]
NB: I'm not sure about how to use /etc/security/pwquality.conf... Indeed, I'm setting up my options in /usr/share/pam-configs/pwquality instead (everything is commented in pwquality.conf).
Is it just a matter of preference/choice here?
You should not be editing /usr/share/pam-configs/pwquality. The files in /usr/share/pam-configs are package config declarations and should not be edited.
Your configuration should be put in /etc/security/pwquality.conf.
Thanks for the advice.
Do you know how I can retrieve the original /usr/share/pam-configs files? dpkg-reconfigure libpam-pwquality returns a 0 status code but doesn't reset those files to their initial content.
It seems that those files have precedence over /etc/security ones for modification of /etc/pam.d/common-password so I cannot apply my changes via /etc/security/pwquality.conf now...
As I edited /usr/share/pam-configs/unix as well, can you tell me how to proceed under /etc/security in the same vein please?
That's one of the reasons you don't use the /usr/share/pam-configs files - package changes will replace those files. The packages don't treat those as user-modifiable files. For example, the reinstall will detect if you've changed /etc/pam.d/common-password, and ask if you want to replace it with the package version, but it won't ask you about files in /usr/share/pam-configs.
The /etc/security/pwquality.conf defines the defaults for pam_pwquality.so. If you set different settings using options in /etc/pam.d/common-password, I believe those will take precedence.
^ Ok, thanks sgrlscz, your command worked and reset my /usr/share/pam-configs/{unix,pwquality} files.
I won't modify them by hand anymore. However, can I modify /etc/pam.d/common-password manually, or is it supposed to be handled by pam-auth-update exclusively?
I'm asking because I would like to add options "remember=400" for pam_unix.so and "enforce_for_root" for pam_pwquality.so now and I don't know where to specify them otherwise (adding enforce_for_root in /etc/security/pwquality.conf doesn't work)...
^ Ok, thanks. There seems to be no conflict during pam-auth-update.
So to summarize, can one state that best practice is to change files directly inside the /etc/pam.d directory, except if there are some explicit configuration files elsewhere, like in /etc/security?
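To make the mechanics discussed in this thread concrete, here is an added illustration that is not part of the thread and is not libpwquality: a small Python re-implementation of a handful of pam_pwquality-style checks. The option names it reads (minlen, minclass, maxrepeat, dcredit, ucredit, retry, enforce_for_root) are real pam_pwquality options, but the sample pwquality.conf text and the sample pam.d line are constructed, the builtin fallback values are mine rather than pwquality's own defaults, and the messages only approximate pwquality's wording. It shows the two points made above: defaults come from /etc/security/pwquality.conf, module arguments on the pam_pwquality.so line in /etc/pam.d/common-password override them, and each failed rule produces its own message instead of a single "BAD PASSWORD: it is too simplistic/systematic".

```python
"""Constructed example for this thread: NOT libpwquality, just a model of how
pwquality.conf defaults, pam.d module arguments and per-rule messages fit together."""
import re

# Constructed sample in the "key = value" style of /etc/security/pwquality.conf.
SAMPLE_PWQUALITY_CONF = """
# Minimum acceptable length for the new password
minlen = 12
# Number of character classes (lower, upper, digit, other) required
minclass = 3
# Longest allowed run of the same character (0 disables the check)
maxrepeat = 3
# Negative credit values mean "at least this many" of that class
dcredit = -1
ucredit = -1
"""

# Constructed sample pam_pwquality.so line from /etc/pam.d/common-password.
# minclass=4 here overrides minclass = 3 from the conf file.
SAMPLE_PAM_LINE = ("password requisite pam_pwquality.so "
                   "retry=3 minclass=4 enforce_for_root")

# Fallback values when neither source sets an option (assumed here, not pwquality's real defaults).
BUILTIN_DEFAULTS = {"minlen": 8, "minclass": 0, "maxrepeat": 0,
                    "lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}

CLASS_PATTERNS = {
    "lcredit": (r"[a-z]", "lowercase letters"),
    "ucredit": (r"[A-Z]", "uppercase letters"),
    "dcredit": (r"[0-9]", "digits"),
    "ocredit": (r"[^a-zA-Z0-9]", "non-alphanumeric characters"),
}

def _coerce(value):
    """Turn numeric option strings (including negatives) into ints; keep other text as-is."""
    return int(value) if value.lstrip("-").isdigit() else value

def parse_pwquality_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = _coerce(value)
    return opts

def parse_pam_module_args(line):
    """Return the module arguments of a PAM line ('type control module args...').
    key=value tokens become options; bare tokens such as enforce_for_root become flags."""
    opts = {}
    for tok in line.split()[3:]:
        key, _, value = tok.partition("=")
        opts[key] = _coerce(value) if value else True
    return opts

def effective_options(conf_text, pam_line):
    """Precedence: builtin fallbacks < pwquality.conf < pam.d module arguments (last wins)."""
    opts = dict(BUILTIN_DEFAULTS)
    opts.update(parse_pwquality_conf(conf_text))
    opts.update(parse_pam_module_args(pam_line))
    return opts

def check_password(new, opts):
    """Return one message per failed rule; an empty list means the password passes."""
    messages = []
    if len(new) < opts["minlen"]:
        messages.append(f"The password is shorter than {opts['minlen']} characters")
    present = {k: len(re.findall(pat, new)) for k, (pat, _) in CLASS_PATTERNS.items()}
    if sum(1 for n in present.values() if n) < opts["minclass"]:
        messages.append(f"The password contains less than {opts['minclass']} character classes")
    for key, (_, label) in CLASS_PATTERNS.items():
        # Only negative credits are a hard requirement; positive credits affect
        # pwquality's length scoring and are not modelled in this example.
        required = -opts[key] if opts[key] < 0 else 0
        if present[key] < required:
            messages.append(f"The password contains less than {required} {label}")
    if opts["maxrepeat"] and re.search(r"(.)\1{%d,}" % opts["maxrepeat"], new):
        messages.append(f"The password contains more than {opts['maxrepeat']} same characters consecutively")
    if len(new) > 1 and new == new[::-1]:
        messages.append("The password is a palindrome")
    return messages

def passwd_decision(new, opts, is_root=False):
    """Model enforce_for_root: without the flag, root only gets warnings and the change goes through."""
    messages = check_password(new, opts)
    if messages and is_root and not opts.get("enforce_for_root"):
        return "accepted (root, warnings only)", messages
    return ("rejected" if messages else "accepted"), messages

if __name__ == "__main__":
    opts = effective_options(SAMPLE_PWQUALITY_CONF, SAMPLE_PAM_LINE)
    for candidate in ("aaaa1234", "Abc1!1cbA", "Tr0ub4dor&3xample"):
        verdict, msgs = passwd_decision(candidate, opts)
        print(f"{candidate!r}: {verdict}")
        for msg in msgs:
            print("  BAD PASSWORD:", msg)
```

Running it with the constructed samples rejects "aaaa1234" with four distinct messages (too short, too few classes, no uppercase letter, four identical consecutive characters), rejects "Abc1!1cbA" as too short and a palindrome, and accepts "Tr0ub4dor&3xample". Dropping enforce_for_root from the pam.d line makes the same weak password go through for root with warnings only, which is the behaviour the flag exists to prevent.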