Old 07-12-2019, 08:36 AM   #1
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 900

Customization (more details) of passwd output command (via libpam-cracklib) during user account password change


As presented in my other thread, I've just put into place a new policy for user account passwords via libpam-cracklib.

So now, some checks are done when a user wants to modify his/her password (enough lowercase/uppercase/digit/special characters, password not used before, password different enough from the previous one and so on).
However, when the new password entered by the user doesn't satisfy those criteria, the output is always the same (except mostly when an old password is rotated or is a palindrome):
Code:
BAD PASSWORD: it is too simplistic/systematic
Is there a way to customize this output so the user knows what to correct in his/her new password to comply with the new policy? For example:
Code:
BAD PASSWORD: your password must contain at least 1 uppercase letter
BAD PASSWORD: your password must contain a digit
...
If not possible, is there a way to display my policy criteria as soon as the user types passwd so he is informed beforehand about the criteria to comply with?

Many thanks!
 
Old 07-12-2019, 11:33 AM   #2
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

Is it a script? If yes, then I would say yes it is.
You just need to find where it is outputting that info then modify it to say what you want.

If not possible, is there a way to display my policy criteria as soon as the user typed passwd so he is informed beforehand about the criteria to comply with?

You'd still have to grab it off the CLI then check it, then reply, maybe run a loop to ask again, and repeat until the password complies, then allow it to be accepted.

I am not familiar with the inner workings, but I am sure a lot of it is scripts, so you should be able to intervene and add your needed modifications to suit your needs.

Last edited by BW-userx; 07-12-2019 at 11:37 AM.
 
Old 07-14-2019, 04:21 PM   #3
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 900

Original Poster
^ I didn't mention it, BW-userx, but it's not inside a script for the time being...
As you explained, it could certainly do the job but I really prefer to keep things simple (KISS) and not have to parse and cover all the different use cases following the user inputs myself (somewhat heavy, static and not very convenient).
I would have guessed passwd and PAM could handle it together but that's just a supposition from me.
 
Old 07-14-2019, 04:38 PM   #4
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

Well,
I am not savvy on PAM, but have you looked through this?
https://www.systutorials.com/docs/li...pam_pwquality/
 
2 members found this post helpful.
Old 07-14-2019, 05:35 PM   #5
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,803

You could always write a wrapper for the passwd command that displays the rules you want the user to use when setting their password and then simply invokes 'passwd'.

Of course, the more knowledgeable user may know about 'passwd' and skip using your wrapper only to get the vague "bad password" message anyway.

What about putting a one liner in the motd file that very briefly explains the requirements:

"Remember: New passwords must contain mixed case characters and at least 1 digit."

Short, sweet, and to the point. The only trouble with having this in '/etc/motd' is that people may begin to ignore it if it doesn't change regularly. (You wouldn't believe how many times I've encountered people who totally missed the notices about the scheduled downtime for HW upgrades that had been in '/etc/motd' for a week or more.) At one time, I had a cron job that updated the motd with cluster utilization information along with the important notices so they paid a little more attention to the content.

Note that you have to make sure that the user login process is actually going to display '/etc/motd' during login. SSH might need to be tweaked, the system-wide profiles in '/etc', etc. all might need to have changes made.
 
Old 07-17-2019, 05:47 AM   #6
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 900

Original Poster
Quote:
Originally Posted by BW-userx
Well,
I am not savvy on PAM, but have you looked through this?
https://www.systutorials.com/docs/li...pam_pwquality/
Excellent, thanks for the hint!
I've installed libpam-pwquality, edited /usr/share/pam-configs/pwquality, run pam-auth-update and voilà!
pwquality is more verbose than cracklib and allows some more features (consecutive characters and number of required classes notably).
Post marked as [SOLVED]

NB: I'm not sure about how to use /etc/security/pwquality.conf... Indeed, I'm setting up my options in /usr/share/pam-configs/pwquality instead (everything is commented in pwquality.conf).
Is it just a matter of preference/choice here?
 
Old 07-17-2019, 07:31 AM   #7
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Quote:
Originally Posted by l0f4r0
Excellent, thanks for the hint!
I've installed libpam-pwquality, edited /usr/share/pam-configs/pwquality, run pam-auth-update and voilà!
pwquality is more verbose than cracklib and allows some more features (consecutive characters and number of required classes notably).
Post marked as [SOLVED]

NB: I'm not sure about how to use /etc/security/pwquality.conf... Indeed, I'm setting up my options in /usr/share/pam-configs/pwquality instead (everything is commented in pwquality.conf).
Is it just a matter of preference/choice here?
You should not be editing /usr/share/pam-configs/pwquality. The files in /usr/share/pam-configs are package config declarations and should not be edited.

Your configuration should be put in /etc/security/pwquality.conf.
 
2 members found this post helpful.
Old 07-19-2019, 11:40 AM   #8
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 900

Original Poster
Quote:
Originally Posted by sgrlscz
You should not be editing /usr/share/pam-configs/pwquality. The files in /usr/share/pam-configs are package config declarations and should not be edited.

Your configuration should be put in /etc/security/pwquality.conf.
Thanks for the advice

Do you know how I can retrieve the original /usr/share/pam-configs files? dpkg-reconfigure libpam-pwquality returns a 0 status code but doesn't reset those files to their initial content.
It seems that those files have precedence over /etc/security ones for modification of /etc/pam.d/common-password so I cannot apply my changes via /etc/security/pwquality.conf now...

As I edited /usr/share/pam-configs/unix as well, can you tell me how to proceed under /etc/security in the same vein please?

Last edited by l0f4r0; 07-19-2019 at 11:43 AM.
 
Old 07-19-2019, 01:59 PM   #9
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

The following should recreate the files in /usr/share/pam-configs:

Code:
apt install --reinstall libpam-pwquality libpam-runtime
That's one of the reasons you don't use the /usr/share/pam-configs files - package changes will replace those files. The packages don't treat those as user-modifiable files. For example, the reinstall will detect if you've changed /etc/pam.d/common-password, and ask if you want to replace it with the package version, but it won't ask you about files in /usr/share/pam-configs.

The /etc/security/pwquality.conf defines the defaults for pam_pwquality.so. If you set different settings using options in /etc/pam.d/common-password, I believe those will take precedence.
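
The precedence described in post #9 (options on the pam_pwquality.so line in /etc/pam.d/common-password overriding the defaults in /etc/security/pwquality.conf), as an added Python example that is not part of the original thread. It merges the two sources and reports which conf settings are shadowed; the file contents are constructed samples, the function names are hypothetical, and it assumes module arguments win, as the post believes.

```python
import shlex

def parse_conf(text):
    """Parse pwquality.conf-style text: 'key = value' lines, '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip() or True
    return settings

def parse_pam_args(pam_text, module="pam_pwquality.so"):
    """Collect the arguments passed to `module` on 'password' lines."""
    args = {}
    for raw in pam_text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        if module in fields:
            for arg in fields[fields.index(module) + 1:]:
                key, sep, value = arg.partition("=")
                args[key] = value if sep else True  # bare flag, e.g. enforce_for_root
    return args

def effective_policy(conf_text, pam_text):
    """Merge both sources, assuming module arguments override the conf file."""
    conf, pam = parse_conf(conf_text), parse_pam_args(pam_text)
    merged = {**conf, **pam}
    source = {k: "pam.d" if k in pam else "pwquality.conf" for k in merged}
    shadowed = {k: (conf[k], pam[k]) for k in conf if k in pam and conf[k] != pam[k]}
    return merged, source, shadowed

# Constructed sample file contents (not taken from the thread).
SAMPLE_CONF = """\
minlen = 12
minclass = 3
# maxsequence = 4
"""
SAMPLE_PAM = """\
password requisite pam_pwquality.so retry=3 minlen=14 enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 remember=400
"""

if __name__ == "__main__":
    merged, source, shadowed = effective_policy(SAMPLE_CONF, SAMPLE_PAM)
    for key in sorted(merged):
        print(f"{key:18} {merged[key]!s:6} from {source[key]}")
    for key, (old, new) in shadowed.items():
        print(f"note: {key}={old} in pwquality.conf is overridden by {key}={new}")
```
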
 
Old 07-21-2019, 12:22 PM   #10
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 900

Original Poster
^ Ok, thanks sgrlscz, your command's worked and reset my /usr/share/pam-configs/{unix,pwquality} files

I won't modify them by hand anymore. However, can I modify /etc/pam.d/common-passwd manually or is it supposed to be handled by pam-auth-update exclusively?
I'm asking because I would like to add options "remember=400" for pam_unix.so and "enforce_for_root" for pam_pwquality.so now and I don't know where to specify them otherwise (adding enforce_for_root in /etc/security/pwquality.conf doesn't work)...
 
Old 07-22-2019, 06:55 AM   #11
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

You can modify /etc/pam.d/common-passwd by hand.
 
Old 07-25-2019, 01:49 PM   #12
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 900

Original Poster
^ Ok, thanks. There seems to be no conflict during pam-auth-update
So to summarize, can one state that best practice is to change files directly inside /etc/pam.d directory except if there are some explicit configuration files elsewhere like in /etc/security?

Last edited by l0f4r0; 07-25-2019 at 01:50 PM.
 