LinuxQuestions.org
Old 12-13-2018, 10:37 AM   #1
YaaY
LQ Newbie
 
Registered: Nov 2009
Posts: 15

Rep: Reputation: 1
Disallow weak password login


Hi,

I'm looking for a way, using PAM, to disallow users who do not meet password complexity from logging in.

To make it clearer: not only should you not be able to select a weak password, but if you already have a weak password you won't be able to log in anymore.

If I understand correctly, it should be the auth module interface and not the password one, but I can't figure out how to configure it.

The following doesn't work
auth required pam_pwquality.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

Thanks ahead,
Ilia
 
Old 12-13-2018, 10:49 AM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,735

Rep: Reputation: 2212
I did not know the answer to your question, so I tried this

I've not read through those links yet, but I suspect the answer is there. Let us know what you find, please.

As you'll see, different distros use different pam config files, so you'll need to tell us what distro you're running. Also, what you tried (show us the name of the config file you edited and what you changed), and whether or not it worked.

BTW "doesn't work" doesn't tell us anything. Did you get an error message?

Last edited by scasey; 12-13-2018 at 10:56 AM.
 
Old 12-13-2018, 12:27 PM   #3
YaaY
LQ Newbie
 
Registered: Nov 2009
Posts: 15

Original Poster
Rep: Reputation: 1
I'm using Red Hat 7.4

I'm currently trying PAM; the current task is to integrate PAM into a self-written app.
For that I'm using the example from PAM manual - http://www.linux-pam.org/Linux-PAM-h...g-example.html

My pam file looks like this :
Quote:
auth required pam_unix.so
account required pam_unix.so
auth required pam_listfile.so onerr=fail item=user sense=allow file=/home/user/user.allow
account required pam_time.so
auth required pam_pwquality.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
I'm trying to verify that the user account is valid, the password is correct, the user is in user.allow, and the user logs in at a specific time, and I'm trying to verify the user's password strength.

After that I will try to lock out users for 5 min if they typed their password wrong 3 times, with something like:
auth required pam_faillock.so preauth audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300


About error messages, I get the following errors in /var/log/secure:
Dec 13 20:18:43 rhel a.out: PAM unable to resolve symbol: pam_sm_authenticate
Dec 13 20:18:43 rhel a.out: PAM unable to resolve symbol: pam_sm_setcred
 
Old 12-13-2018, 01:15 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,735

Rep: Reputation: 2212
I see nothing in your posted "pam file" that contains the strings you're getting errors about.

Which file are you updating? Is it in /etc/pam.d/ ?

Did you see this in man pam?
Code:
/etc/pam.d
           the Linux-PAM configuration directory. Generally, if this directory is present, the /etc/pam.conf file is ignored.
 
Old 12-13-2018, 06:20 PM   #5
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Quote:
Originally Posted by YaaY

about error messages, I get the following errors in /var/log/secure :
Dec 13 20:18:43 rhel a.out: PAM unable to resolve symbol: pam_sm_authenticate
Dec 13 20:18:43 rhel a.out: PAM unable to resolve symbol: pam_sm_setcred
That looks like something is wrong with your PAM installation. pam_sm_authenticate and pam_sm_setcred should be included by default. I would verify whether the PAM package(s) is/are installed correctly.

Like you, I would try to add pw_quality to the login procedure.

EDIT: You mention a self-written app. Are you linking it with the required PAM libraries (no, I don't know what they might be)?

Last edited by berndbausch; 12-13-2018 at 06:22 PM.
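
An added example, not part of any post in this thread: a small lint for a PAM service file that flags modules placed under a module type they do not provide, which is the condition libpam reports as "unable to resolve symbol". The `PROVIDES` table is taken from each module's man page and covers only the modules named in the thread; the function and variable names are this example's own.

```python
import re

# Module types each module provides, per its man page (thread's modules only).
PROVIDES = {
    "pam_unix.so": {"auth", "account", "password", "session"},
    "pam_listfile.so": {"auth", "account", "password", "session"},
    "pam_time.so": {"account"},
    "pam_pwquality.so": {"password"},
    "pam_faillock.so": {"auth", "account"},
}
# Entry points libpam resolves in a module for each module type.
SYMBOLS = {
    "auth": ["pam_sm_authenticate", "pam_sm_setcred"],
    "account": ["pam_sm_acct_mgmt"],
    "password": ["pam_sm_chauthtok"],
    "session": ["pam_sm_open_session", "pam_sm_close_session"],
}
# type, control (keyword or [value=action ...]), module, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def lint(text):
    """Return (lineno, module, type, unresolved_symbols) per mismatched line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank line, comment, or @include
        mtype, module = m.group(1).lower(), m.group(3).rsplit("/", 1)[-1]
        if mtype not in SYMBOLS or module not in PROVIDES:
            continue  # include/substack target or a module not in the table
        if mtype not in PROVIDES[module]:
            findings.append((n, module, mtype, SYMBOLS[mtype]))
    return findings

# Constructed sample: the stack from post #3 plus its two pam_faillock lines.
SAMPLE = """\
auth required pam_unix.so
account required pam_unix.so
auth required pam_listfile.so onerr=fail item=user sense=allow file=/home/user/user.allow
account required pam_time.so
auth required pam_pwquality.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
auth required pam_faillock.so preauth audit deny=3 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
"""

if __name__ == "__main__":
    for n, module, mtype, syms in lint(SAMPLE):
        print(f"line {n}: {module} has no '{mtype}' type; unresolved: {', '.join(syms)}")
```

Under the `password` type, pam_pwquality checks a new password when it is being changed, so moving the line there enforces complexity on future changes but does not reject an existing weak password at login.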
 
  

