
openSauce 10-11-2007 04:35 AM

How do I disable cracklib and use null passwords?

I would like the only user account on my desktop to have a null/empty password. How do I disable cracklib in the PAM configuration from saying this is not allowed? I can see how commenting out the cracklib line in /etc/pam.d/system-auth-ac could work, but that file is auto-generated by authconfig, and I don't want my changes to be lost when authconfig is run. It seems like authconfig should provide a way to do it, but none of its command-line or GUI options relate to cracklib. I tried setting USECRACKLIB=no in /etc/sysconfig/authconfig and running authconfig --updateall, but this simply reset the text file to USECRACKLIB=yes. How can I change this?

I'd also like to ask how much of a risk you think this is? I'm not worried about my flatmates/friends using my computer, in fact I'd rather they were able to do so without a password. But how easy would it be for someone to access my user account over the internet if I don't have a password?

miedward 10-11-2007 07:35 AM

If the machine is visible to the internet (which it may or may not be), it would get compromised very quickly by the scripts that scan around to random IP addresses and brute force attack them.

If you don't mind your flat mates logging in, just put a sticky note with the username and password on the monitor. That protects you from the bots to some degree and it allows you to use a good password because no one has to remember it.

Or you could run off a liveCD or something of the sort which doesn't generally use passwords that you need to know.

win32sux 10-11-2007 09:27 AM

Wouldn't you be much better-off simply configuring your session manager to auto-login? I have my Ubuntu desktop (which uses GDM) configured like this for my parents. If your objective is simply to not have to type a password when the computer starts, auto-login is the way to go. You could even use a "guest" account for the auto-login, so that your personal account is still password-protected.

openSauce 10-11-2007 07:35 PM

Thanks for the advice. I've decided to retain my password and use auto-login. Out of interest, how would I disable cracklib? There must be a relatively simple way to do it!

raybert 01-29-2011 03:17 PM

Old thread but I'll post the answer anyway so others can find it...

Make the following changes in both /etc/pam.d/system-auth and /etc/pam.d/password-auth:


#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass #use_authtok
password    requisite

The changes are:
  • comment-out the pam_cracklib line
  • comment-out the "use_authtok" argument on the pam_unix line

use_authtok effectively tells pam_unix to require a password from the previous step (formerly pam_cracklib). So if you leave it there after commenting-out pam_cracklib, no password is passed to pam_unix and it refuses to prompt for one itself and the whole operation fails.

So these changes cause pam_unix to prompt you for a password instead of pam_cracklib.
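Added example, not part of raybert's post or of any PAM tooling: a small Python audit that reads a PAM service file and reports the settings discussed in this thread (nullok on pam_unix, no active password-quality module, and use_authtok left on pam_unix with nothing before it to supply the password). The sample text is constructed; its auth line and the pam_deny.so module name are assumptions modelled on a stock-style layout, and treating only pam_cracklib, pam_pwquality and pam_passwdqc as the "earlier module" is a simplification.

```python
import re

# Constructed sample, not copied from a real host: a stock-style auth line plus
# the edited password lines from the post (pam_deny.so is an assumed module name).
SAMPLE = """\
auth        sufficient    pam_unix.so nullok try_first_pass
#password   requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass #use_authtok
password    required      pam_deny.so
"""

# type, control (plain word or [bracketed list]), module, remaining arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Assumption: only these modules count as supplying the new password earlier on.
QUALITY = {"pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so"}

def parse(text):
    """Yield (type, control, module basename, args) for each active PAM line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, even mid-line
        m = LINE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            yield mtype, control, module.rsplit("/", 1)[-1], args.split()

def audit(text):
    """Return a sorted list of (type, finding) pairs for one PAM service file."""
    findings = set()
    quality_seen = False
    for mtype, _control, module, args in parse(text):
        if mtype == "password" and module in QUALITY:
            quality_seen = True
        if module != "pam_unix.so":
            continue
        if "nullok" in args and mtype in ("auth", "password"):
            findings.add((mtype, "nullok"))  # blank passwords are accepted
        if mtype == "password" and "use_authtok" in args and not quality_seen:
            # the failure the post describes: nothing earlier set the password
            findings.add((mtype, "use_authtok-without-earlier-module"))
    if not quality_seen:
        findings.add(("password", "no-quality-module"))
    return sorted(findings)

if __name__ == "__main__":
    for mtype, finding in audit(SAMPLE):
        print(f"{mtype}: {finding}")
```

Running it against /etc/pam.d/system-auth and /etc/pam.d/password-auth after an authconfig run shows whether manual edits like these survived or were regenerated.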
