I've started playing a little bit with PAM on my Debian 9 server (kernel 4.9.0-9-amd64), especially with libpam-cracklib in order to enforce a better account password policy.
So in my /etc/pam.d/common-password, I've added the following:
Code:
password requisite pam_cracklib.so retry=3 difok=3 dcredit=-1 lcredit=-1 minlen=12 ocredit=-1 reject_username ucredit=-1
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=400
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
I didn't need to create file /etc/security/opasswd as it was already present (probably created during libpam-cracklib installation), with the appropriate permissions:
Code:
-rw------- 1 root root 0 jul 12 12:50 /etc/security/opasswd
However, users are not able to change their password anymore via passwd (prompt says: "Authentication Token Manipulation Error"). It worked before...
NB: it still works via root
I've tried to delete the remember=400 part to no avail, even after reboot.
After investigation, I've noticed that the SUID bit on /usr/bin/passwd has disappeared:
Code:
-rwxr-xr-x 1 root root 59680 may 17 2017 /usr/bin/passwd
So I've just set it up again with chmod u+s /usr/bin/passwd and guess what, no problem anymore!
Question: do you have an idea why the SUID bit disappeared on /usr/bin/passwd?
Thank you in advance
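Added example (not from the original post): a small POSIX shell audit that checks the two things the poster ended up inspecting by hand, the setuid bit on the passwd binary and the permissions on the pam_unix password-history file. Without setuid, passwd runs with the caller's privileges and cannot rewrite /etc/shadow, which pam_unix surfaces as the "Authentication token manipulation error" seen above. It assumes GNU stat (Debian coreutils) and the Debian default paths /usr/bin/passwd and /etc/security/opasswd; run it as `sh audit.sh --run`.

```shell
#!/bin/sh
# Added audit script, not part of the original post.
# Assumes GNU stat (Debian) and the Debian default paths below.

PASSWD_BIN=/usr/bin/passwd
OPASSWD=/etc/security/opasswd

# mode_has_setuid MODE
#   MODE is the octal mode as printed by `stat -c %a` (e.g. 755 or 4755).
#   Succeeds when the setuid bit (the 4 in the leading "special" digit) is set.
mode_has_setuid() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done   # 755 -> 0755
    special=${mode%???}                                  # 4755 -> 4
    [ $((special & 4)) -eq 4 ]
}

# mode_is_owner_only MODE
#   Succeeds when MODE is exactly 0600. opasswd stores old password hashes
#   and must be readable and writable by root only.
mode_is_owner_only() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    [ "$mode" = "0600" ]
}

# check_setuid PATH -> 0 ok, 1 setuid bit missing, 2 file not found
check_setuid() {
    path=$1
    mode=$(stat -c '%a' "$path" 2>/dev/null) || { echo "MISSING $path"; return 2; }
    if mode_has_setuid "$mode"; then
        echo "OK      $path mode $mode (setuid present)"
        return 0
    fi
    echo "FAIL    $path mode $mode (setuid missing: unprivileged passwd cannot update /etc/shadow)"
    echo "        fix: chmod u+s $path"
    return 1
}

# check_opasswd PATH -> 0 ok, 1 wrong mode or ownership, 2 file not found
check_opasswd() {
    path=$1
    info=$(stat -c '%a %U %G' "$path" 2>/dev/null) || { echo "MISSING $path"; return 2; }
    mode=${info%% *}      # first field: octal mode
    owner=${info#* }      # remaining fields: "user group"
    if mode_is_owner_only "$mode" && [ "$owner" = "root root" ]; then
        echo "OK      $path $info"
        return 0
    fi
    echo "FAIL    $path $info (expected 600 root root)"
    return 1
}

# Only touch the real system paths when invoked with --run, so the functions
# above can also be sourced and exercised on throwaway files.
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_setuid "$PASSWD_BIN" || rc=1
    check_opasswd "$OPASSWD" || rc=1
    exit $rc
fi
```

The exit status is non-zero whenever either check fails, so the script can sit in a cron job or a configuration-management check and flag the setuid bit going missing again before users start reporting broken passwd.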