06-01-2005, 04:34 PM
|
#1
|
LQ Newbie
Registered: Jun 2005
Posts: 27
Rep:
|
pam_cracklib.so "-1" NOT working
I have read many posts on this forum about using -1 for the lcredit, ucredit, dcredit, and ocredit in the system-auth file (on the pam_cracklib.so line). This is not working for me. I currently have the following:
password requisite /lib/security/$ISA/pam_cracklib.so retry=5 minlen=11 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
However, I have tried many other combinations as well. I just created a password "testhello" and I was able to login. I shouldn't have been able to. I am doing this on RedHat 8.0 and RedHat 9.0. I read that the -1's aren't supported on earlier versions of Linux, but people on this forum have had success using them on RedHat 9.0. Anyone have any ideas? Thanks in advance.
|
|
|
06-02-2005, 12:24 AM
|
#2
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
It should work on RH 9 (in fact I just tried it and it worked). Not sure exactly what you are doing wrong, but keep in mind that if you are root and create the password for that user, then you can make it anything you want (regardless of the cracklib settings). You'll still see the hard-coded "password too short" message if you use a short password, but it will still let you use it. You won't even see the cracklib warnings like "too simple" at all. However, if you log in as that user and try to change the passwd, all the cracklib requirements will apply.
|
|
|
06-02-2005, 08:49 AM
|
#3
|
LQ Newbie
Registered: Jun 2005
Posts: 27
Original Poster
Rep:
|
Well, here's the thing. I want to set a password for the user that I pick. I will give that password to the user, but when he/she enters the username/password I want the system to force them to change it. When they are changing it, or anytime in the future I want them to change it, I want the password rules to apply. What do I need for this to happen? Thanks.
|
|
|
06-02-2005, 09:19 AM
|
#4
|
LQ Newbie
Registered: Jun 2005
Posts: 27
Original Poster
Rep:
|
Also, I see what you're saying, but I'm not assigning a password with root. I'm actually just expiring the account like this:
usermod -L username
chage -d 0 username
usermod -p "" username
It forces the user to change his/her own password, but doesn't apply the cracklib rules. The user can change it to whatever he/she wants as long as it doesn't break the built-in rules such as a minlength of 4.
So, I essentially have 2 problems. The first is that I can't figure out how to set a password for the user, allow him to enter it, then have the system require him to change it.
Second, cracklib settings aren't applying when the user does change it.
|
|
|
08-14-2006, 10:27 AM
|
#5
|
LQ Newbie
Registered: Aug 2006
Distribution: Fedora Core
Posts: 1
Rep:
|
pam_cracklib minlen/credits requires old password
The problem here is that you are setting an empty password, and as a result, passwd (or the expiration code) is not prompting for an "old password" nor is it providing that information to pam_cracklib. Without that information, certain pam_cracklib checks (looking for trivial changes to password, but also all the minlen and credit computations for "simple" passwords) are not performed.
Note that for root, even if the password is not empty, no prompt is ever made for the old password, so these strength checks are not performed on the root password (which is kind of stupid, considering that it is the one password that most needs to be strong).
But for your normal, non-root users, just set a password like "ChangeMe!" and expire it, and since they will (should?) be prompted for the old password, the strength checks you specify should take effect.
@alex
You may have already figured this out, but since I found your thread when trying to understand why it wasn't working for my root user account, I figured it would be helpful to have the answer recorded.
|
|
|
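Added example, not part of any post in this thread and not pam_cracklib's own code: a small Python model of the documented minlen/credit rules, run against the PAM line from post #1, to show what those settings demand once the check is actually applied. A negative credit is a required minimum count for that character class; a credit of zero or more lets up to that many characters of the class shorten the required length. The fallback values in DEFAULTS and all function names are assumptions of this model.

```python
import string

# PAM line exactly as posted in the first message of this thread.
PAM_LINE = ("password requisite /lib/security/$ISA/pam_cracklib.so "
            "retry=5 minlen=11 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")

# Fallbacks this model uses when an option is absent (assumption; the
# defaults of your pam_cracklib version are in its man page).
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASSES = [("dcredit", "digit"), ("ucredit", "upper-case letter"),
           ("lcredit", "lower-case letter"), ("ocredit", "other character")]


def parse_options(pam_line):
    """Pick the integer options this model understands out of a PAM line."""
    opts = dict(DEFAULTS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts


def count_classes(password):
    """Count characters per class, keyed by the option that governs it."""
    counts = dict.fromkeys(("dcredit", "ucredit", "lcredit", "ocredit"), 0)
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def violations(password, opts):
    """Return the rules the password breaks; an empty list means accepted."""
    counts, needed, problems = count_classes(password), opts["minlen"], []
    for opt, label in CLASSES:
        credit = opts[opt]
        if credit < 0 and counts[opt] < -credit:
            problems.append(f"needs at least {-credit} {label}(s)")
        elif credit >= 0:
            needed -= min(counts[opt], credit)  # credit shortens minlen
    if len(password) < needed:
        problems.append(f"needs length {needed}, has {len(password)}")
    return problems
```

Calling violations("testhello", parse_options(PAM_LINE)) lists four broken rules (no digit, no upper-case letter, no other character, too short), so a "testhello" that gets accepted means the check never ran, not that the options were misread.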