LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-01-2005, 04:34 PM   #1
scottjwoodford
LQ Newbie
 
Registered: Jun 2005
Posts: 27

Rep: Reputation: 15
pam_cracklib.so "-1" NOT working


I have read many posts on this forum about using -1 for the lcredit, ucredit, dcredit, and ocredit in the system-auth file (on the pam_cracklib.so line). This is not working for me. I currently have the following:

password requisite /lib/security/$ISA/pam_cracklib.so retry=5 minlen=11 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

However, I have tried many other combinations as well. I just created a password "testhello" and I was able to login. I shouldn't have been able to. I am doing this on RedHat 8.0 and RedHat 9.0. I read that the -1's aren't supported on earlier versions of Linux, but people on this forum have had success using them on RedHat 9.0. Anyone have any ideas? Thanks in advance.
 
Old 06-02-2005, 12:24 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It should work on RH 9 (in fact I just tried it and it worked). Not sure exactly what you are doing wrong, but keep in mind that if you are root and create the password for that user, then you can make it anything you want (regardless of the cracklib settings). You'll still see the hard-coded "password too short" message if you use a short password, but it will still let you use it. You won't even see the cracklib warnings like "too simple" at all. However, if you log in as that user and try to change the passwd, all the cracklib requirements will apply.
 
Old 06-02-2005, 08:49 AM   #3
scottjwoodford
LQ Newbie
 
Registered: Jun 2005
Posts: 27

Original Poster
Rep: Reputation: 15
Well, here's the thing. I want to set a password for the user that I pick. I will give that password to the user, but when he/she enters the username/password I want the system to force them to change it. When they are changing it, or anytime in the future I want them to change it, I want the password rules to apply. What do I need for this to happen? Thanks.
 
Old 06-02-2005, 09:19 AM   #4
scottjwoodford
LQ Newbie
 
Registered: Jun 2005
Posts: 27

Original Poster
Rep: Reputation: 15
Also, I see what you're saying, but I'm not assigning a password with root. I'm actually just expiring the account like this:


usermod –L username
chage –d 0 username
usermod –p “” username

It forces the user to change his/her own password, but doesn't apply the cracklib rules. The user can change it to whatever he/she wants as long as it doesn't break the built-in rules such as a minlength of 4.

So, I essentially have 2 problems. The first is that I can't figure out how to set a password for the user, allow him to enter it, then have the system require him to change it.

Second, crackbib settings aren't applying when the user does change it.
 
Old 08-14-2006, 10:27 AM   #5
alex.dupuy
LQ Newbie
 
Registered: Aug 2006
Distribution: Fedora Core
Posts: 1

Rep: Reputation: 0
pam_cracklib minlen/credits requires old password

The problem here is that you are setting an empty password, and as a result, passwd (or the expiration code) is not prompting for an "old password" nor is it providing that information to pam_cracklib. Without that information, certain pam_cracklib checks (looking for trivial changes to password, but also all the minlen and credit computations for "simple" passwords) is not performed.

Note that for root, even if the password is not empty, no prompt is ever made for the old password, so these strength checks are not performed on the root password (which is kind of stupid, considering that it is the one password that most needs to be strong).

But for your normal, non-root users, just set a password like "ChangeMe!" and expire it, and since they will (should be?) be prompted for the old password, the strngth checks you specify should take effect.

@alex

You may have already figured this out, but since I found your thread when trying to understand why it wasn't working for my root user account, I figured it would be helpful to have the answer recorded.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
bash script: using "select" to show multi-word options? (like "option 1"/"o zidane_tribal Programming 7 12-19-2015 02:03 AM
what is "sticky bit mode" , "SUID" , "SGID" augustus123 Linux - General 10 08-03-2012 05:40 AM
Telling people to use "Google," to "RTFM," or "Use the search feature" Ausar General 77 03-21-2010 12:26 PM
"Xlib: extension "XFree86-DRI" missing on display ":0.0"." zaps Linux - Games 9 05-14-2007 04:07 PM
commands "init" and "modprobe" not working Diagmato Fedora 2 07-23-2005 12:44 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration