password complexity
Hi, I was initially told to make changes in the /etc/pam.d/system-auth config file for complexity (lcredit=-1, uccredit=1, lccredit=1, ...), but this is not working on my system.
I have Fedora Core release 3 (Heidelberg), kernel 2.6.9-1.667 on i686. Is there any other procedure to achieve complexity? |
this is not working on my system.
- What were the errors?
- Did you try in debug mode?
- How did you test?
- What are the contents of your /etc/pam.d/system-auth? |
Hi. These are the contents of my /etc/pam.d/system-auth config file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

I set the parameters minlen, dcredit, ucredit, lcredit, ocredit and difok to their values. minlen is working fine, but when I created a new user and set the password as 'aaaaaa', it is being accepted. It should not be, should it? Because the password:
* Must be at least 6 characters and at most 12 characters
* Must contain at least one lower case letter, one upper case letter, one digit and one special character
* Valid special characters are: @#$%^&+=
What do I do now??? |
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2
AFAIK the docs say nothing about using negative values, only integers.

Quote:
when i created a new user and set the password as 'aaaaaa', it is being accepted. it should not isn't it?

Yes it should, since you're root.

Quote:
what do i do now?

This should work. Touch /etc/security/opasswd to enable remembering used passwords. Now if there's a possibility for them to hand you an initial password you could set that, else set one yourself. Then expire the account, forcing them to set a new one on login. The cracklib settings should apply now. |
Hi sir. Well, actually I'm not logging in as root but as the new user I created, and yet the password gets accepted in whichever fashion I give it.
Also, the file /etc/security/opasswd is empty on my system (no such thing as remembering used passwords). Finally, what values should I set, if not negative values, in /etc/pam.d/system-auth? |
finally what values should i set,if not negative values in /etc/pam.d/system-auth?
Try positive, whole values. |
Hi sir. Thanks for your help so far. I've tried positive values as well; it still doesn't work. What to do next?? |
Quote:
dcredit=-1 - minimum one digit
ucredit=-1 - minimum one uppercase letter
lcredit=-1 - minimum one lowercase letter
ocredit=-1 - minimum one 'other' character

I am using Debian and added the following two lines to /etc/pam.d/common-password:

password required pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
password required pam_unix.so use_authtok nullok md5

I am not an expert on this, but have you looked in the /etc/pam.d directory for a file called passwd? The file /etc/pam.d/passwd should have the following line to include the rules in /etc/pam.d/common-password:

@include common-password

(or maybe in your case @include system-auth)

kind regards,
kingka |
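The credit semantics explained above are easy to get backwards, so here is an added example (my own code, not from this thread or from Linux-PAM) that reimplements pam_cracklib's documented length/credit test in Python. THREAD_LINE is the poster's own option line; POSITIVE_LINE and the sample passwords are constructed; the module's dictionary and similarity checks are not modelled.

```python
# Added example (not from the thread): pam_cracklib's documented credit
# arithmetic. A negative credit is a hard minimum for that character class;
# a non-negative credit is a bonus of up to N toward minlen, one per character.

# The cracklib line from the original poster's system-auth, plus a variant
# using the positive values suggested later in the thread.
THREAD_LINE = ("password required /lib/security/$ISA/pam_cracklib.so retry=3 "
               "minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2")
POSITIVE_LINE = ("password required pam_cracklib.so retry=3 minlen=6 "
                 "dcredit=1 ucredit=1 lcredit=1 ocredit=1")


def parse_cracklib_options(line):
    """Pull minlen and the four credits out of a pam_cracklib line; other
    options (retry, difok) are ignored. Defaults are the module's own."""
    opts = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts


def count_classes(password):
    """Count characters per class the way pam_cracklib does: digit, upper,
    lower, and everything else as 'other'."""
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    return {"dcredit": digits, "ucredit": uppers, "lcredit": lowers,
            "ocredit": len(password) - digits - uppers - lowers}


def check_simple(password, opts):
    """Reimplementation of the module's length/credit test. Returns None when
    the password passes, otherwise a string naming the rule it failed."""
    effective_len = len(password)
    for key, have in count_classes(password).items():
        credit = opts[key]
        if credit < 0 and have < -credit:
            return f"too few for {key} (need {-credit}, have {have})"
        if credit >= 0:
            effective_len += min(have, credit)  # bonus toward minlen
    if effective_len < opts["minlen"]:
        return f"too short: effective length {effective_len} < minlen {opts['minlen']}"
    return None
```

With the poster's line, 'aaaaaa' is rejected for lacking a digit, while with all-positive credits the same password passes, because a positive credit only adds to the effective length and never requires the class to be present.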
Hi sir. These are the contents of my /etc/pam.d/passwd file:

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

As you can see, there is no @include system-auth. What is to be done now?? Also one more important thing, sir: in the config file /etc/pam.d/system-auth, it is mentioned at the beginning like this:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

Is it something to do with this? If so, what is to be done? Any help would be greatly appreciated. Thank you |
Got this from Google: "Authconfig is a terminal mode program which can configure a workstation to use shadow passwords."
So I guess authconfig is only run when you install/upgrade the shadow suite. My common-password file has only the 2 rules I told you about in my previous post, while your system-auth file has other things in it as well. Maybe you should create a new file in /etc/pam.d (say common-password) and include that file in /etc/pam.d/passwd, or you can add the 2 rules directly in /etc/pam.d/passwd instead of using @include. Ah, and your /etc/pam.d/passwd didn't say anything about being auto-generated? So it's probably your best option to use another config file or passwd directly and not system-auth. |
Hello sir. Thanks for your help so far. But I think you missed a statement there. I clearly mentioned in my previous post that there is this statement in /etc/pam.d/system-auth:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run

Also, what are the two rules you are talking about? You only asked me to include @include system-auth in /etc/pam.d/passwd |
Enter these two lines in /etc/pam.d/passwd:

password required pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
password required pam_unix.so use_authtok nullok md5

You shouldn't have '@include system-auth' in /etc/pam.d/passwd if you enter the rules in /etc/pam.d/passwd itself. Reboot. Change your password with passwd and see if it still accepts simple passwords. |
Still doesn't work, sir. I've done exactly as you told me to.
After rebooting I create a new user as 'user1' and a new password which is 'xxxxxxx', and it's getting accepted. It should not accept this password, should it? I am even able to log in with this new username and password. What do I do now? |
Log in as the user you have just created.
Enter passwd to change the user's password and see if you can still choose a simple password such as 'xxxxxx'. Why do I ask you this? By adding the rules to /etc/pam.d/passwd, the rules only apply to the passwd command, not to commands used to create new users (e.g. useradd). |
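The point above is that a cracklib rule only protects the services whose password stack actually reaches it, whether directly, through Fedora's pam_stack.so service=... indirection, or through Debian's @include. As an added example (my own code, not from this thread or from Linux-PAM), this resolves that chain for a constructed in-memory copy of /etc/pam.d; SAMPLE_PAMD and the "other" service are constructed, modelled on the files quoted in the thread.

```python
# Added example (not from the thread): resolve which PAM services actually
# carry pam_cracklib in their 'password' stack, following Fedora-style
# "pam_stack.so service=X" indirection and Debian-style "@include X".
# SAMPLE_PAMD is a constructed stand-in for /etc/pam.d modelled on the thread.
SAMPLE_PAMD = {
    "system-auth": (
        "password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6\n"
        "password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow\n"
    ),
    "passwd": "password required pam_stack.so service=system-auth\n",
    "common-password": ("password required pam_cracklib.so retry=3 minlen=7\n"
                        "password required pam_unix.so use_authtok nullok md5\n"),
    "login": "@include common-password\n",
    # hypothetical service whose password stack never reaches cracklib
    "other": "password required pam_unix.so nullok\n",
}


def password_stack(service, files, seen=None):
    """Resolved [(module, args)] list for a service's password stack; 'seen' guards against include loops."""
    if seen is None:
        seen = set()
    if service in seen or service not in files:
        return []
    seen.add(service)
    resolved = []
    for raw in files[service].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) > 1:
            resolved.extend(password_stack(parts[1], files, seen))
            continue
        if parts[0] != "password" or len(parts) < 3:
            continue
        module, args = parts[2].rsplit("/", 1)[-1], parts[3:]
        if module == "pam_stack.so":
            for arg in args:
                if arg.startswith("service="):
                    resolved.extend(password_stack(arg[len("service="):], files, seen))
            continue
        resolved.append((module, args))
    return resolved


def services_enforcing_cracklib(files):
    """Names of services whose resolved password stack includes pam_cracklib."""
    return sorted(name for name in files
                  if any(mod == "pam_cracklib.so" for mod, _ in password_stack(name, files)))
```

On a real system, read each file under /etc/pam.d into the dict keyed by file name and the same two functions show which services the rule covers.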
OK, seems to me like it's working. Thanks very much for your help, sir. |