LinuxQuestions.org


zahadumy 05-27-2006 05:40 PM

BAD PASSWORD: it is based on a dictionary word
 
How do I get rid of this? It is really annoying... I use a really strong password for root, like "m21sosg91t...", always generated passwords of 25 characters, an old obsession I have. But why should I use a strong password for my usual user? If someone guesses it, all I might lose is what I have in my home directory. Big deal!
So, my question is how do I change this? I googled for it and read I have to change /etc/pam.d/passwd or /etc/pam.d/system.auth. I tried to change both of them, but all I got was "passwd" not working at all... Does anyone know how to do this?

And please, don't tell me what I read in this thread... This is not the answer to the question... Thank you.

alitrix 05-27-2006 05:42 PM

But did you try to change it with root?
Thought with root it's possible to use weak passwords even if it's not preferred

zahadumy 05-27-2006 05:51 PM

This is not the point... When a user wants to use "kitchen" as his password, I want the system to allow this. If he wants to use a weak password, he knows he does this at his own risk and we all know this is annoying sometimes. As root, if you're trying to set a weak password you get a warning but the password is changed successfully. I would like the same behaviour for a usual user, too. Any suggestions?

jschiwal 05-27-2006 06:37 PM

The password check options are defined in /etc/security/pam_pwcheck.
These options only affect user passwords unless the "enforce_for_root" option is used.

See the "man 8 pam_pwcheck" man page for all of the options.

zahadumy 05-27-2006 07:36 PM

Looks like you have pam_pwcheck only on Suse. I don't know if it's recommended or not, but I tried to install it on my distro anyway, but I couldn't download it from their homepage and after I googled for it, all the sites led me to the homepage, too. Do you know any other way to do it? I will try later to download that module...

Just one more question:
Quote:

The pam_pwcheck is a PAM module for password strength checking. It makes additional checks upon password changes, but it doesn't make the change itself. It only provides functionality for one PAM management group: password changing.

This module works in the following manner: if enabled it calls at first the Cracklib routine to check the strength of the password; if crack likes the password, the module does an additional set of strength checks.

Are you sure this is what I'm looking for?

jschiwal 05-28-2006 08:50 AM

You probably have a GUI Users & Groups option that sets the same policy.

I bet it is in the manual if you look closely enough.


If you are interested in the pam_pwcheck module, here is its homepage on the web:
http://freshmeat.net/projects/pam_pwcheck/

zahadumy 05-28-2006 09:05 AM

Okay, thank you. Can you download it from their homepage, which is basically the same page I provided? Because from here that link doesn't work...

jschiwal 05-29-2006 02:07 AM

I just checked this link:
http://freshmeat.net/redir/pam_pwche...ck-3.0.tar.bz2

try:
wget http://freshmeat.net/redir/pam_pwche...ck-3.0.tar.bz2

But first, check whether you have the module but FC doesn't use it.
/lib/security/pam_pwcheck.so
/lib64/security/pam_pwcheck.so

On my system, it was provided by a pam_modules package.

zahadumy 05-29-2006 12:53 PM

Thank you.

jschiwal 06-01-2006 04:47 AM

I bet that if you look around in the FC configuration program(s), you will find where you can adjust the policy you want to. Even if FC doesn't do it using PAM_PASSWD.

happyharris 11-05-2008 08:36 AM

I was able to mostly figure out how to do this. I use SuSE 11.0, and I don't know how standard is the functionality I used.

1. Open YaST (entering root password)
2. Click on "Local Security" application
3. Choose Custom Settings (click Next)
4. Deselect "Check New Passwords" and "Test for Complicated Passwords"
5. Click Next and Finish to save.

I was then able to change my user's password.

Note that no warning is given unfortunately. I could not figure out any way to give a warning but then accept the insecure password.

I am going to try to figure out what configuration file was changed but I don't have much confidence.

tgutierrez 08-10-2011 11:03 AM

You can establish the encrypted password directly when you create users

1.- Retrieve the encrypted password: perl -e 'print crypt("password", "salt"),"\n"'; its output is something like sajH.KaRIwx/k

2.- Create the user using this output: useradd -g group -c "comentaio" -s /bin/bash -m -d /home/user01 -p sajH.KaRIwx/k user01

OracleLinux 01-04-2013 03:04 PM

An answer for the original question
 
vi /etc/pam.d/system-auth

The original file looks like this
------------------------------------------------------------------------------------
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
------------------------------------------------------------------------------------

Comment out all three lines
------------------------------------------------------------------------------------
# password requisite pam_cracklib.so try_first_pass retry=3
# password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# password required pam_deny.so
------------------------------------------------------------------------------------

Add this line
------------------------------------------------------------------------------------
password sufficient /lib/security/$ISA/pam_unix.so nullok md5 shadow
------------------------------------------------------------------------------------

It will look like this now
------------------------------------------------------------------------------------
# password requisite pam_cracklib.so try_first_pass retry=3
# password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# password required pam_deny.so
password sufficient /lib/security/$ISA/pam_unix.so nullok md5 shadow
------------------------------------------------------------------------------------

Note:
------------------------------------------------------------------------------------
If you run authconfig, the file /etc/pam.d/system-auth will be overwritten
------------------------------------------------------------------------------------
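
To see what the edit above leaves active, here is an added example that is not part of OracleLinux's post: a small audit function that reads a PAM file and reports whether the password stack still contains a quality-check module, a pam_deny fallback, the md5 hash option, and nullok. The function names, the list of quality modules, and the key=value report format are assumptions made for illustration; the sample input is the stack quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): report what is active in the
# "password" stack of a PAM file. Reads the file named in $1, or stdin.
# Function names and the key=value report format are hypothetical.
audit_pam_password_stack() {
    awk '
        /^[ \t]*#/ { next }                    # commented-out rules are inactive
        $1 !~ /^-?password$/ { next }          # only the password-change stack
        {
            m = 3                              # module is field 3 for simple controls
            if ($2 ~ /^\[/) {                  # skip a bracketed control: [a=b c=d]
                m = 2
                while (m <= NF && $m !~ /\]$/) m++
                m++
            }
            module = $m
            sub(/.*\//, "", module)            # drop a path such as /lib/security/$ISA/
            if (module ~ /^pam_(cracklib|pwquality|pwcheck|passwdqc)\.so$/) quality = 1
            if (module == "pam_deny.so") deny = 1
            if (module == "pam_unix.so")
                for (i = m + 1; i <= NF; i++) {
                    if ($i == "md5") md5 = 1
                    if ($i == "nullok") nullok = 1
                }
        }
        END {
            print "quality_check=" (quality ? "yes" : "no")
            print "deny_fallback=" (deny ? "yes" : "no")
            print "hash_md5=" (md5 ? "yes" : "no")
            print "nullok=" (nullok ? "yes" : "no")
        }
    ' "$@"
}

# Constructed sample input: the stacks quoted in the post, before and after the edit.
sample_before() { cat <<'EOF'
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
EOF
}
sample_after() { cat <<'EOF'
# password requisite pam_cracklib.so try_first_pass retry=3
# password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# password required pam_deny.so
password sufficient /lib/security/$ISA/pam_unix.so nullok md5 shadow
EOF
}

echo "== before =="; sample_before | audit_pam_password_stack
echo "== after ==";  sample_after  | audit_pam_password_stack
```

Pass a real path such as /etc/pam.d/system-auth as the argument to audit a live file; include and substack lines are not followed, so each referenced file has to be checked separately.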

kdannehl 02-05-2015 05:20 PM

Thanks Much!!
 
Thanks much for this answer. It's the only one that makes sense to me. I don't use GUIs much and all I wanted to do is run passwd to change a password.

This is elegant, simple and understandable
thanks







noutg 07-21-2016 06:20 AM

Onwards from rhel6.8, /etc/pam.d/system-auth-ac (among others) has changed.

If you copy & paste from a < rhel6.8 then short insecure passwds will be accepted (if you are root)

