LinuxQuestions.org
Old 03-23-2015, 02:38 PM   #1
Ivory244
LQ Newbie
 
Registered: Mar 2015
Posts: 2

Rep: Reputation: Disabled
Is this Pam configuration possible?


Our password requirements include:
1. Minimum length of password is 8 characters. (This password will expire in 90 days.)
2. If password is 13 characters or greater, password will never expire.

NOTE: I already have a script that manages password expiration instead of using pam.

Shown below is my attempt in /etc/pam.d/system-auth. What I am trying to accomplish is to run a script only if the user inputs a 13 character password. So far I have not found any configuration in pam that will accomplish this. Can anyone please help me in determining if this is possible with pam?

Attempt with /etc/pam.d/system-auth:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=8

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password optional pam_cracklib.so try_first_pass retry=3 minlen=13

password optional pam_exec.so /usr/bin/password_donot_expire.sh

password required pam_deny.so
 
Old 03-23-2015, 03:55 PM   #2
T3RM1NVT0R
Senior Member
 
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 477
No, PAM does not have any such option that I am aware of. The reason is that you are asking PAM to make a decision and modify another attribute. PAM does make the decision of rejecting or accepting a password on the basis of length. Asking PAM to check if the password is 13 characters and, if yes, set it to non-expiry will be too much for PAM. PAM is not designed for that. Of course, you can have a script like you said to coordinate with PAM, but solely leaving it to PAM simply doesn't work.

Another thing is, why would you set a password to non-expiry just because it is long? I mean, I can set the password "abcdefgh123456", which is quite easy to guess, but it is long and OK to be set to non-expiry. Length of the password doesn't matter but complexity does. You might want to add a requirement for a minimum number of upper case, lower case, special characters and numbers to your password complexity requirement in PAM.
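
The helper-script approach mentioned in both posts, as an added example that is not code from either poster: the script receives the new password on stdin from pam_exec.so and sets the maximum password age with `chage`. Assumptions: `expose_authtok` is honoured in the password stack on the installed Linux-PAM version, the three-character-class bar (`MIN_CLASSES`) is an illustrative policy taken from the second reply's point about complexity, and `DRY_RUN` is a hypothetical switch for testing.

```bash
#!/bin/bash
# Added example: helper for pam_exec.so in the "password" stack.
# Assumed PAM line (verify on your Linux-PAM version that expose_authtok is
# honoured for the password type):
#   password optional pam_exec.so expose_authtok /usr/bin/password_donot_expire.sh
# A "sufficient" line that succeeds ends the stack, so lines after it never run.

MIN_LEN=8          # from the thread: minimum accepted length
LONG_LEN=13        # from the thread: this length or more never expires
SHORT_MAX_DAYS=90  # from the thread: expiry for shorter passwords
MIN_CLASSES=3      # assumption: complexity bar for the no-expiry exemption

# Print how many character classes (lower, upper, digit, other) $1 contains.
count_classes() {
    local pw=$1 n=0
    case $pw in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case $pw in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case $pw in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case $pw in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# Print the value for "chage -M": -1 (never expires) or 90; fail if too short.
max_days_for() {
    local pw=$1
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    if [ "${#pw}" -ge "$LONG_LEN" ] &&
       [ "$(count_classes "$pw")" -ge "$MIN_CLASSES" ]; then
        echo -1
    else
        echo "$SHORT_MAX_DAYS"
    fi
}

# Read the new password from stdin (never from argv, which shows up in ps)
# and set the account's maximum password age accordingly.
apply_policy() {
    local pw days
    pw=$(tr -d '\000')            # drop a trailing NUL if one is sent
    days=$(max_days_for "$pw") || return 1
    # DRY_RUN=1 (hypothetical switch) prints the command instead of running it.
    ${DRY_RUN:+echo} chage -M "$days" "$PAM_USER"
}

# pam_exec exports PAM_TYPE and PAM_USER; do nothing outside a password change.
if [ "${PAM_TYPE:-}" = "password" ] && [ -n "${PAM_USER:-}" ]; then
    apply_policy
fi
```

With this policy the 14-character "abcdefgh123456" from the second reply keeps the 90-day expiry, because it contains only two character classes.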
Tags
cracklib, linux, pam, passwd, unix