password complexity not working on RH4 update 5

VMSlives · 04-30-2009, 02:24 PM

Hi Everyone

I'm having no success getting password complexity to work with RH4/U5.
Added/modified the following to /etc/pam.d/system-auth

password required /lib/security/$ISA/pam_passwdqc.so min=disabled,disabled,disabled,disabled,12

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis remember=24

I have deployed complexity before on other releases w/o problems.
This one is a NIS server, but I have other NIS servers working fine.
I even tried copying system-auth from a RH4/U2 NIS server which performs complexity to the RH4/U5 system - no luck.
When I attempt to change a user password from a user acct, get message that password must be at least 6 characters. The system-auth file I am using dictates 12 characters with 4 different character cases.
/etc/login.defs also has minimum length set to 12 - no idea where the 6 character limit is coming from.
I also tried using cracklib.so with minlen=12 , no luck there either.

All security packages are installed on the RH4/U5 server
thanks in advance for your help

anomie · 05-01-2009, 12:07 PM

I am assuming you've stacked system-auth correctly, because you said:

Quote:

I even tried copying system-auth from a RH4/U2 NIS server which performs complexity to the RH4/U5 system - no luck.

So my next WAG is that your software environments are marginally different between the broken and working servers. Maybe you're just missing a package or two on the broken server.

Anyway, what I would do is install the strace package. Then fire up a script session and trace the system calls that passwd is making. For example:

Code:

$ strace passwd

Enter your current password when prompted, because you need it to get to the point that it's prompting for a new password. Follow these steps on the broken server and on a working server. Then compare the results and see where the broken one is falling down.

This is going to be a painstaking process (with a lot of output to sift through), but that's how I would approach it.

---

edit: Do you have a working RHEL 4.5 installation? If so, I'd compare against that so that you're comparing apples to apples...

VMSlives · 05-05-2009, 02:38 PM

Quote:

Originally Posted by anomie

I am assuming you've stacked system-auth correctly, because you said:

So my next WAG is that your software environments are marginally different between the broken and working servers. Maybe you're just missing a package or two on the broken server.

Anyway, what I would do is install the strace package. Then fire up a script session and trace the system calls that passwd is making. For example:

Code:

$ strace passwd

Enter your current password when prompted, because you need it to get to the point that it's prompting for a new password. Follow these steps on the broken server and on a working server. Then compare the results and see where the broken one is falling down.

This is going to be a painstaking process (with a lot of output to sift through), but that's how I would approach it.

---

edit: Do you have a working RHEL 4.5 installation? If so, I'd compare against that so that you're comparing apples to apples...

you have bailed me out again . the passwd binary was linked to yppasswd . I restored /usr/bin/passwd, all is well. Too many admins have root pw !!!

thanks once more