LinuxQuestions.org
Old 07-12-2019, 08:36 AM   #1
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 818

Rep: Reputation: 285
Question Customization (more details) of passwd output command (via libpam-cracklib) during user account password change


As presented in my other thread, I've just put into place a new policy for user account passwords via libpam-cracklib.

So now, some checks are done when a user wants to modify his/her password (enough lowercase/uppercase/digit/special characters, password not used before, password different enough from the previous one and so on).
However, when the new password entered by the user doesn't satisfy those criteria, the output is always the same (except mostly when an old password is rotated or is a palindrome):
Code:
BAD PASSWORD: it is too simplistic/systematic
Is there a way to customize this output so the user knows what to correct in his/her new password to comply with the new policy? For example:
Code:
BAD PASSWORD: your password must contain at least 1 uppercase letter
BAD PASSWORD: your password must contain a digit
...
If not possible, is there a way to display my policy criteria as soon as the user typed passwd so he is informed beforehand about the criteria to comply with?

Many thanks!
 
Old 07-12-2019, 11:33 AM   #2
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware 14.2 current / ArcoLinux / Void Linux
Posts: 8,826

Rep: Reputation: 1840
Is it a script? If yes, then I would say yes it is.
You just need to find where it is outputting that info then modify it to say what you want.

Quote:
If not possible, is there a way to display my policy criteria as soon as the user typed passwd so he is informed beforehand about the criteria to comply with?

You'd still have to grab it off the CLI then check it, then reply, maybe run a loop to ask again, and repeat until the password complies then allow it to be accepted.

I am not familiar with the inner workings, but I am sure a lot of it is scripts, so you should be able to intervene and add your needed modifications to suit your needs.

Last edited by BW-userx; 07-12-2019 at 11:37 AM.
 
Old 07-14-2019, 04:21 PM   #3
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 818

Original Poster
Rep: Reputation: 285
^ I didn't mention it, BW-userx, but it's not inside a script for the time being...
As you explained, it could certainly do the job, but I really prefer to keep things simple (KISS) and not have to parse and cover all the different use cases following the user inputs myself (somewhat heavy, static and not very convenient).
I would have guessed passwd and PAM could handle it together, but that's just a supposition on my part.
 
Old 07-14-2019, 04:38 PM   #4
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware 14.2 current / ArcoLinux / Void Linux
Posts: 8,826

Rep: Reputation: 1840
Well,
I am not savvy on PAM, but have you looked through this?
https://www.systutorials.com/docs/li...pam_pwquality/
 
Old 07-14-2019, 05:35 PM   #5
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (Chicago area)
Distribution: CentOS, MacOS, [Open]SuSE, Raspian, Red Hat, Slackware, Solaris, Tru64
Posts: 1,378

Rep: Reputation: 108
You could always write a wrapper for the passwd command that displays the rules you want the user to use when setting their password and then simply invokes 'passwd'.

Of course, the more knowledgeable user may know about 'passwd' and skip using your wrapper only to get the vague "bad password" message anyway.

What about putting a one-liner in the motd file that very briefly explains the requirements:

"Remember: New passwords must contain mixed case characters and at least 1 digit."

Short, sweet, and to the point. The only trouble with having this in '/etc/motd' is that people may begin to ignore it if it doesn't change regularly. (You wouldn't believe how many times I've encountered people who totally missed the notices about the scheduled downtime for HW upgrades that had been in '/etc/motd' for a week or more.) At one time, I had a cron job that updated the motd with cluster utilization information along with the important notices so they paid a little more attention to the content.

Note that you have to make sure that the user login process is actually going to display '/etc/motd' during login. SSH might need to be tweaked, the system-wide profiles in '/etc', etc. all might need to have changes made.
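
The passwd wrapper suggested in the post above, as an added example that is not part of the original thread: it reads the pam_cracklib line from the PAM configuration and prints the rules it implies before handing over to passwd. The path /etc/pam.d/common-password (Debian layout), the location /usr/bin/passwd, the wrapper name chpass and the sample line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): show the pam_cracklib policy, then run passwd.
# PAM_FILE assumes the Debian layout; override it on other distributions.
PAM_FILE="${PAM_FILE:-/etc/pam.d/common-password}"

# Print one rule per pam_cracklib option found on the given PAM line.
# Runs in a subshell with globbing off so tokens like [default=die] stay literal.
describe_policy() (
    set -f
    for opt in $1; do
        key=${opt%%=*}
        val=${opt#*=}
        case "$key" in
            minlen) echo "- minimum length $val (class credits may count toward it)" ;;
            difok)  echo "- at least $val characters must differ from the old password" ;;
            ucredit|lcredit|dcredit|ocredit)
                # Only a negative credit is a hard requirement; a positive
                # one is just a bonus toward minlen, so it is not listed.
                case "$val" in -*) n=${val#-} ;; *) continue ;; esac
                case "$key" in
                    ucredit) class="uppercase letter(s)" ;;
                    lcredit) class="lowercase letter(s)" ;;
                    dcredit) class="digit(s)" ;;
                    ocredit) class="special character(s)" ;;
                esac
                echo "- at least $n $class" ;;
        esac
    done
)

# Read the first active pam_cracklib line, print its rules, hand over to passwd.
show_policy_and_change() {
    line=$(grep -E '^[^#]*pam_cracklib\.so' "$PAM_FILE" 2>/dev/null | head -n 1)
    if [ -n "$line" ]; then
        echo "New passwords must satisfy:"
        describe_policy "$line"
    fi
    exec /usr/bin/passwd "$@"
}

# Constructed sample line, printed with --demo; not taken from the thread.
SAMPLE='password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=1'
case "${1:-}" in --demo) describe_policy "$SAMPLE" ;; esac
# The wrapper only acts when installed under the hypothetical name "chpass".
case "${0##*/}" in chpass) show_policy_and_change "$@" ;; esac
```

Because the rules are derived from the live PAM line, the printed text stays in step with the policy when the cracklib options change.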
 
  


Tags
pam, password, security

