LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-12-2019, 08:36 AM   #1
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 840

Rep: Reputation: 286Reputation: 286Reputation: 286
Question Customization (more details) of passwd output command (via libpam-cracklib) during user account password change


As presented in my other thread, I've just put into place a new policy for user account passwords via libpam-cracklib.

So now, some checks are done when a user wants to modify his/her password (enough lowercase/uppercase/digit/special characters, password not used before, password different enough from the previous one and so on).
However, when the new password entered by the user doesn't satisfy those criteria, the output is always the same (except mostly when an old password is rotated or is a palindrome):
Code:
BAD PASSWORD: it is too simplistic/systematic
Is there a way to customize this output so the user knows what to correct in his/her new password to comply with the new policy? For example:
Code:
BAD PASSWORD: your password must contain at least 1 uppercase letter
BAD PASSWORD: your password must contain a digit
...
If not possible, is there a way to display my policy criteria as soon as the user typed passwd so he is informed beforehand about the criteria to comply with?

Many thanks!
 
Old 07-12-2019, 11:33 AM   #2
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,003

Rep: Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883
is it a script? if yes, then I would say yes it is.
You just need to find where it is outputting that info then modify it to say what you want.

If not possible, is there a way to display my policy criteria as soon as the user typed passwd so he is informed beforehand about the criteria to comply with?

You'd still have to grab it off the cli then check it, then reply, maybe run a loop to ask again, and repeat until the password compiles then allow it to be accepted.

I am not familiar with the inter working, but I am sure a lot of it is scripts, so you should be able to intervene and add your needed modifications to suit your needs.

Last edited by BW-userx; 07-12-2019 at 11:37 AM.
 
Old 07-14-2019, 04:21 PM   #3
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 840

Original Poster
Rep: Reputation: 286Reputation: 286Reputation: 286
^ I didn't mention it BW-userx but it's not inside a script at the time being...
As you explained, it could certainly do the job but I really prefer to keep things simple (KISS) and not having to parse and cover myself all the different use cases following the user inputs (somewhat heavy, static and not very convenient).
I would have guessed passwd and PAM could handle it together but that's just a supposition from me
 
Old 07-14-2019, 04:38 PM   #4
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,003

Rep: Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883
Well,
I am not a savvy on PAM, but have you looked through this?
https://www.systutorials.com/docs/li...pam_pwquality/
 
2 members found this post helpful.
Old 07-14-2019, 05:35 PM   #5
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (Chicago area)
Distribution: CentOS, MacOS, [Open]SuSE, Raspian, Red Hat, Slackware, Solaris, Tru64
Posts: 1,430

Rep: Reputation: 120Reputation: 120
You could always write a wrapper for the passwd command that displays the rules you want the user to use when setting their password and then simply invokes 'passwd'.

Of course, the more knowledgable user may know about 'passwd' and skip using your wrapper only to get the vague "bad password" message anyway.

What about putting a one liner in the motd file that very briefly explains the requirements:

"Remember: New passwords must contain mixed case characters and at least 1 digit."

Short, sweet, and to the point. The only trouble with having this in '/etc/motd' is that people may begin to ignore it if it doesn't change regularly. (You wouldn't believe how many times I've encountered people who totally missed the notices about the scheduled downtime for HW upgrades that had been in '/etc/motd' for a week or more.) At one time, I had a cron job that updated the motd with cluster utilization information along with the important notices so they paid a little more attention to the content.

Note that you have to make sure that the user login process is actually going to display '/etc/motd' during login. SSH might need to be tweaked, the system-wide profiles in '/etc', etc. all might need to have changes made.
 
Old 07-17-2019, 05:47 AM   #6
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 840

Original Poster
Rep: Reputation: 286Reputation: 286Reputation: 286
Quote:
Originally Posted by BW-userx View Post
Well,
I am not a savvy on PAM, but have you looked through this?
https://www.systutorials.com/docs/li...pam_pwquality/
Excellent, thanks for the hint!
I've installed libpam-pwquality, edited /usr/share/pam-configs/pwquality, run pam-auth-update and voilą!
pwquality is more verbose than cracklib and allows some more features (consecurive characters and number of required classes notably).
Post marked as [SOLVED]

NB: I'm not sure about how to use /etc/security/pwquality.conf... Indeed, I'm setting up my options in /usr/share/pam-configs/pwquality instead (everything is commented in pwquality.conf).
Is it just a matter of preference/choice here?
 
Old 07-17-2019, 07:31 AM   #7
sgrlscz
Member
 
Registered: Aug 2008
Posts: 114

Rep: Reputation: 82
Quote:
Originally Posted by l0f4r0 View Post
Excellent, thanks for the hint!
I've installed libpam-pwquality, edited /usr/share/pam-configs/pwquality, run pam-auth-update and voilą!
pwquality is more verbose than cracklib and allows some more features (consecurive characters and number of required classes notably).
Post marked as [SOLVED]

NB: I'm not sure about how to use /etc/security/pwquality.conf... Indeed, I'm setting up my options in /usr/share/pam-configs/pwquality instead (everything is commented in pwquality.conf).
Is it just a matter of preference/choice here?
You should not be editing /usr/share/pam-configs/pwquality. The files in /usr/share/pam-configs are package config declarations and should not be edited.

Your configuration should be put in /etc/security/pwquality.conf.
 
2 members found this post helpful.
Old 07-19-2019, 11:40 AM   #8
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 840

Original Poster
Rep: Reputation: 286Reputation: 286Reputation: 286
Quote:
Originally Posted by sgrlscz View Post
You should not be editing /usr/share/pam-configs/pwquality. The files in /usr/share/pam-configs are package config declarations and should not be edited.

Your configuration should be put in /etc/security/pwquality.conf.
Thanks for the advice

Do you know how I can retrieve the original /usr/share/pam-configs files? dpkg-reconfigure libpam-pwquality returns a 0 status code but doesn't reset those files to their initial content.
It seems that those files have precedence over /etc/security ones for modification of /etc/pam.d/common-password so I cannot apply my changes via /etc/security/pwquality.conf now...

As I edited /usr/share/pam-configs/unix as well, can you tell me how to proceed under /etc/security in the same vein please?

Last edited by l0f4r0; 07-19-2019 at 11:43 AM.
 
Old 07-19-2019, 01:59 PM   #9
sgrlscz
Member
 
Registered: Aug 2008
Posts: 114

Rep: Reputation: 82
The following should recreate the files in /usr/share/pam-configs:

Code:
apt install --reinstall libpam-pwquality libpam-runtime
That's one of the reasons you don't use the /usr/share/pam-configs files - package changes will replace those files. The packages don't treat those as user-modifiable files. For example, the reinstall will detect if you've changed /etc/pam.d/common-password, and ask if you want to replace it with the package version, but it won't ask you about files in /usr/share/pam-configs.

The /etc/security/pwquality.conf defines the defaults for pam_pwquality.so. If you set different settings using options in /etc/pam.d/common-password, I believe those will take precedence.
 
Old 07-21-2019, 12:22 PM   #10
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 840

Original Poster
Rep: Reputation: 286Reputation: 286Reputation: 286
^ Ok, thanks sgrlscz, your command's worked and reset my /usr/share/pam-configs/{unix,pwquality} files

I won't modify them by hand anymore. However, can I modify /etc/pam.d/common-passwd manually or is supposed to be handled by pam-auth-update exclusively?
I'm asking because I would like to add options "remember=400" for pam_unix.so and "enforce_for_root" for pam_pwquality.so now and I don't know where to specify them otherwise (adding enforce_for_root in /etc/security/pwquality.conf doesn't work)...
 
Old 07-22-2019, 06:55 AM   #11
sgrlscz
Member
 
Registered: Aug 2008
Posts: 114

Rep: Reputation: 82
You can modify /etc/pam.d/common-passwd by hand.
 
Old 07-25-2019, 01:49 PM   #12
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: Debian
Posts: 840

Original Poster
Rep: Reputation: 286Reputation: 286Reputation: 286
^ Ok, thanks. There seems to be no conflict during pam-auth-update
So to summarize, can one state that best practice is to change files directly inside /etc/pam.d directory except if there are some explicit configuration files elsewhere like in /etc/security?

Last edited by l0f4r0; 07-25-2019 at 01:50 PM.
 
  


Reply

Tags
pam, password, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Passwd command is showing "BAD PASSWORD:" as output but there was nothing after the colon, where there should be some reason output. yogesh95 Linux - Software 4 03-31-2016 07:50 AM
[SOLVED] Set password policy per-user using cracklib? j_h Linux - Security 5 12-09-2013 09:43 PM
[PHP] checking password strength -- cracklib recommended? zirias Programming 7 07-18-2010 06:52 AM
user can't change user account passwd rcmonroig Linux - Newbie 3 11-09-2009 09:44 PM
Authentication failure after change to cracklib Johnomal Linux - Newbie 6 09-07-2009 12:11 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:27 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration