On 8/24/05, Stephen Hughes
Hi Group
I'm having problems with the pam_cracklib module in PAM. I'm following the example from the PAM System Administrators' Guide for the Cracklib pluggable password strength-checker, where they say the user will be required to select a password with a minimum length of 8 and with at least 1 digit, 1 upper case letter and 1 other character. I modified my /etc/pam.d/passwd file like so:
password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password required pam_unix2.so use_authtok nullok md5
The example mentions the use of pam_pwdb.so which I don't have on my SLES9 server so I'm using the pam_unix2.so which I've seen on the web as the alternative.
I then logged in as an ordinary user and proceeded to change my password to "ijnbhuy". It allowed me to do so without any problems. The password is only 7 characters long and does not contain any digits, upper case letters or other (symbol) characters. This goes against the PAM module configuration, yet it was successful in changing my password.
In the end I would like to get the restrictions described for the cracklib module working, for more secure authentication on my server. Any help getting this fixed will be much appreciated.
Stephen
Hi Stephen,

we've got a similar setup working here under SLES9, and I can only try to think of some pitfalls that might be involved (I have no real explanation so far):

- The line, e.g. "password required pam_cracklib.so type=LDAP retry=3 difok=4 difignore=11 minlen=6 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 debug", is set in all login-relevant pam.d files (such as login, passwd, sshd, su, ...). Note that "debug" here can help you to see whether the password was passed through pam_cracklib.so, but it should not be kept in production use, as it can write the cleartext passwords and hashes to syslog!

- In /etc/security/pam_pwcheck.conf the "use_cracklib" parameter was removed, as pam_cracklib.so is called directly in the pam.d files (e.g.: password: minlen=8 no_obscure_checks md5 debug remember=15).

- If this does not work, you could also check the order of the PAM module calls.

Hope this helps,
Markus
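To see exactly what the two pam_cracklib option lines quoted in this thread demand, here is a small Python model of the module's minimum-length and credit arithmetic. It is an added example written for this page, not code from Linux-PAM or from either poster; it reimplements only the length/credit rule (the simple() check in pam_cracklib.c, as I understand it) and deliberately leaves out the dictionary, palindrome and difok checks, so it is a reading aid for option strings rather than a drop-in replacement. Run against Stephen's line it shows that "ijnbhuy" has to be rejected (dcredit=-1 demands a digit), which points at the module not being consulted at all rather than at the options, the question Markus's debug suggestion is meant to answer. It also shows the "plus one" quirk of positive credits: minlen=8 with the default credit of 1 per class accepts a seven-letter lowercase password.

```python
"""Model of pam_cracklib's minlen/credit rule (added example, not Linux-PAM code).

Assumed semantics, matching the classic pam_cracklib.c simple() check:
  * credit >= 0: up to `credit` characters of that class each count as one
    extra character of length toward minlen;
  * credit <  0: the password must contain at least -credit characters of
    that class, and the class earns no length credit.
Dictionary, palindrome, similarity (difok) and other checks are omitted.
"""

CLASSES = ("dcredit", "ucredit", "lcredit", "ocredit")


def parse_cracklib_args(line):
    """Parse key=value options from a pam_cracklib.so control line.

    Accepts either a bare option string or a full 'password required
    pam_cracklib.so ...' line. Options without '=' (retry, debug, ...) are
    kept with value None. Defaults follow pam_cracklib: minlen=9 and a
    credit of 1 per class; the module also refuses a minlen below 6.
    """
    opts = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
    tokens = line.split()
    if "pam_cracklib.so" in tokens:
        tokens = tokens[tokens.index("pam_cracklib.so") + 1:]
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
        else:
            opts[key] = value if sep else None
    if opts["minlen"] < 6:          # pam_cracklib clamps minlen to at least 6
        opts["minlen"] = 6
    return opts


def classify(password):
    """Count digits, upper, lower and 'other' characters (ASCII assumed)."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_simple(password, opts):
    """Return (accepted, reason) for the length/credit part of pam_cracklib."""
    counts = classify(password)
    required = opts["minlen"]
    for cls in CLASSES:
        credit = opts[cls]
        have = counts[cls]
        if credit >= 0:
            # Positive credit: characters of this class, up to `credit`,
            # each reduce the effective minimum length by one.
            required -= min(have, credit)
        elif have < -credit:
            # Negative credit: a hard per-class minimum, no credit earned.
            return False, f"needs at least {-credit} {cls[0]}-class char(s), has {have}"
    if len(password) >= required:
        return True, f"length {len(password)} >= effective minimum {required}"
    return False, f"length {len(password)} < effective minimum {required}"


if __name__ == "__main__":
    # The two option lines posted in the thread, plus the module defaults.
    lines = {
        "Stephen": "password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8",
        "Markus": "password required pam_cracklib.so type=LDAP retry=3 difok=4 difignore=11 "
                  "minlen=6 dcredit=-1 ucredit=0 lcredit=-1 ocredit=0 debug",
        "defaults+minlen=8": "minlen=8",
    }
    # Constructed sample passwords; "ijnbhuy" is the one from the original post.
    for name, line in lines.items():
        opts = parse_cracklib_args(line)
        for pw in ("ijnbhuy", "ijnbhuy1A!", "abcdefg", "abcde1"):
            ok, why = check_simple(pw, opts)
            print(f"{name:18} {pw:12} {'accept' if ok else 'reject':7} {why}")
```

Reading the output for Stephen's line: "ijnbhuy" fails the dcredit=-1 class minimum before length is even considered, so a correctly wired pam_cracklib would have refused it; the interesting question is therefore which PAM stack the passwd binary on that host actually walked, which is what turning on debug (briefly, given the syslog caveat above) would show.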