I was playing around with enforcing password security on my system.
You can do this with the following method:
/etc/login.defs
# Password aging controls:
#
# PASS_MAX_DAYS   Maximum number of days a password may be used.
# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
# PASS_MIN_LEN    Minimum acceptable password length.
# PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS 180
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
You cannot enforce any sort of password complexity, unless you use the
cracklib pam modules, here:
/etc/pam.d/password
#%PAM-1.0
#auth required /lib/security/pam_nologin.so
#auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_cracklib.so minlen=8 retry=3
password required /lib/security/pam_unix.so shadow use_authtok service=system-auth
session required /lib/security/pam_unix.so
I ran across a patch to apply password complexity to the pam cracklib
library, and was curious to know if this feature was already implemented in
the pam cracklib library.
The patch is here:
http://www.puschitz.com/Security.shtml
And the procedure is here:
http://www.puschitz.com/pam_cracklib_patch.shtml
Comments from the author:
"When you check the pam_cracklib documentation, you will notice that my
patch here for pam_cracklib has been applied to pam_cracklib at
http://sourceforge.net. However, at this time Red Hat has not applied this
patch to their Linux distribution yet."
Is Red Hat planning to put these cracklib changes in their distribution?
And to use it you need to apply the following line change in your
/etc/pam.d/password file, see lines above for sample file:
password required /lib/security/pam_cracklib.so minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=2 retry=3
This example allows you to force new passwords to have 1 lowercase, 1 uppercase,
1 digit, 1 other character of some sort, and be at least 2 characters
different from previous passwords; it allows 3 attempts to change the
password.
> --Luke
> --Computer Science Sysadmin, MSU Bozeman
> --admin(AT)cs.montana.edu 994-3931
--
Psyche-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/psyche-list
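As an added illustration of the pam_cracklib options discussed in the post above (this is not the poster's code nor the pam_cracklib project's own code), the following Python script models how a candidate password is scored against minlen, lcredit/ucredit/dcredit/ocredit, difok and retry. The credit arithmetic follows pam_cracklib's documented rule: a credit value N >= 0 adds up to N toward minlen for each class present, while a negative value -N makes N characters of that class mandatory. The difok check is modelled on pam_cracklib's similarity test (count characters of the old password that do not occur in the new one). The names CracklibPolicy, check_password and attempt_change, and every sample password, are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class CracklibPolicy:
    """Hypothetical mirror of the pam_cracklib options quoted in the post.
    Defaults match the example line: minlen=8 lcredit=1 ucredit=1 dcredit=1
    ocredit=1 difok=2 retry=3."""
    minlen: int = 8
    lcredit: int = 1
    ucredit: int = 1
    dcredit: int = 1
    ocredit: int = 1
    difok: int = 2
    retry: int = 3


def _class_counts(pw: str) -> Tuple[int, int, int, int]:
    """Count lowercase, uppercase, digit and 'other' characters."""
    lower = sum(1 for c in pw if c.islower())
    upper = sum(1 for c in pw if c.isupper())
    digit = sum(1 for c in pw if c.isdigit())
    other = len(pw) - lower - upper - digit
    return lower, upper, digit, other


def too_similar(old: str, new: str, difok: int) -> bool:
    """Modelled on pam_cracklib's similarity test (an approximation): count the
    characters of the old password that appear nowhere in the new one; at least
    difok of them must differ, unless the new password is at least twice as long."""
    reused = sum(1 for c in old if c in new)
    differing = len(old) - reused
    if differing >= difok or len(new) >= 2 * len(old):
        return False
    return True


def check_password(pw: str, policy: CracklibPolicy,
                   old_pw: Optional[str] = None) -> List[str]:
    """Return the list of reasons the password is rejected (empty = accepted)."""
    reasons: List[str] = []
    counts = _class_counts(pw)
    credits = (policy.lcredit, policy.ucredit, policy.dcredit, policy.ocredit)
    names = ("lowercase", "uppercase", "digit", "other")
    effective = len(pw)
    for count, credit, name in zip(counts, credits, names):
        if credit >= 0:
            # Non-negative credit: each class present adds up to `credit`
            # toward minlen, but nothing is required.
            effective += min(count, credit)
        elif count < -credit:
            # Negative credit: -credit characters of this class are mandatory.
            reasons.append(f"needs at least {-credit} {name} character(s)")
    if effective < policy.minlen:
        reasons.append(f"too short: effective length {effective} < minlen {policy.minlen}")
    if old_pw is not None and too_similar(old_pw, pw, policy.difok):
        reasons.append(f"too similar to the old password (difok={policy.difok})")
    return reasons


def attempt_change(candidates: Sequence[str], policy: CracklibPolicy,
                   old_pw: Optional[str] = None) -> Tuple[Optional[str], int]:
    """Simulate the retry loop: return (accepted password or None, attempts used).
    At most policy.retry candidates are examined."""
    attempts = 0
    for cand in candidates:
        if attempts >= policy.retry:
            break
        attempts += 1
        if not check_password(cand, policy, old_pw):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    policy = CracklibPolicy()
    # Constructed sample passwords for the demo.
    for pw in ("abc", "Password2", "Tr0ub4d0r!x"):
        print(pw, "->", check_password(pw, policy, old_pw="Password1") or "accepted")
    print(attempt_change(["abc", "Password2", "Tr0ub4d0r!x"], policy, "Password1"))
```

With the post's settings, positive credits only shorten the length a password needs to reach minlen; switching a value to a negative number (for example dcredit=-1 in the CracklibPolicy) is what turns "1 digit" into a hard requirement in this model, which is the distinction worth checking when auditing a /etc/pam.d file.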