
Linux Password Security with pam_cracklib

Standard Unix reusable passwords are a weak form of authentication. To address this shortcoming, the PAM module pam_cracklib was developed for Linux systems.

Enabling pam_cracklib

The pam_cracklib module is enabled via the system's standard PAM configuration interface. On Debian systems this is the /etc/pam.d/common-password file (on RedHat-derived systems it is /etc/pam.d/system-auth).

The typical configuration looks something like this:

For Debian:

password required pam_cracklib.so retry=3 minlen=12 difok=4
password required pam_unix.so md5 remember=12 use_authtok

For Redhat:

To set up these password restrictions, edit the /etc/pam.d/system-auth file and add or change the pam_cracklib arguments on the "password requisite" line (retry, minlen and the four credit settings); the remaining entries are the stock authconfig-generated file:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
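The Debian and RedHat configurations above encode two different policies through minlen and the credit settings, and the interaction is easy to misjudge. This added example (not part of the original post) models pam_cracklib's minlen/credit length rule in Python so both policies can be tried against sample passwords; the dictionary and difok similarity checks that the module also performs are not modelled, and the CracklibOptions, classify and length_ok names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CracklibOptions:
    # Defaults match pam_cracklib: minlen=9 and one credit per character class.
    minlen: int = 9
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1


def classify(password: str) -> dict:
    """Count characters per class the way pam_cracklib's simple() does."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def length_ok(password: str, opt: CracklibOptions) -> bool:
    """True if the password meets minlen once credits are applied.

    A credit N >= 0 lets up to N characters of that class each count as one
    extra character of length. A credit -N instead requires at least N
    characters of that class and grants no length credit for them.
    """
    counts = classify(password)
    credits = {"digit": opt.dcredit, "upper": opt.ucredit,
               "lower": opt.lcredit, "other": opt.ocredit}
    required_len = opt.minlen
    for cls, credit in credits.items():
        if credit >= 0:
            required_len -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False  # a mandatory character class is missing
    return len(password) >= required_len


# The two policies from the post: Debian leaves the credits at their default
# of 1, RedHat makes every class mandatory with -1.
DEBIAN = CracklibOptions(minlen=12)
REDHAT = CracklibOptions(minlen=8, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1)
```

With all four classes present, the Debian minlen=12 policy accepts a 9-character password such as "Passw0rd!", while an all-lowercase passphrase of any length fails the RedHat policy because the negative credits make every class mandatory.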