
Password Policies

Status
Not open for further replies.

jwant

In RedHat 7.3, is there a way to change the password policy? I do not want passwords to fail because they are in the dictionary.

If this is done in pam.d, can someone tell me what to do to change this?
 
Do the password changes fail, or does it just issue a warning message? Most just issue the warning and do allow you to use the password.

ChrisP
 
They fail altogether. It says BAD password and then asks for a new password. I know that it has something to do with pam_cracklib.so; I just need to know what variable or option I can add to lessen the requirements as to what is a good password. I can see how to make it harder, but not simpler.
 
On my RedHat 7.3 system, I can use passwords that are in the dictionary. This is what it looks like:
Code:
[root@localhost /]# passwd someuser
Changing password for user someuser.
New password: 
BAD PASSWORD: it is based on a dictionary word
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost /]#
This is a standard install, not much has been changed except for webservices. //Daniel
 
danielhozac,
your test isn't a good one because the restrictions don't apply to root
 
Yes, that is correct, these rules apply only when the user is trying to change their own password. I have my system so the UNIX and Samba passwords are to sync.
 
Then why don't you su to root and change it from there? I never have any issues as I always work as root. //Daniel
 
It is not about me changing passwords, it is about my users changing passwords, and I am not about to hand out the root password to everyone.
 
passwd uses crack to check passwords; this is set in the /etc/pam.d/passwd file.
Look for something like this:
passwd password requisite /usr/lib/security/pam_cracklib.so retry=3
passwd password required /usr/lib/security/pam_unix.so use_authtok

Now I am not sure on this, but I think if you comment out the pam_cracklib line, passwd should no longer do password checking using crack.
 
DTVjgarner is correct, disable crack since it's bad for your health ;-).
But on my RedHat 7.3 system the /etc/pam.d/passwd file only contains these lines:
Code:
#%PAM-1.0
auth       required	/lib/security/pam_stack.so service=system-auth
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
Any thoughts? //Daniel
 
I'm not sure if this will work, but it can't hurt to try. Edit the /etc/pam.d/system-auth file. Change this line...

password required /lib/security/pam_cracklib.so retry=3 type=

...to...

password optional /lib/security/pam_cracklib.so retry=3 type=


Let us know if that worked...

ChrisP
 
Well, I guess the good news is that I tried everything that you guys have suggested; I appreciate the effort. DTVjgarner, the passwd file is the wrong place to try to change all this. The pam_stack.so says to call another file in the pam.d directory; in this case it calls system-auth. When you comment out the cracklib, you eliminate the password sync that happens between samba and linux/unix. It appears that I will be going around to each user and doing their passwords at their computers, or being mean and making them use passwords that are tougher to crack.
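
Added example, not part of the original thread: a Python sketch that follows the pam_stack.so delegation described above and lists the password modules that actually run for passwd, including where pam_cracklib sits and with which control flag. The passwd contents are as quoted in the thread; the system-auth contents are constructed around the quoted pam_cracklib line, and the function names are hypothetical.

```python
import os

# Constructed sample files keyed by service name. "passwd" is the file quoted
# in the thread; "system-auth" is a constructed stand-in built around the
# pam_cracklib line quoted in the thread (assumption, not a real system dump).
SAMPLE = {
    "passwd": """#%PAM-1.0
auth       required\t/lib/security/pam_stack.so service=system-auth
account    required\t/lib/security/pam_stack.so service=system-auth
password   required\t/lib/security/pam_stack.so service=system-auth
""",
    "system-auth": """#%PAM-1.0
password   required   /lib/security/pam_cracklib.so retry=3 type=
password   sufficient /lib/security/pam_unix.so use_authtok
""",
}


def effective_stack(service, mgmt, files, seen=()):
    """Return [(source_service, control, module, args)] for one management
    group, following pam_stack.so service=NAME into the named file."""
    if service in seen:            # guard against include loops
        return []
    out = []
    for line in files.get(service, "").splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != mgmt:
            continue
        control, module, args = fields[1], os.path.basename(fields[2]), fields[3:]
        if module == "pam_stack.so":
            target = [a.split("=", 1)[1] for a in args if a.startswith("service=")]
            if target:
                out += effective_stack(target[0], mgmt, files, seen + (service,))
            continue
        out.append((service, control, module, args))
    return out


def cracklib_entries(service, files):
    """Where pam_cracklib runs for password changes, and with what control flag."""
    return [(src, ctl) for src, ctl, mod, _ in
            effective_stack(service, "password", files) if mod == "pam_cracklib.so"]


if __name__ == "__main__":
    for entry in effective_stack("passwd", "password", SAMPLE):
        print(entry)
    print("pam_cracklib:", cracklib_entries("passwd", SAMPLE))
```

On the sample input the check is reported as coming from system-auth, not from the passwd file, and pam_unix.so follows it with use_authtok, so it takes the password handed down by the module before it.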
 