Bypass Dictionary Word password check for non-root users
We are trying to enforce some level of password complexity for our users on an RHEL6.7 server. We would like to enforce the use of at least one special character, a minimum length, digits, etc. But what our users are encountering more often than not is the 'Dictionary Word' issue. E.g. the password Sharp25! is met with the dictionary message, but !Sharp25 is accepted. Is complexity checked from L-R? Is there any way of bypassing the dictionary check so passwords like Sharp25! are accepted?
Regards
Tariq
Responses
In RHEL6 by default PAM uses pam_cracklib.so to do checking when users attempt to change their passwords. You can see the current settings with, e.g.:
[root@r68 ~]# grep cracklib /etc/pam.d/{system,password}-auth
/etc/pam.d/system-auth:password requisite pam_cracklib.so try_first_pass retry=3 type=
/etc/pam.d/password-auth:password requisite pam_cracklib.so try_first_pass retry=3 type=
You can tweak this -- of course you'll want the man page: man pam_cracklib. Basically, there are credits for different things (like digits and upper case letters). Either the credits can override the dictionary-check or the dictionary check is, like you said, somewhat anchored to the left. (I'm not sure.)
All that said, we also have the pam_passwdqc.so module in RHEL6 and it doesn't do dictionary checking. That's really what you want. It's designed to allow passphrases with dictionary words. You'd basically replace the above-mentioned password requisite pam_cracklib.so lines with password requisite pam_passwdqc.so xxxx where xxxx is settings from man pam_passwdqc. That said, you could just start with defaults (which you'll see in the man page in parentheses under each setting), e.g.:
password requisite pam_passwdqc.so
Cheers.
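A small lint for the swap described above, added here as an example and not part of the original answer. It reads a PAM stack file, reports which quality-check module is stacked on the `password` type and with what options, fails when none or both of pam_cracklib/pam_passwdqc are present, and emits the pam_passwdqc replacement line with its documented defaults spelled out (the `min=`, `max=`, `passphrase=`, `match=`, `similar=`, `random=`, `enforce=` and `retry=` values are the man-page defaults, not a policy from the thread). The sample files are constructed inline; the one-line `type control module options` syntax matches the RHEL6 lines shown in the grep output.

```shell
#!/bin/sh
# Added example: lint a PAM "password" stack for the quality-check module and
# build the pam_passwdqc replacement line.
# Assumptions (not from the original thread): one-line RHEL6 syntax
# "type control module options"; pam_passwdqc defaults taken from its man page.

# Print "<module> <control> <options>" for each quality-check line in file $1.
# Exit 2 if no such module is stacked (no complexity is enforced at all),
# exit 3 if both pam_cracklib and pam_passwdqc are stacked (users hit both).
pam_pwquality_report() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }              # comments, blanks
        $1 == "password" && $3 ~ /pam_(cracklib|passwdqc)\.so$/ {
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts (i > 4 ? " " : "") $i
            printf "%s %s%s\n", $3, $2, (opts == "" ? "" : " " opts)
            n++
        }
        END {
            if (n == 0) { print "NONE"; exit 2 }
            if (n > 1)  exit 3
        }
    ' "$1"
}

# Build the replacement line for a pam_cracklib stack: keep the control flag
# and any retry=N already configured, and write out the pam_passwdqc defaults
# so the effective policy is visible in the file rather than implied.
passwdqc_replacement_line() {
    report=$(pam_pwquality_report "$1") || return 1
    set -- $report                      # $1=module $2=control $3..=options
    [ "$1" = "pam_cracklib.so" ] || return 1
    control=$2; shift 2
    retry=3                             # pam_passwdqc default
    for opt in "$@"; do
        case $opt in retry=*) retry=${opt#retry=} ;; esac
    done
    printf 'password    %s pam_passwdqc.so min=disabled,24,11,8,7 max=40 passphrase=3 match=4 similar=deny random=47 enforce=everyone retry=%s\n' \
        "$control" "$retry"
}

# Constructed sample stacks (not copied from a real host).
SAMPLE_CRACKLIB=$(mktemp)
printf '%s\n' \
  '#%PAM-1.0' \
  'auth        required      pam_env.so' \
  'password    requisite     pam_cracklib.so try_first_pass retry=3 type=' \
  'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
  'password    required      pam_deny.so' > "$SAMPLE_CRACKLIB"

SAMPLE_BOTH=$(mktemp)                   # both modules stacked: double checking
{ cat "$SAMPLE_CRACKLIB"; echo 'password    requisite     pam_passwdqc.so'; } > "$SAMPLE_BOTH"

SAMPLE_NONE=$(mktemp)                   # quality module removed entirely
grep -v 'pam_cracklib' "$SAMPLE_CRACKLIB" > "$SAMPLE_NONE"

trap 'rm -f "$SAMPLE_CRACKLIB" "$SAMPLE_BOTH" "$SAMPLE_NONE"' EXIT

echo "Current stack:  $(pam_pwquality_report "$SAMPLE_CRACKLIB")"
echo "Replacement:    $(passwdqc_replacement_line "$SAMPLE_CRACKLIB")"
```

Run it against both files from the grep output above (`/etc/pam.d/system-auth` and `/etc/pam.d/password-auth`), since RHEL6 keeps them separate and the change has to be made in each; a non-zero exit tells you a file ended up with no quality module or with both.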
