Password rules are ignored by pam_cracklib.so


O/S = Red Hat Enterprise Linux Server release 6.7 (Santiago)

Hi, I am attempting to toughen up the password rules on an existing RHEL6 server, but my modified /etc/pam.d/system-auth is not working. All I want to do is have the following:

min length = 8 chars
min lower case = 1
min upper case = 1
min digits = 1

I therefore changed this line:
password requisite pam_cracklib.so try_first_pass retry=3 type=

...to read:
password required pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=0 difok=3

To test, I created a new account, assigned a simple password, then expired it using "chage -d0 ", and logged in with the simple password. It forced me to change it, but it let me enter a password that didn't follow the rules, such as all upper case when it needs at least 1 lower case, for example.

Any ideas?

Responses

You need to make changes both in /etc/pam.d/system-auth and password-auth files.
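One way to confirm that both files actually carry the intended pam_cracklib.so line, as an added example that is not part of this thread: the script below extracts the "password ... pam_cracklib.so" line from each file, reports any of the wanted options (minlen=8, dcredit=-1, ucredit=-1, lcredit=-1) that are missing, and flags the two files when their lines differ. The two sample files it writes to a temporary directory are constructed stand-ins (system-auth already edited, password-auth still on the RHEL 6 default line) so it runs offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the pam_cracklib.so
# "password" line in both RHEL 6 PAM stack files. Different PAM services
# include different files, so system-auth and password-auth must agree.

# Options the thread wanted to enforce (assumed target for this example).
WANTED="minlen=8 dcredit=-1 ucredit=-1 lcredit=-1"

# cracklib_line FILE: print the first uncommented "password <control>
# pam_cracklib.so ..." line from FILE with whitespace normalised; prints
# nothing if the file is absent or has no such line.
cracklib_line() {
    grep -E '^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+pam_cracklib\.so' "$1" 2>/dev/null \
        | head -n 1 | tr -s '[:space:]' ' '
}

# missing_opts FILE: print each wanted option that is absent from FILE's
# cracklib line, one per line. Prints nothing when the file is complete.
missing_opts() {
    line=$(cracklib_line "$1")
    for opt in $WANTED; do
        case " $line " in
            *" $opt "*) ;;          # option present with exactly this value
            *) echo "$opt" ;;
        esac
    done
}

# check_pair FILE1 FILE2: return 0 when both files carry every wanted option
# and their cracklib lines are identical; otherwise print what is wrong and
# return 1.
check_pair() {
    rc=0
    for f in "$1" "$2"; do
        if [ -z "$(cracklib_line "$f")" ]; then
            echo "$f: no pam_cracklib.so password line"; rc=1; continue
        fi
        m=$(missing_opts "$f")
        if [ -n "$m" ]; then
            echo "$f: missing options: $(echo $m)"; rc=1
        fi
    done
    if [ "$(cracklib_line "$1")" != "$(cracklib_line "$2")" ]; then
        echo "$1 and $2 differ; change them together"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: both files enforce: $WANTED"
    return "$rc"
}

# Constructed sample files so the example runs offline: system-auth has the
# edited line from the thread, password-auth still has the RHEL 6 default.
DEMO=$(mktemp -d)
cat > "$DEMO/system-auth" <<'EOF'
password    required      pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=0 difok=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$DEMO/password-auth" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF

# Reports the four missing options in password-auth and that the files differ.
check_pair "$DEMO/system-auth" "$DEMO/password-auth"

# On a live RHEL 6 host, run it against the real files instead:
#   check_pair /etc/pam.d/system-auth /etc/pam.d/password-auth
```

The check matches each option by exact "name=value" token, so a line carrying minlen=6 is reported as missing minlen=8 rather than silently accepted; the equality test between the two files catches the case from this thread, where only one of them was edited.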

That has worked, thanks. I didn't realize there was a 2nd file to change. I've read loads of documents on this and none referred to password-auth. It is an exact copy of system-auth, so that's a bit bizarre. One thing I did notice is that it doesn't prompt you to say that you need to enter an upper/lower case or digit if you get it wrong. It does on RHEL3; is that a security feature so you don't get clues?

Glad it worked. Yes, I'd say that is a security feature. Let's see what others would say on this.

The system should never reveal to a user any information about complexity requirements as that would allow an attacker to reduce the number of possible combinations that need to be checked while performing a brute force password attack.
