
I am configuring password rules on a Linux system (Red Hat Enterprise Linux 5). By Googling, I found that using pam_cracklib will make a simple check automatically. That is, pam_cracklib will automatically check if the new password is the reverse of the previous password. If yes, it will reject the new password.

However, when I tried a new password that was just the reverse of the previous one, the new password took effect! That is, pam_cracklib allowed the new password (the reverse of the previous one). Here is my configuration:

/etc/pam.d/system-auth:
password    required    pam_cracklib.so try_first_pass retry=3  minlen=6

Could anyone tell me if there is something wrong with my configuration? Or are there some bugs in pam_cracklib?

Thanks a lot!

zhaojing

1 Answer


You can't use try_first_pass with cracklib. It should check whether the password is a palindrome or a rotation of the old password by default.

What's more, other modules (probably pam_unix.so or pam_ldap.so) in the stack must use the use_authtok flag, or they will be allowed to ask the user for a password if the previous module didn't accept the provided password.

In short, try:

# pam_cracklib runs first (no try_first_pass) and performs the strength checks
password    required    pam_cracklib.so retry=3  minlen=6
# use_authtok makes pam_unix take the password cracklib already accepted instead of prompting again
password    required    pam_unix.so use_authtok nullok md5

The nullok flag tells the module it's OK to change the password from an empty one (the usual method of forcing a password change on UNIX systems); you can remove it if you don't use this functionality.

Hubert Kario
  • But it seems the method you proposed still can't solve the problem. – zhaojing Sep 30 '10 at 02:45
  • For example, if I first set passwd: 1qaz2wsx, and then set passwd: xsw2zaq1, it works. So the rotation checking doesn't seem to take effect. – zhaojing Sep 30 '10 at 02:46
  • The palindrome check is just for the new password (you can't have a "qwertrewq" password). The rotation check is only for simple word rotation, as when you start a word in the middle and add the start to the end: so with the old password "password", the new password can't be "sswordpa" or "wordpass". As such, I don't think you should worry about this combination; it's rather obscure. Anyway, you may be interested in the discussion at http://serverfault.com/questions/4221/user-password-age-complexity-policy. – Hubert Kario Sep 30 '10 at 08:02
  • Hubert, thanks a lot for your help and your suggested webpage. – zhaojing Sep 30 '10 at 08:40
  • In fact, the information from Google confused me. – zhaojing Sep 30 '10 at 08:42
  • http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html – zhaojing Sep 30 '10 at 08:43
  • Learning from the above http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html, it says: pam_cracklib will check "Is the new password just the old password with the letters reversed ("password" vs. "drowssap") or rotated ("password" vs. "asswordp")?" – zhaojing Sep 30 '10 at 08:44
  • Thanks a lot for your suggested webpage. It's really a great help! – zhaojing Sep 30 '10 at 08:47
  • The deer-run site is wrong; I too first thought that the module didn't work properly. I got the simple rotation check from the source code. The exact thing that the module checks is whether the new password is a substring of the concatenated old password; in the above example, whether it's a substring of "passwordpassword". – Hubert Kario Sep 30 '10 at 09:00
  • Hubert, thanks a lot for your response. The deer-run site really confused me for two days. Thanks :-) – zhaojing Sep 30 '10 at 09:09
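The old-versus-new comparisons described in the answer and in the comment about the "passwordpassword" substring test, modelled in Python as an added example (this is not code from the page or from pam_cracklib itself). It assumes, as pam_cracklib does, that both passwords are lower-cased before comparison, and it adds an optional reversed-password check that pam_cracklib does not perform, so a site that wants the behaviour the deer-run page wrongly attributed to the module can see what that extra test would look like. The sample passwords are the ones from the thread.

```python
"""Model of pam_cracklib's old-vs-new password comparisons (added example).

The rotation test is the one quoted in the comments: the new password is
rejected if it is a substring of the old password concatenated with itself.
The reversal test is NOT something pam_cracklib does; it is included only to
show what an extra policy check for that case would look like.
"""


def _mono(pw: str) -> str:
    """Case-folded copy, matching the module's comparison on lower-cased text (assumption)."""
    return pw.lower()


def is_palindrome(pw: str) -> bool:
    """'qwertrewq' reads the same backwards, so it is rejected regardless of the old password."""
    m = _mono(pw)
    return len(m) > 0 and m == m[::-1]


def is_case_change_only(old: str, new: str) -> bool:
    """Same characters, only the case differs (e.g. 'password' -> 'PassWord')."""
    return old != new and _mono(old) == _mono(new)


def is_rotation(old: str, new: str) -> bool:
    """strstr(old+old, new): catches 'sswordpa' and 'wordpass' for old='password'."""
    o, n = _mono(old), _mono(new)
    if not o or not n:
        return False
    return n in (o + o)


def is_reversal(old: str, new: str) -> bool:
    """Extra check (not in pam_cracklib): new is old spelled backwards."""
    o, n = _mono(old), _mono(new)
    return len(o) > 0 and n == o[::-1]


def check_change(old: str, new: str, reject_reversed: bool = False):
    """Return the rejection reason in pam_cracklib's wording, or None if the change passes."""
    if is_palindrome(new):
        return "is a palindrome"
    if is_case_change_only(old, new):
        return "case changes only"
    if is_rotation(old, new):
        return "is rotated"
    if reject_reversed and is_reversal(old, new):
        return "is the old password reversed"  # wording of the added check
    return None


if __name__ == "__main__":
    # Constructed sample pairs; the 1qaz2wsx / xsw2zaq1 pair is the one from the question.
    pairs = [("password", "sswordpa"), ("password", "wordpass"),
             ("password", "PassWord"), ("anything", "qwertrewq"),
             ("1qaz2wsx", "xsw2zaq1")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'accepted'}")
    # With the extra reversal test the reversed password is also rejected.
    print(check_change("1qaz2wsx", "xsw2zaq1", reject_reversed=True))
```

Running the block shows why the poster's experiment succeeded: "xsw2zaq1" is not a palindrome, not a case change, and not a substring of "1qaz2wsx1qaz2wsx", so the module has no rule that rejects it; only the added reversal test does.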