
Everything I find online mentions commenting out cracklib... but it doesn't exist in my system-auth file.

I would like to disable the dictionary check that CentOS does when a user is changing their password.

This is my system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retr$
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_a$
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet$
session     required      pam_unix.so
Calab

2 Answers


With the strong warning that you shouldn't be trying to disable this to begin with:

The dictionary check is handled by cracklib, via pam_pwquality, which you should have seen present in the /etc/pam.d/system-auth file.

The man page for the current version of pam_pwquality suggests an option to disable the dictionary check:

       dictcheck=N
           If nonzero, check whether the password (with possible
           modifications) matches a word in a dictionary. Currently the
           dictionary check is performed using the cracklib library. The
           default is 1 which means that this check is enabled.

The man page also states that you can add this into /etc/security/pwquality.conf or as an option in /etc/pam.d/system-auth (which may be overwritten by system tools, so you should avoid altering it when you can).

Unfortunately the version of pam_pwquality shipped by Red Hat in EL 7 doesn't support the dictcheck option. So your only real solution is to not use pam_pwquality at all. Note that commenting this out will also disable all of the other checks it performs, such as minimum password length and character complexity.

Michael Hampton
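As an added example (not code from either answer), the POSIX sh script below makes the change the answer above recommends in the place it recommends: it sets dictcheck = 0 in a file using the /etc/security/pwquality.conf format ("key = value", "#" comments), uncommenting the existing "# dictcheck = 1" line in place rather than appending a duplicate, and writes back through the existing inode so file mode and SELinux label survive. It runs only on a constructed sample in a temp directory; point it at the real file yourself. The pwscore step is optional and assumes pwscore accepts a configuration-file path as its first argument. As the answer notes, this only takes effect on a libpwquality that understands dictcheck, which the EL 7 build does not.

```shell
#!/bin/sh
# Added example, not code from the answers above. Edits a file in the
# /etc/security/pwquality.conf format ("key = value", "#" comments) so the
# change survives authconfig regenerating /etc/pam.d/system-auth.
set -eu

# set_pwquality_opt FILE KEY VALUE
# Rewrites the first "KEY = ..." line, commented out or not, to "KEY = VALUE";
# appends the line if none exists. Running it twice leaves a single line.
set_pwquality_opt() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        !done && $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "[[:space:]]*=") {
            print k " = " v; done = 1; next
        }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp"
    # write back through the existing inode to keep mode, owner and SELinux label
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_pwquality_opt FILE KEY
# Prints the effective value (last uncommented assignment wins) or nothing.
get_pwquality_opt() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); last = val }
        END { if (last != "") print last }
    ' "$1"
}

# Demo on a constructed copy, never on the live /etc/security/pwquality.conf.
demo_dir=$(mktemp -d)
conf="$demo_dir/pwquality.conf"
cat > "$conf" <<'EOF'
# Configuration for systemwide password quality limits (constructed sample)
# dictcheck = 1
minlen = 8
EOF
set_pwquality_opt "$conf" dictcheck 0
echo "dictcheck is now: $(get_pwquality_opt "$conf" dictcheck)"

# Optional check: pwscore reads a candidate password on stdin and names the
# test it fails; assumed here to accept a config path as its first argument.
if command -v pwscore >/dev/null 2>&1; then
    printf '%s\n' password | pwscore "$conf" || true
fi
rm -rf "$demo_dir"
```

Run it as root against the real file with set_pwquality_opt /etc/security/pwquality.conf dictcheck 0 once you have confirmed the installed pam_pwquality documents dictcheck in its man page; otherwise the line is at best ignored.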

The best solution that I have found for this is to create a new, empty cracklib dictionary. The dictcheck = 0 option does not seem to work on CentOS 7.

The default cracklib dictionary is under /usr/share/cracklib/. Create a new empty word file and build a dictionary from it:

touch /usr/share/words
create-cracklib-dict /usr/share/words

WARNING: This will overwrite your default dictionary, so be sure to back up the /usr/share/cracklib/pw_dict.* files if you want to revert.

jlyonsmith
  • This did not work with an empty `/usr/share/words` file. It did work just by installing `words` first, though. – wim Mar 24 '20 at 18:20