Red Hat Bugzilla – Bug 117401
using minlen=N does not seem to work with pam_cracklib
Last modified: 2015-01-07 19:07:28 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Description of problem:
I am trying without success to have cracklib force users to have a password
longer than 8 characters.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
However, users are still allowed to change their password to a shorter
Note that if I set minlen=2, I still have the 6 character length
limitation active too.
I'm using pam-0.75-46.7.3
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. In /etc/pam.d/system-auth add minlen=8 (or whatever integer you
prefer not equal to 6).
2. Log in as a user, try to change the password with passwd. Try to
use a password that is too short.
Actual Results: password gets changed
Expected Results: "password too short" error message
minlen alone is not sufficient, you also have to set the following:
ocredit=N Weight, digits, upper, lower, other characters with
count N. Use these values to compute the
'unsimplicity' of the password.
Looking at the source code, it seems that the actual minimum length is
computed as minlen - dcredit - ucredit - lcredit - ocredit; basically
it is not a minimum length but rather a "minimum simplicity".
Setting minlen to 8, for example, and the "credit" parameters to 0
should yield the desired result.
By playing with minlen and the credit parameters, you can allow for
constraints like "at least one digit", "at least one capital letter"
and so on.
I hope this helps.
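The arithmetic described in the comment above, worked through as a small Python model. This is an added example, not code from the bug report and not pam_cracklib's own source: it reimplements the documented scoring so you can see why minlen=8 with the default credits of 1 per class still accepts a four-character password, and why zeroing the credits turns minlen into a real length floor. Two things in it are assumptions rather than statements from the thread: the clamp that raises any minlen below 6 to 6 (modelled on the reporter's observation with minlen=2), and the treatment of a negative credit as a hard "at least N characters of this class" requirement, which is a later pam_cracklib feature not mentioned here. With positive credits only, "at least one digit" is not enforceable; a digit merely shortens the required length by one.

```python
"""Model of pam_cracklib's minlen/credit check (added illustration, not the
module's code).  Semantics modelled:

  * minlen is a target score, not a raw length floor;
  * a positive Xcredit lets characters of class X earn up to Xcredit points,
    so the required length is
        minlen - min(ndigits, dcredit) - min(nupper, ucredit)
               - min(nlower, lcredit) - min(nother, ocredit);
  * a negative Xcredit (ASSUMPTION: later-version feature, not in the thread)
    requires at least |Xcredit| characters of class X and earns no credit;
  * minlen < 6 is raised to 6 (ASSUMPTION: clamp inferred from the reporter's
    observation that minlen=2 still enforced 6 characters).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CracklibOptions:
    """Mirrors the module arguments: minlen=, dcredit=, ucredit=, lcredit=, ocredit=."""
    minlen: int = 9
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1

    def __post_init__(self) -> None:
        # Assumed clamp: a target below 6 is silently raised to 6.
        if self.minlen < 6:
            self.minlen = 6


def classify(password: str) -> Dict[str, int]:
    """Count digits, upper-case, lower-case and 'other' characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def required_length(opts: CracklibOptions, password: str) -> Optional[int]:
    """Effective minimum length for this particular password.

    Returns None when a negative credit (hard class requirement) is unmet,
    which rejects the password regardless of its length.
    """
    counts = classify(password)
    size = opts.minlen
    for cls, credit in (("d", opts.dcredit), ("u", opts.ucredit),
                        ("l", opts.lcredit), ("o", opts.ocredit)):
        if credit >= 0:
            size -= min(counts[cls], credit)      # credit capped per class
        elif counts[cls] < -credit:
            return None                           # hard requirement failed
    return size


def is_simple(opts: CracklibOptions, password: str) -> bool:
    """True when the module would reject the password as too simple."""
    size = required_length(opts, password)
    return size is None or len(password) < size


def evaluate(opts: CracklibOptions, passwords: List[str]) -> List[Tuple[str, Optional[int], bool]]:
    """Tabulate (password, required length, accepted?) for a candidate list."""
    return [(p, required_length(opts, p), not is_simple(opts, p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords; none of these come from the bug report.
    candidates = ["aB1!", "abcde", "abcdefg", "abcdefgh", "abcdefg1"]

    # What the reporter effectively ran: minlen=8 with default credits of 1.
    reported = CracklibOptions(minlen=8)
    # The fix suggested in the comment: minlen=8 and all credits 0.
    strict = CracklibOptions(minlen=8, dcredit=0, ucredit=0, lcredit=0, ocredit=0)
    # "At least one digit" as a hard rule (assumed negative-credit semantics).
    one_digit = CracklibOptions(minlen=8, dcredit=-1, ucredit=0, lcredit=0, ocredit=0)

    for label, opts in (("minlen=8 (default credits)", reported),
                        ("minlen=8 credits=0", strict),
                        ("minlen=8 dcredit=-1", one_digit)):
        print(label)
        for pw, need, ok in evaluate(opts, candidates):
            print(f"  {pw!r:12} required={need!s:5} {'accepted' if ok else 'rejected'}")
```

Running it shows the reporter's symptom directly: under minlen=8 with the default credits, "aB1!" needs only 4 characters (8 minus one credit for each of the four classes) and "abcdefg" passes at 7, while the credits=0 configuration rejects everything shorter than 8. The negative-credit case is the only one that rejects "abcdefgh" for lacking a digit.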