Bug 17487 - minlength in cracklib.so not used
minlength in cracklib.so not used
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam (Show other bugs)
3.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brock Organ
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-09-13 21:51 EDT by Gerhard Mourani
Modified: 2007-11-30 17:06 EST (History)
2 users (show)

See Also:
Fixed In Version: pam-0.75-62
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-27 10:53:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gerhard Mourani 2000-09-13 21:51:51 EDT
Into the file "/etc/login.defs" which are related to shadow-utils package, changing the default parameter of PASS_MIN_LEN (Minimum 
acceptable password length) which is: PASS_MIN_LEN    5 to something like 8 or more doesn't work. The new parameter doesn't take effect 
and 5 are still the minimum.

/ / Gerhard Mourani
Comment 1 Nalin Dahyabhai 2000-09-13 22:57:05 EDT
The /etc/login.defs file is deprecated; password strength is enforced by the
call to the pam_securetty.so module in /etc/pam.d/system-auth.  Specifically,
adding a "minlen=8" to the line that includes it should do what you want.
Comment 2 Gerhard Mourani 2000-09-13 23:21:54 EDT
Adding the following line: (password   required   /lib/security/pam_securetty.so minlen=8) to the "/etc/pam.d/system-auth" file do nothing!
Comment 3 Nalin Dahyabhai 2000-09-14 09:57:24 EDT
Urk, I think I need to get more sleep.  The password strength is enforced by
pam_cracklib.so, which should already be used in the the system-auth file. 
Sorry about the mix-up.
Comment 4 Gerhard Mourani 2000-09-14 11:39:58 EDT
Hum, it doesn't work again, I'm adding minlen=8 at the end of the line that read (password required /lib/security/pam_cracklib.so retry=3) to be (password 
required /lib/security/pam_cracklib.so retry=3 minlen=8) in the system-auth file without any result.
Comment 5 Nalin Dahyabhai 2000-09-14 11:49:55 EDT
Hmmm.... I'm going to have to have a closer look, then.
Comment 6 Werner Puschitz 2001-01-28 19:05:26 EST
When has the closer look been done? This bug was opened in September last
year!!! 
I'm working on a project to get Linux in our +300 AIX server shop. And one of my
task will be to decide if we should go with SuSE or with RedHat. I'm used to a
great support
from IBM and this bug report doesn't convince me that RedHat is providing a good
support.

Anyway, gmourani is right that adding the parameter minlen to pam_cracklib.so in
/etc/pam.d/system-auth doesn't work. And it has cost me about 4 hours to figure
out that I didn't do anything wrong.

I am able to enforce the minimum password length when I do the following:

- Put the following line in /etc/pam.d/passwd under comment:
   #password   required     /lib/security/pam_stack.so service=system-auth
- Now add the following lines from /etc/pam.d/system-auth to /etc/pam.d/passwd:
   password    required      /lib/security/pam_cracklib.so retry=3 debug
   password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
shadow debug
   password    required      /lib/security/pam_deny.so
- Now add minlen to pam_cracklib.so in /etc/pam.d/passwd:
   password    required      /lib/security/pam_cracklib.so retry=3 minlen=20

This is working. minlen has no effect if it is set in system-auth.

Regards,
Werner

Comment 7 Gerhard Mourani 2001-01-29 10:20:07 EST
Making the above changes to the required /etc/pam.d/system-auth and /etc/pam.d/passwd files doesn't work with RH Linux 70. Below are the changes 
brings to these files.

For /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth          sufficient     /lib/security/pam_unix.so likeauth nullok md5 shadow
auth          required      /lib/security/pam_deny.so
account     sufficient     /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

For /etc/pam.d/passwd:
#%PAM-1.0
auth           required      /lib/security/pam_stack.so service=system-auth
account      required      /lib/security/pam_stack.so service=system-auth
password    required      /lib/security/pam_cracklib.so retry=3 minlen=10
password    sufficient     /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

Any helps will be greatly appreciated.
Regards,
Comment 8 Werner Puschitz 2001-01-29 11:00:19 EST
Gerhard,
I tested it on RH7.0. You need to keep in mind that this module includes a
credit mechanism.
E.g. if you define minlen=12, then you will get 1 credit for e.g. including a
single digit number in your password, or for including a non-alphanumeric
character. Getting 1 credit means that the module will accept a password of the
length of minlen-credit. When you check the parameters of the cracklib module,
you will see that it has some parameters that let you define what a credit is. 

But I never worked with the PAM modules before, so I don't know exactly yet how
I have to set it up that it works the way I like. But here are some examples I
tested:

minlen    The following password was accepted,   was not accepted
10          qwertasdf                                            qwertasd
12          qwertasdfgz                                         qwertasdfg
14          qwertasdfgzxc                                      qwertasdfgzx
14          qwertasdf1$

You can see that I got 1 credit for a alphanumeric character and a credit for
each non-alphanumeric character. "qwertasdf1$" has a length of 11, 1 credit for
alpha-numeric, 2 credits for non-alphanumeric character - "1" and "$" - which
gives me a credit of 3, hence the password length of 11 was accepted.

Hope this helps
Werner
Comment 9 Nalin Dahyabhai 2001-01-29 14:55:37 EST
Got pulled off into looking at bugs in password-strength calculations.

At any rate, the minimum length is adjusted by the mixture of types of
characters used in the password.  Using digits (up to the number specified with
the "dcredit=" parameter, which defaults to 1) or uppercase letters ("ucredit")
or lowercasse letters ("lcredit") or other types of letters ("ocredit") will
decrease the minimum length by up to four.

A password with 9 lowercase letters in it will pass a minimum length set to 10
unless "lcredit=0" is used, because a credit is granted for the use of a
lowercase letter.  If the mixture includes an uppercase letter, a lowercase
letter, and a digit, then a minlength of 8 effectively becomes 5.

This was not properly documented in any 0.72 version of the PAM package, but
that has been rectified in PAM 0.74 in Raw Hide.

gmourani, does this explain the behavior you're seeing?
Comment 10 Gerhard Mourani 2001-01-29 19:37:00 EST
> gmourani, does this explain the behavior you're seeing?
No, the problem is that if for example I enter a passwd lenght of 6 (character & digits) , the system accept the passwd even
if I set the minlen to 20.
Comment 11 Alan Cox 2002-12-18 10:03:50 EST
Just doing a double checking pass over old bugs that for some reason didnt get
closed.

Seems to be working correctly (with the extra credit stuff which is confusing
but not a security thing), as of current RH.


Comment 12 Werner Puschitz 2002-12-19 09:55:49 EST
Just wanted to add some comments.

The current pam_cracklib module on Red Hat Linux does not give the option to define:
- a minimum number of lower case letters
- a minimum number of upper case letters
- a minimum number of digits
- a minimum number of other characters
for a password with minimum length x. 

Instead it's using the confusing credit thing. But I think the above options
would be important.

I wrote a patch for pam_cracklib.c were you can setup these restrictions by
assigning negative numbers to lcredit, ucredit, dcredit, and ocredit. I
documented it at:
http://www.puschitz.com/Security.shtml, chapter "Setting Up Password Restrictions"

You can find the procedure and the patch at 
http://www.puschitz.com/pam_cracklib_patch.shtml
http://www.puschitz.com/pam_cracklib.c.patch

Werner
Comment 13 Eric Paris 2004-10-11 18:37:35 EDT
Not fixed and working in AS 2.1 or 3.  Customers are reporting this

password    required      /lib/security/pam_cracklib.so retry=3
minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=2 minlength=40
type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password    required      /lib/security/pam_deny.so


I tried with both positve and negative credit values.  I also tried
with no credit values set at all.

[eparis@dhcp59-149 eparis]$ passwd
Changing password for user eparis.
Changing password for eparis
(current) UNIX password: 
New password: 
Retype new password: 

the password used was a1s2d3f4    which obviously is not 40 characters
long no matter what we set the credit values to.   This is found in
both RHEL 2.1 and RHEL 3.
Comment 16 Werner Puschitz 2004-11-18 23:19:15 EST
I checked Fedora Core 3. The PAM RPM that comes with FC3 has the
enhancements I made to pam_cracklib. It is now possible to configure
negative credit values and minlen is working.

For example:
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
minlen=40 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

The following password worked:
A3#ocnwvnaiasofdiasdofiawoinwweoifaweasd

The following passwords did not work:
ab#ocnwvnaiasofdiasdofiawoinwweoifaweasd
A3cocnwvnaiasofdiasdofiawoinwweoifaweasd
A3#ocnwvnaiasofdiasdofiawoinwweoifaweas

NOTE: Don't use the parameter minlength and minlen like in the example
above. minlength does not exist.

Here are configuration examples I added to the PAM doc, see
file:///usr/share/doc/pam-0.77/html/pam-6.html#ss6.3

==========
And here is another example in case you don't want to use credits:
#%PAM-1.0
#
# These lines require the user to select a password with a minimum
# length of 8 and with at least 1 digit number, 1 upper case letter,
# and 1 other character
#
password  required pam_cracklib.so \
               dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password  required pam_pwdb.so use_authtok nullok md5

In this example we simply say that the password must have a minimum
length of 8:

#%PAM-1.0
#
# These lines require the user to select a password with a mimimum
# length of 8. He gets no credits and he is not forced to use
# digit numbers, upper case letters etc.
#
password  required pam_cracklib.so \
               dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8
password  required pam_pwdb.so use_authtok nullok md5
==========

Werner Puschitz
http://www.puschitz.com/

Note You need to log in before you can comment on or make changes to this bug.