In the file "/etc/login.defs", which belongs to the shadow-utils package, changing the default parameter PASS_MIN_LEN (minimum acceptable password length), which is "PASS_MIN_LEN 5", to something like 8 or more doesn't work. The new parameter doesn't take effect and 5 is still the minimum.

Gerhard Mourani
The /etc/login.defs file is deprecated; password strength is enforced by the call to the pam_securetty.so module in /etc/pam.d/system-auth. Specifically, adding a "minlen=8" to the line that includes it should do what you want.
Adding the following line to the "/etc/pam.d/system-auth" file does nothing!

password required /lib/security/pam_securetty.so minlen=8
Urk, I think I need to get more sleep. The password strength is enforced by pam_cracklib.so, which should already be used in the system-auth file. Sorry about the mix-up.
Hum, it still doesn't work. I'm adding minlen=8 at the end of the line in the system-auth file that reads

password required /lib/security/pam_cracklib.so retry=3

so that it becomes

password required /lib/security/pam_cracklib.so retry=3 minlen=8

without any result.
Hmmm.... I'm going to have to have a closer look, then.
When has the closer look been done? This bug was opened in September last year!!! I'm working on a project to get Linux into our +300 AIX server shop, and one of my tasks will be to decide if we should go with SuSE or with RedHat. I'm used to great support from IBM and this bug report doesn't convince me that RedHat is providing good support. Anyway, gmourani is right that adding the parameter minlen to pam_cracklib.so in /etc/pam.d/system-auth doesn't work. And it has cost me about 4 hours to figure out that I didn't do anything wrong.

I am able to enforce the minimum password length when I do the following:

- Put the following line in /etc/pam.d/passwd under comment:
  #password required /lib/security/pam_stack.so service=system-auth

- Now add the following lines from /etc/pam.d/system-auth to /etc/pam.d/passwd:
  password required /lib/security/pam_cracklib.so retry=3 debug
  password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow debug
  password required /lib/security/pam_deny.so

- Now add minlen to pam_cracklib.so in /etc/pam.d/passwd:
  password required /lib/security/pam_cracklib.so retry=3 minlen=20

This is working. minlen has no effect if it is set in system-auth.

Regards,
Werner
Making the above changes to the required /etc/pam.d/system-auth and /etc/pam.d/passwd files doesn't work with RH Linux 7.0. Below are the changes brought to these files.

For /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

For /etc/pam.d/passwd:

#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_cracklib.so retry=3 minlen=10
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

Any help will be greatly appreciated.

Regards,
Gerhard, I tested it on RH7.0. You need to keep in mind that this module includes a credit mechanism. E.g. if you define minlen=12, then you will get 1 credit for e.g. including a single digit in your password, or for including a non-alphanumeric character. Getting 1 credit means that the module will accept a password of length minlen-credit. When you check the parameters of the cracklib module, you will see that it has some parameters that let you define what a credit is. But I never worked with the PAM modules before, so I don't know exactly yet how I have to set it up so that it works the way I like. But here are some examples I tested:

minlen   password accepted   password not accepted
10       qwertasdf           qwertasd
12       qwertasdfgz         qwertasdfg
14       qwertasdfgzxc       qwertasdfgzx
14       qwertasdf1$

You can see that I got 1 credit for an alphanumeric character and a credit for each non-alphanumeric character. "qwertasdf1$" has a length of 11, 1 credit for alpha-numeric, 2 credits for non-alphanumeric characters - "1" and "$" - which gives me a credit of 3, hence the password length of 11 was accepted.

Hope this helps
Werner
Got pulled off into looking at bugs in password-strength calculations. At any rate, the minimum length is adjusted by the mixture of types of characters used in the password. Using digits (up to the number specified with the "dcredit=" parameter, which defaults to 1) or uppercase letters ("ucredit") or lowercase letters ("lcredit") or other types of characters ("ocredit") will decrease the minimum length by up to four. A password with 9 lowercase letters in it will pass a minimum length set to 10 unless "lcredit=0" is used, because a credit is granted for the use of a lowercase letter. If the mixture includes an uppercase letter, a lowercase letter, and a digit, then a minlength of 8 effectively becomes 5. This was not properly documented in any 0.72 version of the PAM package, but that has been rectified in PAM 0.74 in Raw Hide. gmourani, does this explain the behavior you're seeing?
> gmourani, does this explain the behavior you're seeing?

No, the problem is that if for example I enter a passwd length of 6 (characters & digits), the system accepts the passwd even if I set the minlen to 20.
Just doing a double-checking pass over old bugs that for some reason didn't get closed. Seems to be working correctly (with the extra credit stuff which is confusing but not a security thing), as of current RH.
Just wanted to add some comments. The current pam_cracklib module on Red Hat Linux does not give the option to define:

- a minimum number of lower case letters
- a minimum number of upper case letters
- a minimum number of digits
- a minimum number of other characters

for a password with minimum length x. Instead it's using the confusing credit thing. But I think the above options would be important. I wrote a patch for pam_cracklib.c where you can set up these restrictions by assigning negative numbers to lcredit, ucredit, dcredit, and ocredit. I documented it at: http://www.puschitz.com/Security.shtml, chapter "Setting Up Password Restrictions"

You can find the procedure and the patch at
http://www.puschitz.com/pam_cracklib_patch.shtml
http://www.puschitz.com/pam_cracklib.c.patch

Werner
Not fixed and working in AS 2.1 or 3. Customers are reporting this:

password required /lib/security/pam_cracklib.so retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=2 minlength=40 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

I tried with both positive and negative credit values. I also tried with no credit values set at all.

[eparis@dhcp59-149 eparis]$ passwd
Changing password for user eparis.
Changing password for eparis
(current) UNIX password:
New password:
Retype new password:

The password used was a1s2d3f4 which obviously is not 40 characters long no matter what we set the credit values to. This is found in both RHEL 2.1 and RHEL 3.
I checked Fedora Core 3. The PAM RPM that comes with FC3 has the enhancements I made to pam_cracklib. It is now possible to configure negative credit values and minlen is working. For example:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=40 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

The following password worked:
A3#ocnwvnaiasofdiasdofiawoinwweoifaweasd

The following passwords did not work:
ab#ocnwvnaiasofdiasdofiawoinwweoifaweasd
A3cocnwvnaiasofdiasdofiawoinwweoifaweasd
A3#ocnwvnaiasofdiasdofiawoinwweoifaweas

NOTE: Don't use the parameters minlength and minlen like in the example above. minlength does not exist.

Here are configuration examples I added to the PAM doc, see file:///usr/share/doc/pam-0.77/html/pam-6.html#ss6.3

==========
And here is another example in case you don't want to use credits:

#%PAM-1.0
#
# These lines require the user to select a password with a minimum
# length of 8 and with at least 1 digit number, 1 upper case letter,
# and 1 other character
#
password required pam_cracklib.so \
    dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password required pam_pwdb.so use_authtok nullok md5

In this example we simply say that the password must have a minimum length of 8:

#%PAM-1.0
#
# These lines require the user to select a password with a minimum
# length of 8. He gets no credits and he is not forced to use
# digit numbers, upper case letters etc.
#
password required pam_cracklib.so \
    dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8
password required pam_pwdb.so use_authtok nullok md5
==========

Werner Puschitz
http://www.puschitz.com/
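To make the credit arithmetic discussed in this thread concrete, here is an added Python model of the pam_cracklib length check; it is written for this page, not taken from the bug report or from the PAM sources. It reproduces the accepted and rejected passwords Werner lists for minlen=10/12/14 with default credits and for minlen=40 with all credits set to -1 (the real module also runs dictionary, similarity and palindrome checks, which are not modelled here).

```python
from dataclasses import dataclass


@dataclass
class CracklibOpts:
    # Only the options that affect the length check are modelled.
    minlen: int = 9
    dcredit: int = 1  # digits
    ucredit: int = 1  # upper-case letters
    lcredit: int = 1  # lower-case letters
    ocredit: int = 1  # anything else (punctuation, space, ...)


def count_classes(pw):
    """Count characters per class (ASCII classes, as the module does)."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in pw:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def effective_length(pw, opts):
    """Return (length counted against minlen, rejection reason or None).

    A credit >= 0 adds up to that many characters of its class to the
    length, so a 9-letter lowercase password passes minlen=10.  A negative
    credit adds nothing and is a hard minimum count for that class instead.
    """
    counts = count_classes(pw)
    credits = {"d": opts.dcredit, "u": opts.ucredit,
               "l": opts.lcredit, "o": opts.ocredit}
    size = len(pw)
    for cls, credit in credits.items():
        if credit >= 0:
            size += min(counts[cls], credit)
        elif counts[cls] < -credit:
            return size, f"needs at least {-credit} characters of class {cls}"
    return size, None


def accepted(pw, opts):
    """True when pw meets minlen after credits and per-class minimums."""
    size, reason = effective_length(pw, opts)
    return reason is None and size >= opts.minlen
```

Setting a credit to 0 (as in the second configuration example above) disables the bonus for that class, so minlen then means the literal password length.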