Red Hat Bugzilla – Bug 91444
pam_cracklib.so, does not support password requirements correctly
Last modified: 2015-01-07 19:05:09 EST
Description of problem:
At our company we require the password to be 8 characters, and contain three of
the following (a lower case character, a upper case character, a digit, or a
special character). The only way I have been able to implement this on Red Hat
Linux is to set the following line in /etc/pam.d/system-auth.
password required /lib/security/pam_cracklib.so retry=3 minlen=11
lcredit=1 ucredit=1 dcredit=1 ocredit=1
This works somewhat, but users can still enter 11 lower case characters and it
I found some documentation that says -1 will require at least one, but that
does not seem to work in Red Hat.
Here is the link to the documentation I found:
Another problem with pam_cracklib.so in Red Hat is the Red Hat utilities over
write any changes that were manually entered. So if someone runs authconfig
after the above changes were entered, the default settings are put back and any
changes are deleted.
Version-Release number of selected component (if applicable):
1. configure /etc/pam.d/system-auth
2. attempt to change a password with different combinations to see if the
expected results happen
3. run authconfig, after running check the settings in /etc/pam.d/system-auth,
they should now be removed
I can find no configuration were I can setup the min number of characters is 8
and require the user to enter special characters. authconfig always removes
I think authconfig needs to either contain a way to set these settings, or it
needs to not erase changes which have been entered to /etc/pam.d/system-auth.
I would also like some kind of way to setup password requirements that users
cannot get around by entering a large number of characters.
I also have found this same problem in RedHat 6.2-9.0 and Mandrake 8.1-9.1. On
each of these I tried the example given for /etc/pam.d/system-auth in the URL
above for 8 characters minimum, with at least 1 upper case, 1 digit, and 1 other
"password required pam_cracklib.so difok=3 dcredit=-1 ucredit=-1 ocredit=-1