Bug 91444 - pam_cracklib.so, does not support password requirements correctly
Summary: pam_cracklib.so, does not support password requirements correctly
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.3
Hardware: All Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
Reported: 2003-05-22 17:18 UTC by Chris
Modified: 2015-01-08 00:05 UTC

Fixed In Version: FC2
Doc Type: Bug Fix
Last Closed: 2004-09-21 15:03:11 UTC


Description Chris 2003-05-22 17:18:57 UTC
Description of problem:
At our company we require the password to be 8 characters, and contain three of 
the following (a lower case character, an upper case character, a digit, or a 
special character).  The only way I have been able to implement this on Red Hat 
Linux is to set the following line in /etc/pam.d/system-auth.

password    required      /lib/security/pam_cracklib.so retry=3 minlen=11 
lcredit=1 ucredit=1 dcredit=1 ocredit=1

This works somewhat, but users can still enter 11 lower case characters and it 

I found some documentation that says -1 will require at least one, but that 
does not seem to work in Red Hat.
Here is the link to the documentation I found: 

Another problem with pam_cracklib.so in Red Hat is that the Red Hat utilities 
overwrite any changes that were manually entered.  So if someone runs authconfig 
after the above changes were entered, the default settings are put back and any 
changes are deleted.

Version-Release number of selected component (if applicable):

How reproducible:
1. configure /etc/pam.d/system-auth
2. attempt to change a password with different combinations to see if the 
expected results happen
3. run authconfig, after running check the settings in /etc/pam.d/system-auth, 
they should now be removed
Actual results:
I can find no configuration where I can set the minimum number of characters to 8 
and require the user to enter special characters.  authconfig always removes 
any changes.

Expected results:
I think authconfig needs to either contain a way to set these settings, or it 
needs to not erase changes which have been entered to /etc/pam.d/system-auth.  
I would also like some kind of way to set up password requirements that users 
cannot get around by entering a large number of characters.

Additional info:

Comment 1 Virtual Janitor 2003-09-04 21:21:22 UTC
I also have found this same problem in RedHat 6.2-9.0 and Mandrake 8.1-9.1.  On
each of these I tried the example given for /etc/pam.d/system-auth in the URL
above for 8 characters minimum, with at least 1 upper case, 1 digit, and 1 other
"password  required pam_cracklib.so difok=3 dcredit=-1 ucredit=-1 ocredit=-1
lcredit=0 minlen=8"
