Description of problem:
At our company we require the password to be 8 characters, and contain three of the following (a lower case character, an upper case character, a digit, or a special character). The only way I have been able to implement this on Red Hat Linux is to set the following line in /etc/pam.d/system-auth.

password required /lib/security/pam_cracklib.so retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1

This works somewhat, but users can still enter 11 lower case characters and it works. I found some documentation that says -1 will require at least one, but that does not seem to work in Red Hat. Here is the link to the documentation I found:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3

Another problem with pam_cracklib.so in Red Hat is that the Red Hat utilities overwrite any changes that were manually entered. So if someone runs authconfig after the above changes were entered, the default settings are put back and any changes are deleted.

Version-Release number of selected component (if applicable):
pam-0.75-46.7.3

How reproducible:
1. Configure /etc/pam.d/system-auth.
2. Attempt to change a password with different combinations to see if the expected results happen.
3. Run authconfig; after running it, check the settings in /etc/pam.d/system-auth. They should now be removed.

Actual results:
I can find no configuration where I can set up the min number of characters as 8 and require the user to enter special characters. authconfig always removes any changes.

Expected results:
I think authconfig needs to either contain a way to set these settings, or it needs to not erase changes which have been entered to /etc/pam.d/system-auth. I would also like some kind of way to set up password requirements that users cannot get around by entering a large number of characters.

Additional info:
I also have found this same problem in Red Hat 6.2-9.0 and Mandrake 8.1-9.1. On each of these I tried the example given for /etc/pam.d/system-auth in the URL above for 8 characters minimum, with at least 1 upper case, 1 digit, and 1 other character:

"password required pam_cracklib.so difok=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8"
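
Added example (not part of the report and not pam_cracklib's own code): a small C model of the minlen/credit arithmetic as the Linux-PAM documentation describes it, applied to the two configurations quoted above. All names are hypothetical, the sample passwords are constructed, and it covers only the length/credit rule (no difok or dictionary checks); it does not reproduce the behaviour of the pam-0.75-46.7.3 build reported here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; models the documented credit rules only. */
struct credits { int minlen, dcredit, ucredit, lcredit, ocredit; };

/* credit >= 0: each character of the class, up to `credit`, lowers the
 * required length by one. credit < 0: at least -credit characters of the
 * class are required. Returns 0 when a required minimum is missed. */
static int apply_class(int count, int credit, int *needed)
{
    if (credit >= 0) {
        *needed -= (count < credit) ? count : credit;
        return 1;
    }
    return count >= -credit;
}

/* Returns 1 if the password satisfies the length/credit rule, else 0. */
int credit_check(const char *pw, const struct credits *c)
{
    int d = 0, u = 0, l = 0, o = 0;
    int needed = c->minlen;
    size_t len = strlen(pw);

    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)pw[i];
        if (isdigit(ch)) d++;
        else if (isupper(ch)) u++;
        else if (islower(ch)) l++;
        else o++;
    }
    if (!apply_class(d, c->dcredit, &needed) || !apply_class(u, c->ucredit, &needed) ||
        !apply_class(l, c->lcredit, &needed) || !apply_class(o, c->ocredit, &needed))
        return 0;
    return (int)len >= needed;
}

/* The two configurations quoted in the report. */
const struct credits POSITIVE = { 11, 1, 1, 1, 1 };   /* minlen=11, all credits 1 */
const struct credits NEGATIVE = { 8, -1, -1, 0, -1 }; /* minlen=8, lcredit=0, rest -1 */

int main(void)
{
    /* Constructed sample: eleven lower case characters. */
    printf("positive credits: %d\n", credit_check("abcdefghijk", &POSITIVE));
    printf("negative credits: %d\n", credit_check("abcdefghijk", &NEGATIVE));
    return 0;
}
```

With positive credits the eleven lower case characters earn one credit, so the required length drops to 10 and the password is accepted; under the documented negative-credit rule the same password is rejected for lacking a digit.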