Cracklib pluggable password strength-checker

Synopsis

Module Name: pam_cracklib
Author: Cristian Gafton <gafton@redhat.com>
Maintainer: Author.
Management groups provided: password
Cryptographically sensitive:
Security rating:
Clean code base:
System dependencies: Requires the system library /usr/lib/cracklib_dict.
Network aware:

Overview of module

This module can be plugged into the password stack of an application.

This module works in the following manner: it first calls the Cracklib routine to check the strength of the password; if Cracklib accepts the password, the module does an additional set of strength checks. These checks are:

This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters, and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password.

Password component

Recognized arguments:

Description:

The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.

The default action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.

The default action may be modified in a number of ways using the arguments recognized by the module. The character classes the module distinguishes when giving credit are other, upper, lower and digit. Note that Cracklib itself enforces a pair of length limits independently of minlen: a "way too short" limit of 4 which is hard-coded, and a defined limit (6) that is checked without reference to minlen. If you want to allow passwords as short as 5 characters you should either not use this module or recompile the crack library and then recompile this module.

Examples/suggested usage:

For an example of the use of this module, we show how it may be stacked with the password component of pam_pwdb:

    #
    # These lines stack two password type modules. In this example the
    # user is given 3 opportunities to enter a strong password. The
    # "use_authtok" argument ensures that the pam_pwdb module does not
    # prompt for a password, but instead uses the one provided by
    # pam_cracklib.
    #
    passwd password required pam_cracklib.so retry=3
    passwd password required pam_pwdb.so use_authtok

Another example (in the /etc/pam.d/passwd format) is for the case that you want to use md5 password encryption:

    #%PAM-1.0
    #
    # These lines allow an md5 system to support passwords of at least 14
    # bytes with extra credit of 2 for digits and 2 for others; the new
    # password must have at least three bytes that are not present in the
    # old password
    #
    password required pam_cracklib.so \
        difok=3 minlen=15 dcredit=2 ocredit=2
    password required pam_pwdb.so use_authtok nullok md5
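To make the length-credit, difok and Cracklib length-floor rules described above concrete, here is a small model of them applied to the md5 configuration just shown. This is example code written for this page, not pam_cracklib's own C source, and it does not model the Cracklib dictionary lookup. Assumptions that the page does not state are marked in the comments: the per-class credits not given on the command line default to 1, a missing old password skips the difok comparison, and the checks run in the order Cracklib floors, then minlen, then difok. The sample passwords (apart from the page's "quick brown fox" example) are constructed for the demonstration.

```python
# Model of the pam_cracklib length/credit and difok rules as documented on
# this page. Added example, not the module's own code.
# Assumptions (not stated on the page): per-class credits default to 1,
# checks run as cracklib floors -> minlen -> difok, and old=None skips difok.

# Length floors the page attributes to Cracklib itself; both are checked
# without reference to minlen.
CRACKLIB_WAY_TOO_SHORT = 4   # hard-coded in Cracklib
CRACKLIB_DEFINED_LIMIT = 6   # compiled-in limit


def class_counts(pw):
    """Count characters in the four classes pam_cracklib gives credit for."""
    digits = sum(1 for c in pw if c.isdigit())
    uppers = sum(1 for c in pw if c.isupper())
    lowers = sum(1 for c in pw if c.islower())
    others = len(pw) - digits - uppers - lowers
    return digits, uppers, lowers, others


def credited_length(pw, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Raw length plus at most N credit per class; compared against minlen."""
    size = len(pw)
    for count, credit in zip(class_counts(pw),
                             (dcredit, ucredit, lcredit, ocredit)):
        size += min(count, credit)
    return size


def different_enough(old, new, difok):
    """difok rule: at least difok characters of the new password must not
    occur in the old one, or else at least half of the new password must
    consist of such characters."""
    differing = sum(1 for c in new if c not in old)
    return differing >= difok or 2 * differing >= len(new)


def check(new, old=None, *, minlen, difok,
          dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return None if the new password passes, otherwise the failing rule."""
    if len(new) < CRACKLIB_WAY_TOO_SHORT:
        return "way too short"
    if len(new) < CRACKLIB_DEFINED_LIMIT:
        return "below cracklib defined limit"
    if credited_length(new, dcredit, ucredit, lcredit, ocredit) < minlen:
        return "too simple"
    if old is not None and not different_enough(old, new, difok):
        return "too similar"
    return None


# The md5 example from this page: difok=3 minlen=15 dcredit=2 ocredit=2
# (ucredit and lcredit assumed to default to 1).
MD5_OPTS = dict(minlen=15, difok=3, dcredit=2, ocredit=2)


def demo():
    """Run the page's md5 settings over constructed sample passwords."""
    old = "the quick brown fox jumped over the lazy dogs"
    return {
        # single-class password: 14 bytes + 1 lower-case credit = 15 >= minlen,
        # which is what "passwords of at least 14 bytes" in the comment means
        "14 lowercase": check("abcdefghijklmn", **MD5_OPTS),
        "13 lowercase": check("abcdefghijklm", **MD5_OPTS),
        # every character of the new password already occurs in the old one,
        # so the long old password cannot be changed by swapping a word
        "one word swapped": check(old.replace("dogs", "cats"), old, **MD5_OPTS),
        # P, E, 9 and ! are absent from the old password: 4 >= difok
        "genuinely new": check("Pink Elephants 9!", old, **MD5_OPTS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'accepted' if result is None else result}")
```

The "one word swapped" case reproduces the page's warning about long md5-era passwords: with difok=3 the module still rejects the change because the new password shares every character with the old one, and the half-of-the-password escape never triggers. Raising minlen while keeping difok small, as the md5 example does, is what lets users keep most of the old characters.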