Gentoo Forums
BAD PASSWORD safeguard configuration?
Zarhan
l33t

Joined: 27 Feb 2004
Posts: 997

Posted: Thu Nov 04, 2004 11:16 am    Post subject: BAD PASSWORD safeguard configuration?

I've tried to study PAM a bit, but the configuration seems quite complex to me... Anyway, how do I turn *OFF* those checks for password "toughness" or where can I configure them?

I couldn't find anything in /etc/security. Also, in /etc/pam.d the config file meanings are a bit unclear because there are no comments... Anyway, when trying to set password:

Changing password for zarhan
(current) UNIX password:
New UNIX password:
BAD PASSWORD: it is too short
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
BAD PASSWORD: it is based on a dictionary word

Now, where can I set the threshold for how "easy" passwords can be?

Oh, and before you start lecturing about dealing with it because easy passwords are a bad idea, the idea in this particular case is that the computer can only be accessed locally, has no services pointing towards Internet (not even SSH), and the primary goal for password is to keep the children away from important accounts - so the password might damn well be a dictionary word that's easy to remember and no need to write it down or learn even any mnemonics.
SoTired
Apprentice

Joined: 19 May 2004
Posts: 174

Posted: Fri Nov 05, 2004 12:59 am

Hmm, Gentoo doesn't have the best setup for this. Ideally it would be an option in /etc/pam.d/passwd, but it's not.

Anyways, the password checking is done by cracklib. A quick look into the PAM ebuild shows that if you use pwdb it pulls in cracklib too (which it claims it needs, I'll take their word on it) - so anyways,
Code:
echo "sys-libs/pam -pwdb" >> /etc/portage/package.use
emerge pam

ought to fix the problem.

If you still want the pwdb support you could try editing the PAM ebuild, though it does claim that it'll need cracklib for it.
Zarhan
l33t

Joined: 27 Feb 2004
Posts: 997

Posted: Fri Nov 05, 2004 8:51 am

SoTired wrote:

Code:
echo "sys-libs/pam -pwdb" >> /etc/portage/package.use
emerge pam

ought to fix the problem.



It does not, you see, I already have PAM installed sans pwdb.

[ebuild R ] sys-libs/pam-0.77 +berkdb -debug -pwdb (-selinux) 3,551 kB

There are references to /lib/security/cracklib in /etc/pam.d files, might removing those help? I just don't want to break anything, the configuration file format is not all that clear..
Zarhan
l33t

Joined: 27 Feb 2004
Posts: 997

Posted: Fri Nov 05, 2004 2:42 pm

So, ok, I'm trying to edit config files in /etc/pam.d.

File passwd has references to file system-auth, which contains:

Code:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so


Apparently, when "passwd" is executed, it calls PAM which in turn pipes stuff through all these modules...

However, changing "required" from cracklib to "optional" does not help.

If I remove the line with cracklib completely, I get the following:

Code:

bash-2.05b$ passwd
Changing password for zarhan
(current) UNIX password:
passwd: Authentication information cannot be recovered
bash-2.05b$


Cracklib has some options, but I'm not sure which ones effectively disable it. What am I supposed to do?
SoTired
Apprentice

Joined: 19 May 2004
Posts: 174

Posted: Fri Nov 05, 2004 6:43 pm

Try replacing the entire 'password block' with
Code:
password   required     /lib/security/pam_stack.so service=system-auth

or if you want to keep the nullok md5 shadow use_authtok, then
Code:
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_stack.so service=system-auth

ought to work, I think.
Zarhan
l33t

Joined: 27 Feb 2004
Posts: 997

Posted: Fri Nov 05, 2004 8:43 pm

SoTired wrote:
Code:
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_stack.so service=system-auth

ought to work, I think.


Actually, what was wrong was the "use_authtok". So now I have:

Code:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

# Stop whining about bad passwords
#password   required    /lib/security/pam_cracklib.so retry=3
#password   sufficient  /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so


It still checks the limits in login.defs, but that's all.
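The failure in this thread follows from `use_authtok`: it tells pam_unix to take the new password from an earlier module in the password stack instead of prompting, so with the pam_cracklib line removed nothing supplies it. The check below is an added example, not part of any post above; it audits a password stack for that dangling `use_authtok` and for a missing strength check. The function names and the rule that only pam_cracklib, or pam_unix without `use_authtok`, supplies the new password are assumptions of this example.

```python
import os

# Password block of system-auth exactly as posted in the thread.
ORIGINAL = """\
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
"""
# Constructed variants for the two edits described in the thread.
CRACKLIB_REMOVED = "".join(
    l for l in ORIGINAL.splitlines(True) if "pam_cracklib" not in l)
FINAL = CRACKLIB_REMOVED.replace(" use_authtok", "")

NO_TOKEN = "pam_unix use_authtok but no earlier module supplies the new password"
NO_CHECK = "no pam_cracklib strength check in the password stack"


def password_stack(text):
    """Return [(control, module file name, args)] for each 'password' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 3 and fields[0] == "password":
            stack.append((fields[1], os.path.basename(fields[2]), fields[3:]))
    return stack


def audit(text):
    """Report a dangling use_authtok and a missing strength check."""
    findings, token_supplied, strength_check = [], False, False
    for _control, module, args in password_stack(text):
        if module == "pam_cracklib.so":
            strength_check = token_supplied = True  # prompts, then checks
        elif module == "pam_unix.so":
            if "use_authtok" not in args:
                token_supplied = True  # pam_unix prompts by itself
            elif not token_supplied:
                findings.append(NO_TOKEN)
    if not strength_check:
        findings.append(NO_CHECK)
    return findings


if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("cracklib removed", CRACKLIB_REMOVED),
                      ("final", FINAL)]:
        print(name, "->", audit(cfg) or "ok")
```

The control flag (`required`, `optional`, `sufficient`) is parsed but not evaluated, and `pam_stack.so` includes are not followed.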