trying to get RH7.2 to allow dict based passwords


Aside from the security concerns about doing this, which I agree with, I
still need to have this functionality.

Right now, if a user attempts to change a password that is based on a
dictionary word, it complains, and doesn't allow it.

I want to change it to complain, ask again, and allow it.

Original system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

First I changed the PAM module for passwd to use system-auth2 instead of
system-auth, so any changes to system-auth2 will only affect passwd.

If I eliminate the call to pam_cracklib.so and remove use_authtok from
pam_unix.so, I can enter passwords based on dictionary words AND get an exit
status of 0. BUT this doesn't warn the user that the password is based on
a dictionary word.

Next Try:

Changed pam_cracklib.so from required to optional, changed retry=3 to retry=1,
and switched in try_first_pass in place of use_authtok.

Now it warns that the password is based on a dictionary word, asks a second
time, takes it, and updates all files, but the end result gives the following error:

Changing password for
(current) UNIX password:
New password:
BAD PASSWORD: it is based on a dictionary word
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error

The only problem here is that although everything "appears" to have been
updated, passwd exits with a status of 1, not 0, so my script which
runs the passwd routine, thinks the password changing failed, and
proceeds to logoff the user (which is what I want).

What do I need to do to get pam_cracklib.so to warn that the password is
weak, allow pam_unix.so to update the password anyway, and NOT exit
with the error shown above?

Like I said, I understand the security implications here, but....

Thanks in advance.
George

George Gallen
Senior Programmer/Analyst
Accounting/Data Division
ggallen@slackinc.com
ph:856.848.1000 Ext 220

SLACK Incorporated - An innovative information, education and management company
http://www.slackinc.com
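As an added illustration (not code from the original post, and not Linux-PAM's own code), the following Python script models how a PAM "password" stack combines module results under the four classic control flags (required, requisite, sufficient, optional) as they are documented, and runs the two stacks from the post against constructed module outcomes for a dictionary-word password. It deliberately models a single pass through the stack and treats each module's return code as given data; it does not model passwd's two-phase preliminary-check/update run or the real modules. So the "optional" variant comes out as success here, which shows that the documented flag semantics alone do not produce the status 1 the poster observed; whatever produces it lies outside this single-pass model.

```python
"""Single-pass model of Linux-PAM control-flag semantics (added example).

Module outcomes are constructed sample data, not results from real modules.
Control-flag behaviour follows the documented meaning of the classic keywords:
  required  : a failure is remembered (first one wins), but later modules still run
  requisite : a failure returns immediately
  sufficient: success ends the stack with success unless an earlier required
              module already failed; a failure is ignored
  optional  : the result is ignored unless it is the only module in the stack
"""

SUCCESS = "PAM_SUCCESS"
# Reported by passwd as "Authentication token manipulation error"
AUTHTOK_ERR = "PAM_AUTHTOK_ERR"
# What pam_deny returns
PERM_DENIED = "PAM_PERM_DENIED"


def run_stack(stack, results):
    """Return the overall status of one pass through `stack`.

    stack:   list of (control, module) pairs in file order
    results: dict of module -> return code for this run (missing => SUCCESS)
    """
    required_failure = None
    for control, module in stack:
        rc = results.get(module, SUCCESS)
        ok = rc == SUCCESS
        if control == "requisite" and not ok:
            return rc
        if control == "required" and not ok and required_failure is None:
            required_failure = rc
        if control == "sufficient" and ok and required_failure is None:
            return SUCCESS
        if control == "optional" and len(stack) == 1:
            return rc
    return required_failure or SUCCESS


# The password stack from the original system-auth in the post.
ORIGINAL_STACK = [
    ("required", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

# The poster's second attempt: pam_cracklib demoted to optional.
MODIFIED_STACK = [
    ("optional", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

# Constructed outcomes for a dictionary-based password: cracklib rejects it,
# pam_unix (prompting for the token itself) accepts and updates, pam_deny denies.
DICT_WORD_RESULTS = {
    "pam_cracklib.so": AUTHTOK_ERR,
    "pam_unix.so": SUCCESS,
    "pam_deny.so": PERM_DENIED,
}


def original_stack_with_dict_word():
    # required cracklib failure is remembered, so pam_unix's success
    # cannot short-circuit the stack and the first failure is returned
    return run_stack(ORIGINAL_STACK, DICT_WORD_RESULTS)


def modified_stack_with_dict_word():
    # optional cracklib failure is ignored; sufficient pam_unix ends the stack
    return run_stack(MODIFIED_STACK, DICT_WORD_RESULTS)


def original_stack_with_strong_password():
    # cracklib accepts, pam_unix succeeds and ends the stack before pam_deny
    return run_stack(ORIGINAL_STACK, {"pam_deny.so": PERM_DENIED})


if __name__ == "__main__":
    print("original, dictionary word :", original_stack_with_dict_word())
    print("modified, dictionary word :", modified_stack_with_dict_word())
    print("original, strong password :", original_stack_with_strong_password())
```

Run it with any Python 3 interpreter; the three printed lines show that under documented single-pass semantics only the original stack rejects the dictionary word, and that pam_deny at the end never fires when pam_unix succeeds without a prior required failure.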

