1) pam_passwdqc can be found here: http://www.openwall.com/passwdqc/
I downloaded and installed the module - things went cleanly and the module was installed in /lib/security/pam_passwdqc.so
2) I tried modifying /etc/pam.d/system-auth to look like this
(I know there is a warning about file autogeneration, but frankly, the /etc/pam.d/passwd file seems to direct all real action to this file - should I just modify the /etc/pam.d/passwd file instead??)
OLD:
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
NEW:
#password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password required /lib/security/$ISA/pam_passwdqc.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass md5 shadow
password required /lib/security/$ISA/pam_deny.so
Please ignore possible line-wrap on "md5 shadow" lines above.
The above fails with:
[testuser@sloth testuser]$ passwd Changing password for user testuser. passwd: Authentication token manipulation error
Here is my goal. Maybe I can reach it another way entirely:
I'm trying to see if I can't make a Redhat system automatically compliant with a new Army regulation (AR25-2) which provides specific password guidance, including the number of required characters from each character set (lower case, upper-case, numbers, punctuation), password length, etc. The regulation can be found here (see section 4-12: Password control):
XML: http://docs.usapa.belvoir.army.mil/jw2/xmldemo/r25_2/cover.asp PDF: http://www.usapa.army.mil/pdffiles/r25_2.pdf
In a nutshell, the relevant parts are:
>e. Generate passwords as follows —
>
>(1) The minimum requirement is a 10-character case-sensitive password. Passwords or phrases longer than 10 characters are recommended when supported by the IS. Password expiration will be not more than 150 days.
>
>(2) The password will be a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each of the four types of characters (for example, x$TloTBn2!) and can be user generated.
>
>(3) Enforce password policy through implementation or enhancement of native security mechanisms.
>
>(4) Passwords will not include such references as social security numbers (SSNs), birthdays, USERIDs, names, slang, military acronyms, call signs, dictionary words, consecutive or repetitive characters, system identification, or names; neither will they be easy to guess (for example, mypassword, abcde12345).
>
>(5) Password history configurations will prevent reutilization of the last 10 passwords when technically possible.
Any help you can offer would be appreciated.
Finally, would Redhat consider adding this module? I think a few distros have done this. Having an out-of-box AR25-2 compliant system would be pretty great from the Army's point of view!
Thanks! Bill
-- William Brower MIT Lincoln Laboratory Reagan Test Site, Kwajalein, Marshall Islands p: 805.355.1310 f: 805.355.1701
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
