The pam_cracklib Module

The pam_cracklib module provides strength checking of passwords before they are accepted. This module prompts the user for a password and checks its strength against a system dictionary and a set of rules for identifying potentially vulnerable password choices. By default, pam_cracklib prompts for a single password, checks its strength, and then, if it is considered strong, prompts for the password a second time to verify that it was typed correctly the first time.

In addition to the checks to which the cracklib library submits a potential password, the pam_cracklib module also checks that the password is not:

■ A palindrome: Is the new password a palindrome of the old one?

■ A simple case change: Is the new password simply the old one with only a change of case?

■ Too similar: Is the new password too much like the old one? This is primarily controlled by one argument, difok, which defines the minimum number of characters by which the new password must differ from the old; this defaults to 10 characters or 1/2 the size of the new password, whichever is smaller. To avoid the lockup associated with trying to change a long and complicated password, difignore is available. This argument can be used to specify the minimum length that a new password needs to be before the difok value is ignored. The default value for difignore is 23.

■ Too simple: Is the new password too small? This is controlled by five arguments: minlen, dcredit, ucredit, lcredit, and ocredit. (See the description of these arguments later in this section.)

■ Rotated: Is the new password a rotated version of the old password?

■ A password that has already been used: Was the password used once already by this user? Note that Linux stores previously used passwords in the file /etc/security/opasswd.

If all of these checks succeed, the password is passed on to subsequent modules to be installed as the new authentication token.
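The old-versus-new comparisons listed above, modelled in Python as an added example (this is not the module's source, which is C, and it is not code from the book). The difok/difignore logic follows the description on this page; the palindrome test, as in the module's own palindrome() function, looks only at the new password; and the /etc/security/opasswd lookup is replaced by a constructed set of SHA-256 hashes, since the real file's format is not shown here.

```python
"""Model of the pam_cracklib old-versus-new password comparisons (added example)."""
import hashlib

DEFAULT_DIFOK = 10       # module default described in the text above
DEFAULT_DIFIGNORE = 23   # module default described in the text above


def is_palindrome(new: str) -> bool:
    """True if the new password reads the same backwards.
    (The module's own palindrome() test looks only at the new password.)"""
    return len(new) > 0 and new == new[::-1]


def is_case_change_only(old: str, new: str) -> bool:
    """True if the new password is the old one with nothing but case changed."""
    return old.lower() == new.lower()


def is_rotated(old: str, new: str) -> bool:
    """True if the new password is a rotation of the old one (same length)."""
    return len(old) == len(new) > 0 and new in (old + old)


def is_too_similar(old: str, new: str, difok: int = DEFAULT_DIFOK,
                   difignore: int = DEFAULT_DIFIGNORE) -> bool:
    """Model of the difok rule as documented above: the new password must
    contain at least difok characters absent from the old one, but it is
    accepted anyway if at least half its characters are new, and the test is
    skipped entirely once the new password is difignore characters or longer."""
    if len(new) >= difignore:
        return False
    differing = sum(1 for c in new if c not in old)
    if differing >= difok:
        return False
    if 2 * differing >= len(new):
        return False
    return True


def history_entry(password: str) -> str:
    """Constructed stand-in for an opasswd record: a SHA-256 hex digest.
    (The real file holds hashed entries in its own format, not shown here.)"""
    return hashlib.sha256(password.encode()).hexdigest()


def was_used_before(new: str, history_hashes) -> bool:
    """True if the new password's digest appears in the constructed history set."""
    return history_entry(new) in history_hashes


def check_against_old(old: str, new: str, history_hashes=frozenset(),
                      difok: int = DEFAULT_DIFOK,
                      difignore: int = DEFAULT_DIFIGNORE) -> list:
    """Return the reasons the new password would be rejected (empty list if none)."""
    reasons = []
    if is_palindrome(new):
        reasons.append("is a palindrome")
    if is_case_change_only(old, new):
        reasons.append("is the old password with only a case change")
    if is_rotated(old, new):
        reasons.append("is rotated")
    if is_too_similar(old, new, difok, difignore):
        reasons.append("is too similar to the old one")
    if was_used_before(new, history_hashes):
        reasons.append("has been already used")
    return reasons


if __name__ == "__main__":
    # Constructed sample history: one previously used password, stored hashed.
    history = {history_entry("Winter2022!")}
    for old, new in [("Summer2023!", "SUMMER2023!"),
                     ("abc123", "123abc"),
                     ("qwerty", "racecar"),
                     ("Summer2023!", "Winter2022!"),
                     ("Summer2023!", "correct-horse-battery")]:
        verdict = check_against_old(old, new, history) or ["accepted"]
        print(f"{old!r} -> {new!r}: {', '.join(verdict)}")
```

Running it shows why a change such as "Summer2023!" to "SUMMER2023!" is caught twice (case change and too similar), while a 26-character reversal of the old password sails through the similarity test only because it exceeds difignore.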

A typical pam_cracklib entry in the /etc/pam.d/system-auth file has the following syntax:

password control_flag pam_cracklib.so arguments

The arguments to be passed to the pam_cracklib module can be one or more of the following:

■ debug: This argument makes the pam_cracklib module write debug information to syslog. Note that even with this option set, pam_cracklib does not write password information to the log file.

■ type=XXX: This argument replaces the word UNIX with the value defined for XXX in the following prompts: "New UNIX password:" and "Retype UNIX password:".

■ retry=N: This argument is the number of times that this module will request a new password (for strength checking) from the user. The default is 1. If after N times the user does not enter a password that passes the strength test, the module terminates. Use this argument to raise that limit above the default.

■ difok=N: This argument changes the default of 10 for the number of characters in the new password that must not be present in the old password. In addition, if half of the characters in the new password are different, then the new password will be accepted anyway.

■ minlen=N: This argument sets the minimum acceptable size for the new password plus one. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower, and digit). The default for this parameter is 9, which is good for an old-style Unix password where all characters are of the same type. But a default of 9 may be too low to exploit the added security of an MD5 system. Note that there is a pair of length limits in the cracklib library itself: a "way-too-short" limit of 4, which is hard-coded, and a defined limit (6) that is checked without reference to minlen. If you want to allow passwords as short as five characters, either don't use this module or recompile the cracklib library and then recompile this module.

■ dcredit=N: This argument is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit counts +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for a minlen value of less than 10.

■ ucredit=N: This argument is the maximum credit for having uppercase letters in the new password. If you have N or fewer uppercase letters, each letter counts +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for a minlen value of less than 10.

■ lcredit=N: This argument is the maximum credit for having lowercase letters in the new password. If you have N or fewer lowercase letters, each letter counts +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for a minlen value of less than 10.

■ ocredit=N: This argument is the maximum credit for having non-alphanumeric characters in the new password. If you have N or fewer other characters, each character counts +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for a minlen value of less than 10.

■ use_authtok: This argument forces the pam_cracklib module not to prompt the user for a new password but to use the one provided by the previously stacked password module.

Let's see some examples of entries in the file /etc/pam.d/system-auth that illustrate the use of the pam_cracklib module. The following line takes all the defaults for pam_cracklib, but allows the user three attempts at providing a strong password:

password required pam_cracklib.so retry=3

The next example defines passwords to include at least 14 bytes, with extra credit of two bytes for digits and two bytes for others. The new password must include at least three bytes that are not present in the old password:

password required pam_cracklib.so minlen=15 dcredit=2 ocredit=2 difok=3
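To see what the minlen and credit arguments actually accept, here is an added Python model (not the module's C source, and not code from the book) that parses a system-auth line like the two above and applies the length test described earlier: each character class contributes min(count, Ncredit) on top of the raw length, the result is compared with minlen (default 9), and cracklib's own fixed limit of 6 is applied first regardless of minlen. The sample passwords are constructed for the example; negative credit values, which the module treats differently, are outside this model.

```python
"""Model of pam_cracklib's minlen/credit length test, driven by a pam.d line (added example)."""

MODULE = "pam_cracklib.so"
CRACKLIB_FIXED_MIN = 6   # cracklib's own limit, checked without reference to minlen


def parse_cracklib_args(line: str) -> dict:
    """Turn 'password control_flag pam_cracklib.so arg=N ...' into a dict of arguments.
    Flags without '=' (debug, use_authtok) map to True; numeric values become ints."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "password" or not fields[2].endswith(MODULE):
        raise ValueError(f"not a pam_cracklib password line: {line!r}")
    args = {}
    for token in fields[3:]:
        if "=" in token:
            key, value = token.split("=", 1)
            args[key] = int(value) if value.lstrip("-").isdigit() else value
        else:
            args[token] = True
    return args


def character_classes(password: str) -> dict:
    """Count characters per class: digit, upper, lower, other."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def effective_length(password: str, args: dict) -> int:
    """Raw length plus credits: each class adds min(count, Ncredit); every credit defaults to 1.
    Negative credit values (a different semantics in the module) are not modelled here."""
    caps = {"digit": args.get("dcredit", 1), "upper": args.get("ucredit", 1),
            "lower": args.get("lcredit", 1), "other": args.get("ocredit", 1)}
    counts = character_classes(password)
    credit = sum(min(counts[cls], caps[cls]) for cls in counts)
    return len(password) + credit


def is_long_enough(password: str, args: dict) -> bool:
    """Apply cracklib's fixed minimum first, then the credited length against minlen (default 9)."""
    if len(password) < CRACKLIB_FIXED_MIN:
        return False
    return effective_length(password, args) >= args.get("minlen", 9)


if __name__ == "__main__":
    policies = {
        "defaults": "password required pam_cracklib.so retry=3",
        "strict": "password required pam_cracklib.so minlen=15 dcredit=2 ocredit=2 difok=3",
    }
    # Constructed sample passwords, chosen to exercise each rule.
    samples = ["password", "passwd", "Pa$1!", "Tr0ub4dor&3"]
    for name, line in policies.items():
        args = parse_cracklib_args(line)
        for pw in samples:
            print(f"{name:8} {pw!r:16} effective={effective_length(pw, args):2} "
                  f"{'ok' if is_long_enough(pw, args) else 'too short'}")
```

Two results are worth noticing: under the stricter line, the 11-character "Tr0ub4dor&3" reaches an effective length of 16 and passes even though the prose speaks of 14 bytes, because three digits and one symbol earn five credits; and "Pa$1!" reaches the default minlen of 9 on credits alone yet is still rejected by cracklib's fixed limit of 6.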
