using pam_pwcheck and pam_cracklib at the same time
This document (7004596) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 10 Service Pack 2
Situation
You need to setup a password policy that covers the following
functions:
- check password against dictionary
- password requires to have special characters (uppercase/lowercase, numbers or special characters)
- remember some of the last passwords
- minimal password length
No single pam module can handle all of this tasks altogether. When you try to combine pam_cracklib with pam_pwcheck you run into several errors like:
- you get error that the password is already used even if it is a brand new password
- you prior get asked about the new password before you will be asked for the old password
- the localisation does not work properly
- when you mistyped the password the first time you will be prompted to enter the password again but later neverttheless the password change fails
- check password against dictionary
- password requires to have special characters (uppercase/lowercase, numbers or special characters)
- remember some of the last passwords
- minimal password length
No single pam module can handle all of this tasks altogether. When you try to combine pam_cracklib with pam_pwcheck you run into several errors like:
- you get error that the password is already used even if it is a brand new password
- you prior get asked about the new password before you will be asked for the old password
- the localisation does not work properly
- when you mistyped the password the first time you will be prompted to enter the password again but later neverttheless the password change fails
Resolution
To solve the issue you need to know:
- pam_cracklib uses /etc/security/opasswd only to read previous used password, it will not update this file
- pam_cracklib asks for the new password first and later for the old password
- pam_pwcheck will only use and update /etc/security/opasswd if the remember option is given
So to have pam_pwcheck working together with pam_cracklib create following pam chain in /etc/pam.d/common-password
- pam_cracklib uses /etc/security/opasswd only to read previous used password, it will not update this file
- pam_cracklib asks for the new password first and later for the old password
- pam_pwcheck will only use and update /etc/security/opasswd if the remember option is given
So to have pam_pwcheck working together with pam_cracklib create following pam chain in /etc/pam.d/common-password
password required pam_pwcheck.so password required pam_cracklib.so use_authtok difok=3 retry=10 minlen=8 lcredit=0 ucredit=0 dcredit=-1 ocredit=-1 password required pam_pwcheck.so remember=5 use_authtok use_first_pass password required pam_unix2.so nullok use_authtok use_first_passAdapt the options to pam_cracklib and the remember= option from pam_pwcheck as you need. Do not remove the use_authok or use_first_pass options. More informations on the options for pam_cracklib can be found in the man-page (man pam_cracklib)
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7004596
- Creation Date: 05-Oct-2009
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
