A PAM module for checking password strength. It's often installed by default; for example on a RedHat box here /etc/pam.d/system-auth has
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
The retry parameter sets how many chances you get to supply an acceptable password, and setting type to blank prevents it from being annoyingly repetitive with the word UNIX. Without that set to blank, you'd get:
(current) UNIX password: New UNIX password:
(current) UNIX password: New password:
You could also set it to another string:
(current) UNIX password: New (make_it_hard!)) password:
though I doubt that would help much. If you do want users to choose harder passwords, there are other arguments that will force that. One of the most obvious is password length, which gets complicated by "credits" for using digits, mixing upper and lower case, and using "other" characters like punctuation.
If you add "debug" to the arguments, password changes (and failures to change) will be logged to /var/log/messages:
Mar 19 09:13:22 redhat passwd(pam_unix): authentication failure; logname=johnm uid=502 euid=0 tty= ruser= rhost= user=johnm Mar 19 09:14:31 redhat PAM-Cracklib: new passwd fails strength check: is too similar to the old one Mar 19 09:15:02 redhat passwd(pam_unix): password changed for johnm Mar 19 09:15:19 redhat PAM-Cracklib: new passwd fails strength check: is rotated Mar 19 09:15:51 redhat PAM-Cracklib: Password mistyped Mar 19 09:22:23 redhat passwd(pam_unix): password changed for johnm
Documentation for this and other modules is often not in man pages, but you'll probably find it in /usr/share/doc/pam-0.75/txts/ and it's online at https://www.kernel.org/pub/linux/libs/pam/, and you also should have html docs in /usr/share/doc/pam-0.75/html.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2009-11-07 Tony Lawrence
Simplicity is a great virtue but it requires hard work to achieve it and education to appreciate it. And to make matters worse: complexity sells better. ((Edsger W. Dijkstra)