Recipe 4.2 Enforcing Password Strength with PAM

4.2.1 Problem

You want your users to employ strong passwords.

4.2.2 Solution

Use the CrackLib [Recipe 9.2] module of PAM, pam_cracklib, to test and enforce password strength requirements automatically. In some Linux distributions such as Red Hat 8.0, this feature is enabled by default. passwd and other PAM-mediated programs will complain if a new password is too short, too simple, too closely related to the previous password, etc.

You can adjust password strength and other variables by editing the parameters to the pam_cracklib module in /etc/pam.d/system-auth. For example, to increase the number of consecutive times a user can enter an incorrect password, change the retry parameter from its default of 3:

password    required      /lib/security/   retry=3

4.2.3 Discussion

PAM allows recursion via the pam_stack module; that is, one PAM module can invoke another. If you examine the contents of /etc/pam.d, you will find quite a number of modules that recursively depend on system-auth, for example. This lets you define a single, systemwide authentication policy that propagates to other services.

Red Hat 8.0 has a sysadmin utility, authconfig, with a simple GUI for setting system authentication methods and policies: how authentication is performed (local passwords, Kerberos, LDAP), whether caching is done, etc. authconfig does its work by writing /etc/pam.d/system-auth. Unfortunately, it does not preserve any customizations you might make to this file. So, if you make custom edits as described above, beware using authconfig: it will erase them!
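Because other services reach pam_cracklib only through pam_stack's recursion into system-auth, a quick way to audit the policy in force is to resolve that recursion and read the pam_cracklib parameters off the effective password stack. The following is an added example (not from the book): it works on a constructed, in-memory stand-in for /etc/pam.d rather than the real directory, and the module paths and parameter values in it are sample data.

```python
"""Resolve the effective PAM 'password' stack for a service, following
pam_stack recursion, and report the pam_cracklib parameters in force.
Added example, not from the book; PAM_D below is a constructed stand-in
for /etc/pam.d (service name -> file contents)."""
import re

PAM_D = {
    "system-auth": """
password    required      /lib/security/pam_cracklib.so retry=3 minlen=8 difok=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
""",
    "passwd": """
auth        required      /lib/security/pam_stack.so service=system-auth
account     required      /lib/security/pam_stack.so service=system-auth
password    required      /lib/security/pam_stack.so service=system-auth
""",
}

def password_stack(service, seen=None):
    """Return (control, module, args) entries of type 'password' for
    `service`, expanding pam_stack.so service=... lines recursively."""
    if seen is None:
        seen = set()
    if service in seen:                     # guard against a pam_stack loop
        raise ValueError(f"pam_stack loop via {service}")
    seen.add(service)
    entries = []
    for line in PAM_D.get(service, "").splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 3 or parts[0] != "password":
            continue
        control, module, args = parts[1], parts[2], parts[3:]
        if module.endswith("pam_stack.so"):
            m = re.search(r"service=(\S+)", " ".join(args))
            if m:
                entries.extend(password_stack(m.group(1), seen))
            continue
        entries.append((control, module.rsplit("/", 1)[-1], args))
    return entries

def cracklib_params(service):
    """pam_cracklib parameters (e.g. retry, minlen) reached by `service`,
    or None if no pam_cracklib line is reached: strength is not enforced."""
    for _control, module, args in password_stack(service):
        if module == "pam_cracklib.so":
            return {k: v for k, _, v in (a.partition("=") for a in args)}
    return None

if __name__ == "__main__":
    print(cracklib_params("passwd"))  # {'retry': '3', 'minlen': '8', 'difok': '3'}
```

Point PAM_D at the real files (one entry per name under /etc/pam.d) to audit a live system; a service that yields None never reaches the cracklib check.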

4.2.4 See Also

pam(8), authconfig(8), pam_stack(8). See /usr/share/doc/pam-*/txts/README.pam_cracklib for a list of parameters to tweak.
