Hello,
I am trying to use PAM to enforce password quality and have run into a strange issue... so I have a couple of questions...
Okay, I am wanting to enforce password quality for all users all of the time. With that, I have started out modifying /etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/sshd, and /etc/pam.d/system. I added the following configuration line to each file...
Bash:
password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone
I then create a user using the following commands in a .sh script like this...
Bash:
yesterday=$(date -v -'1d' +'%d-%b-%y')
echo welcome1 | pw useradd -n support -c "Support User" -G wheel -s /bin/sh -m -h 0 -p ${yesterday}
I set it up like this so that the 1st time the user logs in, the system should force a password change using the rules that are set up in PAM... Well that is what I thought would happen... but it does not quite work as I thought...
When the user logs in, I get...
Bash:
login: support
Password: (I enter welcome1)
I immediately get
Bash:
New Password:
I am not quite sure why, so I enter my new password...
Bash:
New Password: (I enter 1234AbCd!)
And then I get...
Bash:
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits and other characters. You can use a 2147483647 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes. Characters that form a common pattern are discarded by
the check.
Enter new password:
So, this brings me to my questions...
- Why am I being asked this again since I just entered a new password? This is odd to me... I have not found a solution for this and thought I would ask here...
- 2147483647 character long password... really? I disabled all the checks except for N4... why would I get this?