Enforcing password quality with PAM

Hello,

I am trying to use PAM to enforce password quality and run into a strange issue... so I have a couple questions...

Okay, I am wanting to enforce password quality for all users all of the time. With that, I have started out modifying /etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/sshd, and /etc/pam.d/system. I added the following configuration line to each file...

Bash:
password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone

I then create a user using the following commands in a .sh script like this...

Bash:
yesterday=$(date -v -'1d' +'%d-%b-%y')   # FreeBSD date(1): yesterday, in the dd-Mon-yy form that pw(8) -p accepts
echo welcome1 | pw useradd -n support -c "Support User" -G wheel -s /bin/sh -m -h 0 -p ${yesterday}   # -h 0: initial password from stdin; -p: password expiry date, already in the past

I set it up like this so that the 1st time the user logs in, the system should force a password change using the rules that are set up in PAM... Well that is what I thought would happen... but it does not quite work as I thought...

When the user logs in, I get...

Bash:
login: support
Password: (I enter welcome1)

I immediately get

Bash:
New Password:

I am not quite sure why, so I enter my new password...

Bash:
New Password: (I enter 1234AbCd!)

And then I get...

Bash:
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use a 2147483647 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.
Enter new password:

So, this brings me to my questions...
  1. Why am I being asked this again since I just entered a new password? This is odd to me... I have not found a solution for this and thought I would ask here...
  2. 2147483647 character long password... really? I disabled all the checks except for N4... why would I get this?
Thanks,
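Added example, not from the thread and not pam_passwdqc's own code: a small Python model of how the `min=N0,N1,N2,N3,N4` option on the line above is interpreted, with `disabled` mapped to INT_MAX (the 2147483647 that shows up in the prompt), and a simplified version of the class-counting rule (the discount of a leading upper-case letter and a trailing digit is taken from the passwdqc documentation's "common pattern" rule; the N2 passphrase check, the similarity check and the dictionary checks are deliberately not modeled). Everything else, including the sample passwords, is constructed here.

```python
"""Model of pam_passwdqc's min= option (added example; not the module's code)."""
from typing import List, Tuple

INT_MAX = 2**31 - 1  # 2147483647: what a "disabled" minimum becomes internally

# Constructed: the pam_passwdqc line from the post, as data.
PAM_LINE = ("password requisite pam_passwdqc.so "
            "min=disabled,disabled,disabled,disabled,8 max=40 similar=deny "
            "retry=3 random=0 ask_oldauthtok enforce=everyone")


def parse_option(pam_line: str, name: str) -> str:
    """Return the value of name=value on a pam.d module line."""
    for tok in pam_line.split():
        if tok.startswith(name + "="):
            return tok[len(name) + 1:]
    raise ValueError(f"option {name}= not found")


def parse_min(pam_line: str) -> List[int]:
    """min=N0,N1,N2,N3,N4; 'disabled' means that class count is never acceptable."""
    fields = parse_option(pam_line, "min").split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five values: N0,N1,N2,N3,N4")
    return [INT_MAX if f == "disabled" else int(f) for f in fields]


def count_classes(password: str) -> int:
    """Count character classes (digits, lower, upper, other) the way passwdqc does.

    Assumption (from the passwdqc docs): an upper-case first character and a
    digit last character are "common patterns" and do not count toward classes.
    """
    digits = lowers = uppers = others = 0
    for ch in password:
        if ch.isdigit():
            digits += 1
        elif ch.islower():
            lowers += 1
        elif ch.isupper():
            uppers += 1
        else:
            others += 1
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def check_password(password: str, mins: List[int], max_len: int = 40) -> Tuple[bool, str]:
    """Accept or reject a candidate against the parsed min= values (simplified policy)."""
    if not password:
        return False, "empty password"
    if len(password) > max_len:
        return False, f"longer than max={max_len}"
    classes = count_classes(password)
    if classes == 0:
        return False, "no counted character classes"
    # N0: one class, N1: two classes, N3: three classes, N4: all four (N2 = passphrases, not modeled)
    required = mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if required == INT_MAX:
        return False, f"{classes}-class passwords are disabled by min="
    if len(password) < required:
        return False, f"{classes}-class password needs at least {required} characters"
    return True, "ok"


if __name__ == "__main__":
    mins = parse_min(PAM_LINE)
    print("min= parsed as", mins)  # the INT_MAX entries are what the prompt prints as 2147483647
    for candidate in ("welcome1", "Welcome1!", "1234AbCd!"):
        print(candidate, check_password(candidate, mins))
```

With the post's setting only four-class passwords of at least 8 characters can pass; a three-class candidate such as `Welcome1!` is rejected because N3 is disabled, which is exactly the case the prompt describes with the 2147483647 figure. Giving N3 a real number (for instance `min=disabled,disabled,disabled,12,8`) is how three-class passwords become acceptable at a longer length.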
 
The line "digits and other characters. You can use a 2147483647 character long" is a bug. You should log this.

It's caused by not having a NUMBER in min position N3 that's valid.

When it encounters the word "disabled" it just converts to this (MAX_INT).

The module pam_passwdqc.c is checking for "disabled" and putting this insane value in. I guess the question is what is the "default" character length of a password that PAM would like to see and can be used as a default instead of 2147483647? That's a question for the developers.

Order is important with /etc/pam.d/passwd. Ensure your rule above is before the pam_unix.so
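Added example, not from the thread: a Python check for the ordering point made in the reply. It parses the `password` stack of a pam.d file (FreeBSD layout: type, control, module, arguments; comments stripped), follows `include` lines when given the included files' contents, and reports whether `pam_passwdqc.so` comes before `pam_unix.so`. The two sample files are constructed here to show the wrong and the corrected order; the audit helper at the bottom is for running the same check against real files on a host.

```python
"""Check that pam_passwdqc.so precedes pam_unix.so in a pam.d password stack (added example)."""
import os
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: the passwdqc line appended after pam_unix.so (the order the reply warns about).
WRONG_ORDER = """\
# PAM configuration for the "passwd" service
# password
password  required   pam_unix.so  no_warn try_first_pass nullok
password  requisite  pam_passwdqc.so  min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone
"""

# Constructed sample: the corrected order, passwdqc first.
RIGHT_ORDER = """\
# PAM configuration for the "passwd" service
# password
password  requisite  pam_passwdqc.so  min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone
password  required   pam_unix.so  no_warn try_first_pass nullok
"""


def password_stack(text: str, includes: Optional[Dict[str, str]] = None,
                   _depth: int = 0) -> List[Tuple[str, str, str]]:
    """Active 'password' entries as (control, module basename, args), in effective order.

    'password include <service>' is expanded from the includes mapping when present;
    an unresolved include is kept as an entry so the caller can see it.
    """
    if _depth > 8:  # guard against include loops
        raise ValueError("include nesting too deep")
    stack: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != "password":
            continue
        control, module = parts[1], os.path.basename(parts[2])
        args = parts[3] if len(parts) > 3 else ""
        if control == "include" and includes and module in includes:
            stack.extend(password_stack(includes[module], includes, _depth + 1))
            continue
        stack.append((control, module, args))
    return stack


def passwdqc_before_unix(text: str, includes: Optional[Dict[str, str]] = None) -> bool:
    """True only if both modules are present and passwdqc runs first."""
    mods = [m for _, m, _ in password_stack(text, includes)]
    if "pam_passwdqc.so" not in mods or "pam_unix.so" not in mods:
        return False
    return mods.index("pam_passwdqc.so") < mods.index("pam_unix.so")


def audit(paths: List[str]) -> Dict[str, bool]:
    """Read real pam.d files and return {path: order_ok}; sibling files resolve includes."""
    texts = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            texts[os.path.basename(p)] = fh.read()
    return {p: passwdqc_before_unix(texts[os.path.basename(p)], texts) for p in paths}


if __name__ == "__main__":
    files = sys.argv[1:] or []
    if files:
        for path, ok in audit(files).items():
            print(f"{path}: {'ok' if ok else 'passwdqc is NOT before pam_unix'}")
    else:
        print("wrong order ->", passwdqc_before_unix(WRONG_ORDER))
        print("right order ->", passwdqc_before_unix(RIGHT_ORDER))
```

Run it as `python3 check_pam_order.py /etc/pam.d/passwd /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/system` on the host; because the files are loaded together, a `password include system` line in login or sshd is resolved against the system file rather than reported as missing pam_unix.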

 
Order is important with /etc/pam.d/passwd. Ensure your rule above is before the pam_unix.so

I was able to modify /etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/sshd, and /etc/pam.d/system as you suggested and put the extra configuration line in the correct order. Now, when the support user logs in, the system asks the user for a password change using the newly specified rules... This is good...