Solved expired password change not using pam_passwdqc

On my 11.0-RELEASE-p15 system, I've enabled pam_passwdqc.so in /etc/pam.d/passwd. (I just uncommented the line, no other settings were changed.) I then created a "testuser" user, and gave it a sufficiently complex password. Logging in as that user and trying to change my password using the passwd command to "12345qaz" yields the following (expected) results:

Code:
Weak password: not enough different characters or classes for this length.
Try again.
I then expired the password with pw usermod -n testuser -p +0.
When I then logged into the "testuser" account, it asked for a new password, as it should. But it accepted any password at all (including null!) as a valid new password. (And I wasn't allowed to then change the empty password because passwd wouldn't accept the empty password as the old password.)

I'm assuming I have to make some other change within the PAM configuration files, but I can't figure out what. Any thoughts would be appreciated.
 
On my 11.0-RELEASE-p15 system
It may or may not be related to your issue but FreeBSD 11.0-RELEASE has been End-of-Life since November 2017 and is not supported any more. Please update to 11.1-RELEASE as soon as possible.

Topics about unsupported FreeBSD versions
https://www.freebsd.org/security/unsupported.html

I'm assuming I have to make some other change within the PAM configuration files, but I can't figure out what.
Have you looked at pam_passwdqc(8)?
 
Absolutely. Multiple times. And the module is working as desired for the passwd command. But it's not working (or not being used) when the password is being changed during login due to an expired password.
 
You also need to add it for various other services, like login, sshd and system for example. As you only enabled it on passwd, it only works for passwd(1).
 
That helped, and I have it working now, but not quite the way I expected it to. Here are some new observations:

1) I copied the "pam_passwdqc" line from /etc/pam.d/passwd to /etc/pam.d/system. Since there is an "include" line in /etc/pam.d/login for "system", I expected that to be enough. It wasn't. I had to put the "pam_passwdqc" entry into the /etc/pam.d/login file itself. Not quite sure why that was necessary.

2) I have to use the "enforce=everyone" setting for the pam_passwdqc module in both the /etc/pam.d/login and /etc/pam.d/sshd files. If I leave the setting at "enforce=users", I'm allowed to set a non-conforming password during login, although I do get a warning about weak passwords. I'm assuming this is because both login scenarios are running as "root" when the password is being changed, but it seems counter-intuitive.

Every website I looked at explaining the use of pam_passwdqc(8) mentioned changing the setting in /etc/pam.d/passwd. None of them explained about the need for changes in the other configuration files. And since the commented-out line was found in /etc/pam.d/passwd and not found in any other PAM configuration file, it led me to believe that uncommenting one line was the only change needed to fully enable password complexity. There is no mention regarding this in the module's man-page. Likewise, I couldn't find any information in the FreeBSD Handbook about password complexity, password expiration, and the proper use of pam_passwdqc(8). I would have expected something mentioned somewhere in Chapter 13. Security.

I really appreciate your help, and hopefully others will find this thread if they discover the same behavior.
 
Addendum: Tried again with #1 above and it worked as expected. I don't know what I did wrong the first time. I only had to add the pam_passwdqc entry to /etc/pam.d/system to get complexity checking during expired password changes.
 
I am facing exactly the same problem. Your #1 does not work specifically for SSH login. I resolved it by copying the "pam_passwdqc" line from /etc/pam.d/passwd to /etc/pam.d/sshd and used "enforce=everyone". For SSH login, it works without pam_passwdqc line in /etc/pam.d/system at all. My only problem is why "enforce=users" is not working for SSH login when even root is set not allowed to login through SSH. Why passwdqc requires setting "enforce=everyone" then?
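The thread's lesson is that each PAM service (passwd, login, sshd, system) has its own "password" stack, and an expired-password change at login never touches /etc/pam.d/passwd. The audit script below is an added example, not code from any poster or from FreeBSD: it builds a small constructed pam.d tree mirroring the situation described above, resolves "include" lines the way /etc/pam.d/login pulls in "system", and reports per service whether pam_passwdqc is present and whether an explicit enforce=users or enforce=none weakens it (pam_passwdqc defaults to enforce=everyone when the option is absent). It goes a little beyond the thread by handling nested includes and the none setting.

```shell
# Constructed sample tree; to audit a real system, copy /etc/pam.d into
# PAMDIR and skip make_sample_tree (never point this at the live files).
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT

# passwdqc enabled in passwd only; system/login untouched; sshd given its own line.
make_sample_tree() {
    printf '%s\n' \
        'password requisite pam_passwdqc.so enforce=users' \
        'password required pam_unix.so no_warn try_first_pass nullok' > "$PAMDIR/passwd"
    printf '%s\n' \
        'auth required pam_unix.so no_warn try_first_pass nullok' \
        'password required pam_unix.so no_warn try_first_pass' > "$PAMDIR/system"
    printf '%s\n' \
        'password include system' > "$PAMDIR/login"
    printf '%s\n' \
        'password requisite pam_passwdqc.so enforce=everyone' \
        'password include system' > "$PAMDIR/sshd"
}

# Print the effective password-phase entries of service $1, recursing into
# included services; comment lines and other phases (auth, account, ...) are ignored.
password_stack() {
    grep -E '^[[:space:]]*password[[:space:]]' "$PAMDIR/$1" 2>/dev/null |
    while read -r _phase control module rest; do
        case "$control" in
            include|substack) password_stack "$module" ;;
            *) printf '%s %s %s\n' "$control" "$module" "$rest" ;;
        esac
    done
}

# Classify service $1: enforced, users-only, warn-only, or missing.
passwdqc_status() {
    stack=$(password_stack "$1")
    case "$stack" in
        *pam_passwdqc.so*enforce=users*) echo users-only ;;
        *pam_passwdqc.so*enforce=none*)  echo warn-only ;;
        *pam_passwdqc.so*)               echo enforced ;;
        *)                               echo missing ;;
    esac
}

make_sample_tree
for svc in passwd system login sshd; do
    printf '%-8s %s\n' "$svc" "$(passwdqc_status "$svc")"
done
```

A "missing" result for login or system is exactly the gap the original poster hit: the expired-password prompt ran through a stack with no complexity module at all.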
 