OpenPAM and cracklib

Hello guys,

My team and I had a nice idea to improve Linux-PAM's pam_cracklib with a new algorithm for similarity. However, we are due to decide whether we will stick to Linux-PAM or go to BSD's OpenPAM.

We are especially interested in the way a password is checked for similarity with the previous one when a user issues a passwd.

Any thoughts?

How is this accomplished with OpenPAM, as apparently there is no pam_cracklib.so module?

Best,
Roberto
 
I think you're looking for pam_passwdqc(9).

It looks like it already has the functionality you're looking for:
Code:
     similar=permit|deny
             (similar=deny) Whether a new password is allowed to be similar to
             the old one.  The passwords are considered to be similar when
             there is a sufficiently long common substring and the new pass-
             word with the substring removed would be weak.
 
Just out of curiosity: how does the PAM module determine what the substring of the previous password was? If I remember correctly the passwords aren't typically stored in plain-text. One would thus either have to reverse the hashing, or store a plain-text copy. Or does it just compare to the latest one, which the user has entered?
 
Comparison

Thank you guys!

mix_room said:
Just out of curiosity: how does the PAM module determine what the substring of the previous password was? If I remember correctly the passwords aren't typically stored in plain-text. One would thus either have to reverse the hashing, or store a plain-text copy. Or does it just compare to the latest one, which the user has entered?

When you change your password you are required to type the current AND the new password, so it is easy to make the comparison. Of course, storing the old password in plain-text form would be a major security issue.

Best,
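
The comparison discussed in this thread, as an added example (not part of the original posts and not pam_passwdqc's own code): during a password change both the old and the new password are in memory in plain text, so a module can find their longest shared substring and judge what is left of the new password without it. The two thresholds and the distinct-character weakness test are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MIN_COMMON   4  /* assumed: shortest shared run that counts as similar */
#define MIN_DISTINCT 8  /* assumed stand-in for "weak": too few distinct chars */

/* Longest common substring of a and b; *pos_b gets its start offset in b. */
static size_t longest_common(const char *a, const char *b, size_t *pos_b)
{
    size_t la = strlen(a), lb = strlen(b), best = 0;
    for (size_t i = 0; i < la; i++)
        for (size_t j = 0; j < lb; j++) {
            size_t k = 0;
            while (i + k < la && j + k < lb && a[i + k] == b[j + k])
                k++;
            if (k > best) { best = k; *pos_b = j; }
        }
    return best;
}

/* Is s weak once the bytes [skip_at, skip_at + skip_len) are removed? */
static int weak_without(const char *s, size_t skip_at, size_t skip_len)
{
    unsigned char seen[256] = {0};
    size_t distinct = 0;
    for (size_t i = 0; s[i]; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i >= skip_at && i < skip_at + skip_len)
            continue;                      /* inside the shared substring */
        if (!seen[c]) { seen[c] = 1; distinct++; }
    }
    return distinct < MIN_DISTINCT;
}

/* Returns 1 if newpw should be rejected as similar to oldpw, else 0. */
int too_similar(const char *oldpw, const char *newpw)
{
    size_t pos = 0;
    size_t common = longest_common(oldpw, newpw, &pos);
    if (common < MIN_COMMON)
        return 0;                          /* nothing substantial is shared */
    return weak_without(newpw, pos, common);
}

int main(void)
{
    /* Constructed sample passwords. */
    printf("%d\n", too_similar("Summer2023!", "Summer2024!"));
    printf("%d\n", too_similar("Summer2023!", "Summer-horse-battery-staple"));
    return 0;
}
```

The old password is only ever compared from the value the user just typed; nothing here needs a stored plain-text copy.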
 