pam_passwdqc.so bug?

Hello,

/etc/pam.d/passwd
Code:
password        requisite       pam_passwdqc.so         min=7,6,disabled,5,4 enforce=users


Why does the system report that this configuration is wrong? I can't see where there is an error.

Also, the manual says 0 means to disable the passphrase, but why does the system prompt an error when I use 0?
 
Check pam.conf(5)?

I don't see any mention in there that you can use options such as min. Leading up to: where does min come from?

(edit) Gotcha: pam_passwdqc(8). So what error do you get? And how are you using this setup? What else did you define in /etc/pam.d/passwd?

My assumption is that you misconfigured something else which is related to all this.
 
Code:
password        requisite       pam_passwdqc.so         min=7,6,disabled,5,4 enforce=users
password   required   pam_unix.so       no_warn try_first_pass n

Then
$ passwd
Changing local password for user1
System configuration error. Please contact your administrator.
passwd: pam_chauthtok(): general failure
 
sdf: When you look into pam_passwdqc(8) you'll see:

Code:
min=N0,N1,N2,N3,N4
             (min=disabled,24,12,8,7) The minimum allowed password lengths for
             different kinds of passwords/passphrases.  The keyword disabled
             can be used to disallow passwords of a given kind regardless of
             their length.  Each subsequent number is required to be no larger
             than the preceding one.

Pay attention to the last sentence. Specifying disabled means INT_MAX.
If you're up to it here's where options are parsed.

As you are specifying disabled in the middle of the min options, the parsing loop stops but still has arguments. That's the general failure error you see.
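
Added example (not part of the post above and not pam_passwdqc's own source): a small C checker for the ordering rule quoted from pam_passwdqc(8), treating disabled as INT_MAX as the reply describes. The function name `check_min` and its return convention are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustration only. Validates a "min=" value: five comma-separated fields
 * N0..N4, each a number or "disabled" (treated as INT_MAX), none larger
 * than the field before it.
 * Returns -1 if valid, the index 0-4 of the first bad field, or 5 if
 * extra text follows N4.
 */
int check_min(const char *value)
{
    const char *p = value;
    long prev = 0;

    for (int i = 0; i < 5; i++) {
        long v;
        if (strncmp(p, "disabled", 8) == 0) {
            v = INT_MAX;
            p += 8;
        } else {
            char *end;
            if (*p < '0' || *p > '9')
                return i;            /* not a number */
            v = strtol(p, &end, 10);
            if (v > INT_MAX)
                return i;            /* out of range */
            p = end;
        }
        if (i > 0 && v > prev)
            return i;                /* larger than the preceding field */
        if (i < 4 && *p++ != ',')
            return i;                /* missing separator or too few fields */
        prev = v;
    }
    return *p ? 5 : -1;
}

int main(void)
{
    const char *s[] = { "7,6,disabled,5,4", "disabled,6,5,5,4", "1,1,1,1,1" };
    for (size_t i = 0; i < 3; i++) {
        int bad = check_min(s[i]);
        printf("min=%s: %s", s[i], bad < 0 ? "ok\n" : "rejected at N");
        if (bad >= 0)
            printf("%d\n", bad);
    }
    return 0;
}
```

With the thread's value, the check stops at N2: disabled follows 6, so it is larger than the preceding field. Moving disabled to the front, where nothing precedes it, satisfies the rule.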
 
I think the min=N0,N1,N2,N3,N4 option logic is very confusing.
Since the passphrase is usually longer than the password, the value of N2 should be larger, resulting in a larger value of N0 and N1 (at least not less than N2).

Again, for example:
Code:
min=1,1,1,1,1
The system considers this setting to be ok.
However, according to common sense, N1 should be at least 2, N3 should be at least 3, and N4 should be at least 4.

As "Each subsequent number is required to be no larger than the preceding one", it should at least be like this:
Code:
min=4,4,4,4,4


And I don't understand why a password of at least two characters is required when set to
Code:
min=1,1,1,1,1
 