Home > Articles > Operating Systems, Server

  • Print
  • + Share This
From the author of

Putting PAM to Work: Expiring Passwords

Now that you understand, at least to some degree, how PAM works, we're going to modify a few PAM service stacks. The first one we're going to modify is the password service, which is responsible simply for updating a user's login password. It is important that all user passwords be well-chosen passwords. They should be longer than one or two characters and should avoid containing any dictionary words at the very least.

Most distributions now include reasonably good password selection enforcement by default—managed by PAM—but we're going to describe one possible /etc/pam.d/passwd file just in case you find this not to be the case on your distribution.

First, we need to verify the presence of the pam_cracklib.so module somewhere on the system. Assuming that your file database is intact, you should be able to discover whether pam_cracklib.so and the needed dictionaries are present simply by entering this:

locate pam_cracklib.so dict | grep crack

If with this command you are able to locate both pam_cracklib.so and a crack terms dictionary file or set of dictionary files, you should, in theory, be able to enable good password enforcement. Just comment out the existing lines in your /etc/pam.d/passwd file with a hash mark (#) and replace them with the ones in Listing 2.

Listing 2 Enforced /etc/pam.d/passwd File

password required pam_cracklib.so type=user retry=3
password required pam_pwdb.so use_authtok

If you have an /etc/pam.conf file instead of the /etc/pam.d/ directory, search through the file for lines beginning with the text passwd. Comment them out and replace them with the lines shown in Listing 3.

Listing 3 Enforced passwd Lines for /etc/pam.conf

passwd password required pam_cracklib.so type=user retry=3
passwd password required pam_pwdb.so use_authtok

Note that if you have MD5 passwords, you might need to append a space and the word md5 to the end of the second line in either case.

These changes will cause the PAM system to demand better passwords of users rather than accept bad passwords without complaint. The theory behind this small passwd stack is as follows:

  • When a user enters his desired password, check the password against a dictionary of common terms. This task is performed by the pam_cracklib.so module and is required in order to proceed in the stack.

  • Ask for a good password up to three times before giving up altogether (the retry=3 argument).

  • If the user enters a good password (the pam_cracklib.so module completes successfully), update the authentication token (the password) using the pam_pwdb.so module (responsible for managing the password database).

This simple change allows a system administrator to demand good password selection from his or her users without having to know what the passwords are or to install third-party software or aftermarket password utilities.

  • + Share This
  • 🔖 Save To Your Account