You can use PAM (Pluggable Authentication Modules) to configure simple password strength checking and password changing policies for all users. /etc/pam.d/system-auth provides the important settings for system authentication.
pam_cracklib - A simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
pam_passwdqc - This module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.
pam_chauthtok() - This service function may ask the user for a new password and verify that it meets certain minimum standards. If the chosen password is unsatisfactory, the service function returns PAM_AUTHTOK_ERR.
Setup Strength Checking For Passwords
The default pam_cracklib PAM module provides strength checking for passwords. It rejects the new password if any one of the following conditions is found:
Palindrome - Is the new password a palindrome of the old one?
Case Change Only - Is the new password the old one with only a change of case?
Similar - Is the new password too much like the old one?
Simple - Is the new password too small?
Rotated - Is the new password a rotated version of the old password?
Already used - Was the password used in the past? Previously used passwords are to be found in /etc/security/opasswd.
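The following is an added example that models the rejection conditions listed above on plain strings; it is not pam_cracklib's own code. The "Similar" rule is modelled as an edit distance below a difok threshold, the "Simple" rule as a bare minimum length, and the history list stands in for /etc/security/opasswd (which stores hashes, not plaintext); the defaults difok=5 and minlen=9 and the reading of "palindrome" that rejects both a password that reads the same backwards and one that is the old password reversed are assumptions.

```python
"""Model of the pam_cracklib old-vs-new password checks.

Added example, not pam_cracklib's own code.  It reproduces the documented
rejection conditions on plain strings so the rules can be tried on sample
input.  `difok`, `minlen` and the `history` list are assumptions; the real
module reads its thresholds from module options and its history from
/etc/security/opasswd.
"""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used for the 'Similar' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new, old, history=(), difok=5, minlen=9):
    """Return the first matching rejection reason, or None if the password passes.

    Rule names follow the list on the page. difok=5 and minlen=9 are assumed
    defaults; `history` is a constructed stand-in for /etc/security/opasswd.
    """
    # Palindrome: the page phrases this relative to the old password, so both
    # "reads the same backwards" and "is the old one reversed" are rejected.
    if new == new[::-1] or new == old[::-1]:
        return "palindrome"
    # Case Change Only: identical once case is ignored.
    if new != old and new.lower() == old.lower():
        return "case change only"
    # Rotated: same length and found inside old+old, which covers every rotation.
    if new != old and len(new) == len(old) and new in old + old:
        return "rotated"
    # Similar: fewer than difok edits away, unless the new one is at least
    # twice as long.  An unchanged password has distance 0 and lands here.
    if len(new) < 2 * len(old) and _levenshtein(old, new) < difok:
        return "similar"
    # Simple: too short (the real module's per-class length credits are not modelled).
    if len(new) < minlen:
        return "simple"
    # Already used: present in the password history.
    if new in history:
        return "already used"
    return None


if __name__ == "__main__":
    # Constructed sample values for a dry run.
    old = "Summer2023!"
    for candidate in ("racecar", "SUMMER2023!", "2023!Summer", "Summer2024!",
                      "Sh0rt!", "Tr0ub4dor&3", "c0rrect-Horse!"):
        print(candidate, "->", check_new_password(candidate, old, history=("Tr0ub4dor&3",)))
```

Each call returns the name of the first rule that fires, so the same function can be used to explain to a user why a candidate was refused rather than only that it was.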
How To Use pam_passwdqc - Password Quality-control PAM Module
Edit the file /etc/pam.d/system-auth:
cp /etc/pam.d/system-auth /root/backup/system-auth
vi /etc/pam.d/system-auth
Find the line:
password requisite pam_cracklib.so try_first_pass retry=3
and replace it with the following line:
password requisite pam_passwdqc.so min=disabled,disabled,12,8,7 retry=3
Where,
min=N0,N1,N2,N3,N4 - min=disabled,disabled,12,8,7 is the password policy. Each field (N0,N1..N4) is used for a different purpose. The keyword disabled can be used to disallow passwords of a given kind regardless of their length. Each subsequent number is required to be no larger than the preceding one. N0 is used for passwords consisting of characters from one character class only. The character classes are digits, lower-case letters, upper-case letters, and other characters. N1 is used for passwords consisting of characters from two character classes which do not meet the requirements for a passphrase. N2 is used for passphrases. A passphrase must consist of sufficient words (see the passphrase option below). N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively. When calculating the number of character classes, upper-case letters used as the first character and digits used as the last character of a password are not counted. In addition to being sufficiently long, passwords are required to contain enough different characters for the character classes and the minimum length they have been checked against.
retry=3 - The number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and to enter it twice the first time.
See the help file /usr/share/doc/pam_passwdqc-1.0.2/README and the man page pam_passwdqc for detailed configuration options.
Best Answer
Checking libpwquality code on github it looks like the error message you get comes from this library. Probably called from PAM module, so you should start checking what you have in /etc/pam.d/passwd; by default for password it only includes /etc/pam.d/system-auth. I think you were quite close, however, setting module as optional didn't work for you. I'd suggest commenting it out for test and setting gecoscheck=N either in pam or /etc/security/pwquality.conf.
Simply commenting out the line in /etc/pam.d/system-auth may not work, however, you can try to update the file password section to something like this (only password section matters):
password sufficient pam_unix.so sha512
password required pam_deny.so
After that simply execute passwd user and try your favourite password. For me setting exactly the same user name and password worked, which is obviously not recommended from the system security perspective.