I've updated login.defs and password-auth to include a minimum length on passwords (12), but the minlen is not being enforced when I attempt to change a user's password with passwd.
None of the password case policies are being enforced. I can enter 'aaaa1234' as a valid but weak and too short password. I am also able to enter dictionary words, such as 'password'. The same password can be reused.
In summary, none of the settings in /etc/pam.d/password-auth appear to be recognized.
The password I'm entering for the following command is blue1234:

```
# passwd testy
Changing password for user testy.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
```
Here's what was logged in /var/log/secure from the operation above. This is the only line for the event:

```
Apr 1 11:41:37 myserver passwd: pam_unix(passwd:chauthtok): password changed for testy
```
Config files:

```
# login.defs
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN 12
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 30
PASS_MIN_DAYS 1
PASS_MIN_LEN 12
PASS_WARN_AGE 14
```
```
# /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minlen=12
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```
Why is the pam password policy not being enforced?
PS: This is a minimal installation.
Best Answer
You have to check your /etc/pam.d/passwd file to see whether it includes /etc/pam.d/password-auth or /etc/pam.d/system-auth, and make the required changes in the file that is included. In short:

An application that uses PAM can have a configuration file bearing its name in /etc/pam.d/. If a file exists, the rules in that file are processed whenever the application calls a PAM authentication function. Files like /etc/pam.d/system-auth and, to a larger extent, /etc/pam.d/password-auth are somewhat distribution-specific. Since no applications identify themselves as "system-auth" or "password-auth", these files are actually never called on their own. Instead, the contents of these files are pulled into other PAM configuration files with the "include" directive. That way, common settings for multiple applications can be stored in a single file.
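As an added illustration of the answer's point (this script is not part of the question or the answer), the following POSIX shell functions trace which "password"-type lines PAM actually evaluates for a given service by following `include` and `substack` directives from that service's file, then report whether a pam_cracklib or pam_pwquality line with a `minlen=` setting is ever reached. The function names, the `make_sample` helper and the sample files it writes are assumptions for this example: they mirror the situation in the question, where password-auth carries `minlen=12` but the `passwd` service pulls in system-auth instead, so the 12-character rule never applies to `passwd`.

```shell
#!/bin/sh
# Added example, not from the question or the answer: find out which PAM
# "password" lines a service really runs, and whether a minlen is among them.
# Usage on a real host: pam_minlen_for /etc/pam.d passwd

# Print the effective "password"-type lines for service $2 under directory $1,
# recursively expanding "password include X" and "password substack X".
# $3 is the recursion depth (guards against include loops).
pam_password_stack() {
    [ "${3:-0}" -le 8 ] || return 0
    [ -r "$1/$2" ] || return 0
    sed -e 's/#.*//' "$1/$2" | while read -r type ctrl mod rest; do
        [ "$type" = password ] || continue
        case "$ctrl" in
            include|substack) pam_password_stack "$1" "$mod" $(( ${3:-0} + 1 )) ;;
            *) printf '%s %s %s %s\n' "$type" "$ctrl" "$mod" "$rest" ;;
        esac
    done
}

# Print the minlen that service $2 will enforce, taken from the first
# pam_cracklib/pam_pwquality line reached. Prints "default" when the module is
# present but sets no minlen (the module's built-in default then applies), and
# prints "none" with exit status 1 when no such module is in the stack at all.
pam_minlen_for() {
    line=$(pam_password_stack "$1" "$2" | grep -E 'pam_(cracklib|pwquality)\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo none
        return 1
    fi
    val=$(printf '%s\n' "$line" | sed -n 's/.*minlen=\([0-9]*\).*/\1/p')
    echo "${val:-default}"
}

# Constructed sample /etc/pam.d lookalike under directory $1 that mirrors the
# question: password-auth has minlen=12, but passwd includes system-auth,
# whose cracklib line sets no minlen.
make_sample() {
    cat > "$1/passwd" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
EOF
    cat > "$1/system-auth" <<'EOF'
#%PAM-1.0
password   requisite    pam_cracklib.so try_first_pass retry=3 type=
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   required     pam_deny.so
EOF
    cat > "$1/password-auth" <<'EOF'
#%PAM-1.0
password   requisite    pam_cracklib.so try_first_pass retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minlen=12
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   required     pam_deny.so
EOF
}

# Demo against the constructed sample, so the script runs without touching the host.
tmp=$(mktemp -d)
make_sample "$tmp"
echo "passwd (via system-auth):  minlen=$(pam_minlen_for "$tmp" passwd)"
echo "password-auth on its own:  minlen=$(pam_minlen_for "$tmp" password-auth)"
rm -rf "$tmp"
```

On the host in the question, `pam_minlen_for /etc/pam.d passwd` is the quick way to confirm which file the `passwd` service actually reads; if it reports "default" or "none", the `minlen=12` line lives in a file that service never includes, and the edit belongs in the included file (or the include line in `/etc/pam.d/passwd` should point at the file that carries the policy).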