Thanks to two other SE posts (one on SO, one on SF), the answer lies in using advanced control syntax. The

    auth required pam_unix.so try_first_pass nullok
    # and sometime later
    auth optional pam_ssh.so use_first_pass

should therefore become

    auth [success=1 new_authtok_reqd=1 ignore=ignore default=ignore] pam_unix.so try_first_pass nullok
    auth required pam_ssh.so use_first_pass

Now it is imperative that the pam_ssh line exactly precedes the pam_unix one, since success=N means to skip N following module(s). Also, don't forget the session pam_ssh.so line while you're at it!
In my first attempt, I used

    auth [success=1 default=ignore] pam_ssh.so try_first_pass
    auth required pam_unix.so use_first_pass nullok

instead, but this method locks out all users without SSH keys! Turns out that default=ignore isn't sufficient; auth_err=ignore has to be added, since that is apparently not considered part of default. Also, this attempt means there'll be either a "password" or an "SSH passphrase" prompt depending on whether the user has an SSH key!
Note that in Arch Linux, the pam_unix line used by login lies in the include chain

    login -> system-local-login -> system-login -> system-auth

and that system-login has some other required lines before including system-auth, so you cannot simply put auth [success=1 default=ignore] pam_ssh.so try_first_pass in before login's auth include system-local-login - you'd skip the wrong required line, and thanks to the pam_unix.so use_first_pass (instead of try_first_pass) you could still only log in with your login password! On the other hand, by modifying system-auth, you're also allowing other services such as sshd to use your SSH key as an authentication option alongside the login password. If you truly want only your login to use this, you pretty much have to break the include chain and manually copy all auth lines to login.
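As an added check on the control-flag semantics discussed above (not code from the original post), the following Python simulator applies the pam.d(5) action rules to a stack of (control, module) lines so that the effect of success=N can be tested before a configuration is installed. The module name pam_other_required.so and the MISPLACED stack are constructed stand-ins for the unrelated required line in the Arch include chain.

```python
"""Added simulator of how Linux-PAM walks an auth stack that uses the advanced control syntax
(pam.d(5)), so the effect of 'success=N' can be checked before a config is installed. Not modelled:
the 'reset' action, prompting, and the optional-as-only-module case; an all-ignored stack is denied."""

# The classic keywords are shorthand for these return-value -> action tables (pam.d(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(field):
    """'required' or '[success=1 default=ignore]' -> {return_value: action}; a jump N is an int."""
    if field in KEYWORDS:
        return dict(KEYWORDS[field])
    pairs = (p.split("=", 1) for p in field.strip("[]").split())
    return {v: (int(a) if a.isdigit() else a) for v, a in pairs}

def run_stack(stack, outcomes):
    """stack: [(control, module), ...] in file order; outcomes: module -> return value.
    Returns (stack result, list of modules that were actually consulted)."""
    first_failure, contributed, ran, i = None, False, [], 0
    while i < len(stack):
        control, module = stack[i]
        i, rv = i + 1, outcomes[module]
        ran.append(module)
        table = parse_control(control)
        action = table.get(rv, table.get("default", "bad"))   # unlisted values default to 'bad'
        if action in ("bad", "die"):
            first_failure = first_failure or rv              # first failure decides the stack
            if action == "die":                              # requisite-style: stop at once
                break
        elif action != "ignore":                             # 'ok', 'done' or a jump N
            if first_failure is None:                        # these only count while nothing failed
                contributed = contributed or rv == "success"
                first_failure = None if rv == "success" else rv
                if action == "done":                         # sufficient-style: decided early
                    break
            if isinstance(action, int):
                i += action                                  # success=N: jump over the next N lines
    return first_failure or ("success" if contributed else "perm_denied"), ran

# The corrected ordering from the post: pam_unix's result decides whether pam_ssh is consulted.
CORRECTED = [("[success=1 new_authtok_reqd=1 ignore=ignore default=ignore]", "pam_unix.so"),
             ("required", "pam_ssh.so")]
# Constructed misplacement (hypothetical module name): an unrelated 'required' line sits between
# the pam_ssh jump and pam_unix, so success=1 skips the wrong line and a valid key is not enough.
MISPLACED = [("[success=1 default=ignore]", "pam_ssh.so"),
             ("required", "pam_other_required.so"),
             ("required", "pam_unix.so")]
```

For example, `run_stack(MISPLACED, {"pam_ssh.so": "success", "pam_other_required.so": "success", "pam_unix.so": "auth_err"})` returns `("auth_err", ["pam_ssh.so", "pam_unix.so"])`: the jump lands on pam_unix rather than past it, so the key alone no longer authenticates.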
I found out my system (as most modern Linux systems) uses PAM (Pluggable Authentication Modules) and the pam_cracklib module within it. pam_cracklib enforces a minimum length of 6 symbols regardless of parameters, so the solution is to turn it off.

One link I've read discussed editing the password-ac and system-ac files in /etc/pam.d; the contents of both files were the same and no explanation was given of their respective roles.
Upon studying the PAM docs (The Linux-PAM System Administrators' Guide | linux-pam.org), I learned that PAM configs for Linux services are in that /etc/pam.d directory in separate files. I looked at the passwd file and found only the system-ac file mentioned in it (added by the substack keyword), so on my system I needed to edit only system-ac.
Making pam_cracklib optional made no difference (I guess that's because pam_cracklib did not pass the entered and rejected password to the next module in the stack, pam_unix), and commenting out the line with pam_cracklib led to errors during the passwd run. I noted that the next line, with ordinary pam_unix, had the option use_authtok (docs: enforce the module to set the new password to the one provided by a previously stacked module). After I deleted that option and commented out the line with pam_cracklib, I am now able to set short passwords with passwd.
Best Answer
You can specify per-user or per-group policies through the pam_succeed_if module. Use the “goto” action (i.e. an integer instead of ok, ignore, etc.) to skip over a password setting for some users. (Warning: untested and I'm not fluent in PAM.)