Oct 30, 2009

Password policies on debian linux: dcredit? pam_cracklib.so?

Ok, nearly everybody knows pam:
PAM = Pluggable Authentication Modules
The linux-pam homepage states "Basically, it is a flexible mechanism for authenticating users." But is there an easy way to enforce password policies within this pam mechanism?

It is not really difficult, if you know where to look:
Open /etc/pam.d/common-password (debian) and read
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
The next two lines are:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5
and pam_cracklib.so can be installed via
apt-get install libpam-cracklib
To the first line (the pam_cracklib.so line) add
dcredit=-4 lcredit=-2 ucredit=-1
This translates to dcredit=-4 (at least 4 digits required), lcredit=-2 (at least 2 lowercase letters required), ucredit=-1 (at least 1 uppercase letter required). A negative value is a hard minimum for that character class; a positive value instead only grants up to that many characters of credit towards minlen. For a full list of parameters look here.
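As an added illustration (my own code, not part of the post or of pam_cracklib), here is how pam_cracklib's credit rule turns such a line into an accept/reject decision. It models only the minlen/credit check, not cracklib's dictionary, palindrome or difok checks, and the line parser is an assumption for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CracklibPolicy:
    """Credit parameters of a pam_cracklib.so line (pam_cracklib defaults)."""
    minlen: int = 9
    dcredit: int = 1   # digits
    ucredit: int = 1   # uppercase letters
    lcredit: int = 1   # lowercase letters
    ocredit: int = 1   # other characters

    @classmethod
    def from_pam_line(cls, line: str) -> "CracklibPolicy":
        """Parse 'password required pam_cracklib.so key=value ...' (example parser)."""
        pairs = re.findall(r"\b(minlen|dcredit|ucredit|lcredit|ocredit)=(-?\d+)", line)
        return cls(**{key: int(val) for key, val in pairs})


def check_simple(policy: CracklibPolicy, password: str) -> tuple:
    """Mirror pam_cracklib's length/credit rule: (accepted, reason).

    For each class: a credit >= 0 lowers the required length by up to that many
    characters actually present; a credit < 0 is a hard minimum for the class.
    The password is accepted when len(password) >= the remaining required length.
    """
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    others = len(password) - digits - uppers - lowers
    size = policy.minlen
    for name, credit, count in (("digit", policy.dcredit, digits),
                                ("uppercase", policy.ucredit, uppers),
                                ("lowercase", policy.lcredit, lowers),
                                ("other", policy.ocredit, others)):
        if credit >= 0:
            size -= min(count, credit)
        elif count < -credit:
            return False, f"needs at least {-credit} {name} character(s)"
    if len(password) < size:
        return False, f"too short: {len(password)} < required {size} after credits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed line: the post's Debian default plus the three negative credits.
    policy = CracklibPolicy.from_pam_line(
        "password required pam_cracklib.so retry=3 minlen=6 difok=3 "
        "dcredit=-4 lcredit=-2 ucredit=-1")
    for pw in ("Abc12345", "abc12345", "Ab1234"):
        print(pw, check_simple(policy, pw))
```

Note that with the unmodified Debian line (minlen=6 and every credit at its default of 1) a lowercase-only password of five characters is accepted, because one character of credit is granted; the negative credits are what make the class requirements mandatory.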
