pam:pam_passwdqc

Differences

This shows you the differences between two versions of the page.

pam:pam_passwdqc [2016/11/27 19:14] peter
pam:pam_passwdqc [2019/12/01 12:17] (current) – removed peter
Line 1: Line 1:
-====== PAM - pam_passwdqc ====== 
- 
-**libpam_ passwdqc** is a PAM module that tests passwords to make sure they are not too weak during password change.  It adds additional password entropy assistance to the standard security system. 
- 
-===== Create the PAM configuration file for passwdqc ===== 
- 
-Create a PAM configuration file for passwdqc by issuing the following command: 
- 
-<code bash> 
-sudo vi /usr/share/pam-configs/passwdqc 
-</code> 
- 
-and populate it with the following: 
- 
-<file bash /usr/share/pam-configs/passwdqc> 
-Name: passwdqc password strength checking 
-Default: yes 
-Priority: 1024 
-Conflicts: cracklib [maybe?] 
-Password-Type: Primary 
-Password: 
-  requisite pam_passwdqc.so min=disabled,10,8,8,8 similar=deny enforce=users ask_oldauthtok check_oldauthtok 
-</file> 
- 
-Now issue the command: 
- 
-<code bash> 
-sudo pam-auth-update 
-</code> 
- 
-and ensure that the passwdqc password strength checking is enabled. 
- 
-<WRAP warning> 
-**WARNING**: Enabling the PAM passwdqc module will disable the PAM **cracklib** module.  
-</WRAP> 
- 
- 
-===== Set the password strength policy ===== 
- 
-Issue the following command: 
- 
-<code bash> 
-sudo vi /etc/pam.d/common-password 
-</code> 
- 
-and populate it with the following: 
- 
-<file bash /etc/pam.d/common-password> 
-password   requisite pam_passwdqc.so min=disabled,10,8,8,8 max=40 similar=deny enforce=users ask_oldauthtok check_oldauthtok 
-password   [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512 
- 
-# here's the fallback if no module succeeds 
-password   requisite   pam_deny.so 
-# prime the stack with a positive return value if there isn't one already; 
-# this avoids us returning an error just because nothing sets a success code 
-# since the modules above will each just jump around 
-password   required   pam_permit.so 
-</file> 
- 
- 
-By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks.  These values are controlled in the file /etc/pam.d/common-password. 
- 
-The **pam_passwdqc** manpage provides a lot of information, but the above essentially disallows passwords from any single character class, enforces a minimum length of 10 characters for a password from any two character classes, a minimum length of 8 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters from four character classes. The four character classes are made up of, digits, lower-case letters, upper-case letters, and other characters (such as '!' and '_') respectively. The above also enforces no passwords longer than 40 characters. The other options are clearly outlined in the pam_passwdqc man pages. 
- 
-Each option can be customized to suit your environment. The above is actually less strict than the recommended default setting of "min=disabled,24,12,8,7" which can create some extremely difficult-to-crack passwords. 
- 
-pam_passwdqc has no strange requirements, so even if your distribution does not provide it in packaged form, installing and compiling from source should cause no problems whatsoever. 
- 
-The hashed passwords use a randomly generated salt. 
  
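Review bot: The two pam_passwdqc lines in this page disagree. The profile written to /usr/share/pam-configs/passwdqc sets `min=disabled,10,8,8,8 similar=deny enforce=users` with no `max`, while the /etc/pam.d/common-password line adds `max=40`, and the explanatory paragraph relies on that 40-character cap. Because pam-auth-update generates common-password from the profiles, the full option string belongs in the profile, and the hand edit should either be dropped or described as a check of the generated file. Otherwise the two copies of the policy can drift apart. The `Conflicts: cracklib [maybe?]` line is also left unresolved while the warning box states as fact that cracklib gets disabled; that should be confirmed and the marker removed. Since this revision deletes the whole page with only "removed" as its summary, a pointer to where the guidance now lives would help readers who arrive at the old link.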
pam/pam_passwdqc.1480274088.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
