Ubuntu - PAM - pam_passwdqc

libpam-passwdqc provides pam_passwdqc, a PAM module that checks a proposed new password during a password change and rejects it if it is too weak.

On top of the basic checks that pam_unix performs, it enforces length requirements that scale with the number of character classes used, rejects passwords that are too similar to the old one, and can offer the user a randomly generated passphrase.

pam_cracklib does not enforce its checks against root: when root sets a weak password the module prints a warning but still accepts the change (unless its enforce_for_root option is set).

To enforce password checking for every account including root, use pam_passwdqc instead of pam_cracklib and set enforce=everyone. Note that enforce=users exempts root in exactly the same way cracklib does, so a passwdqc line with enforce=users does not achieve the goal of this page.


Create the PAM configuration file for passwdqc

Create a PAM configuration file for passwdqc by issuing the following command:

sudo vi /usr/share/pam-configs/passwdqc

and populate it with the following:

/usr/share/pam-configs/passwdqc
Name: passwdqc password strength checking
Default: yes
Priority: 1024
Conflicts: cracklib
Password-Type: Primary
Password:
  requisite pam_passwdqc.so min=disabled,10,8,8,8 similar=deny enforce=everyone ask_oldauthtok check_oldauthtok

Now issue the command:

sudo pam-auth-update

and ensure that "passwdqc password strength checking" is ticked in the list of profiles. pam-auth-update regenerates /etc/pam.d/common-password from the enabled profiles; confirm the result with grep pam_passwdqc /etc/pam.d/common-password and check that no pam_cracklib.so line remains.

WARNING: Because the profile declares Conflicts: cracklib, enabling the passwdqc profile disables the cracklib profile.


Set the password strength policy

Issue the following command:

sudo vi /etc/pam.d/common-password

and populate it with the following (note that pam-auth-update regenerates this file from the profiles, so any options you add here by hand are lost the next time it runs; for a permanent change, put the options in the passwdqc profile above or in a file referenced with pam_passwdqc's config= option):

/etc/pam.d/common-password
password   requisite pam_passwdqc.so min=disabled,10,8,8,8 max=40 similar=deny enforce=everyone ask_oldauthtok check_oldauthtok
password   [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512
 
# here's the fallback if no module succeeds
password   requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password   required   pam_permit.so

By default, Ubuntu's common-password stack applies only pam_unix's obscure checks and a short minimum length (pam_unix's minlen defaults to 6 characters). These values are controlled in the file /etc/pam.d/common-password.

The pam_passwdqc manpage provides a lot of information, but the five values of min= are, in order, the minimum length for a password made of a single character class, of two classes, for a passphrase, of three classes and of four classes. The setting above therefore disallows single-class passwords entirely, requires 10 characters for two classes, 8 characters for a passphrase (three or more words), 8 characters for three classes and 8 characters for four classes. The four character classes are digits, lower-case letters, upper-case letters and other characters (such as '!' and '_'). An upper-case letter used as the first character and a digit used as the last character are not counted towards the number of classes, so a password such as Password1 counts as single-class and is rejected. max=40 rejects any password longer than 40 characters (the value 8 is special: it truncates instead of rejecting). The other options are outlined in the pam_passwdqc man page.

Each option can be customized to suit your environment. The above is actually less strict than pam_passwdqc's built-in default of min=disabled,24,11,8,7, which produces passwords that are extremely difficult to crack.

pam_passwdqc has no unusual build dependencies, so even if your distribution does not package it, building and installing it from source is straightforward.

pam_passwdqc only inspects the cleartext before it is stored; the hash itself is produced by pam_unix, which with the sha512 option above uses SHA-512 with a randomly generated salt.
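The script below is an added illustration, not code from passwdqc or Ubuntu. It parses a common-password stack like the one above (the sample text is constructed inline), reports the audit findings a reviewer would want (an enforce= setting that exempts root, a leftover pam_cracklib.so line) and then evaluates candidate passwords against the min=, max= and passphrase= values it finds, following the class-counting rules described in the pam_passwdqc man page. It is a simplification: the dictionary, similarity (similar=/match=) and old-password checks are not modelled, and the function and variable names are this example's own.

```python
"""Audit a common-password stack for pam_passwdqc and model its
min=/max=/passphrase= rules.  Added example; not passwdqc's own code."""

DISABLED = None
# positions in min=N0,N1,N2,N3,N4: 1 class, 2 classes, passphrase, 3 classes, 4 classes
CLASS_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}


def passwdqc_options(stack_text):
    """Parse a common-password stack (text passed in, not read from /etc).

    Returns (options of the pam_passwdqc.so line, list of audit warnings)."""
    opts, warnings = None, []
    for raw in stack_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[1].startswith("["):   # bracketed control, e.g. [success=1 default=ignore]
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            module, args = fields[end + 1], fields[end + 2:]
        else:
            module, args = fields[2], fields[3:]
        if module == "pam_cracklib.so":
            warnings.append("pam_cracklib.so is still in the stack")
        if module == "pam_passwdqc.so":
            opts = {}
            for arg in args:
                key, _, value = arg.partition("=")
                opts[key] = value if value else True
    if opts is None:
        raise ValueError("no pam_passwdqc.so line in the password stack")
    enforce = opts.get("enforce", "everyone")   # man page default is everyone
    if enforce == "users":
        warnings.append("enforce=users: root's weak passwords are warned about, not rejected")
    elif enforce == "none":
        warnings.append("enforce=none: weak passwords are only warned about")
    return opts, warnings


def parse_min(value):
    """'disabled,10,8,8,8' -> (None, 10, 8, 8, 8)."""
    parts = value.split(",")
    if len(parts) != 5:
        raise ValueError("min= takes exactly five comma-separated values")
    return tuple(DISABLED if p == "disabled" else int(p) for p in parts)


def count_classes(password):
    """Digits, lower, upper, other.  A leading upper-case letter and a
    trailing digit are not counted, as the pam_passwdqc man page states."""
    body = password
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    seen = set()
    for c in body:
        seen.add("digit" if c.isdigit() else "lower" if c.islower()
                 else "upper" if c.isupper() else "other")
    return len(seen)


def check_password(password, opts):
    """Return (accepted, reason) under the min/max/passphrase options;
    defaults are pam_passwdqc's documented ones."""
    mins = parse_min(opts.get("min", "disabled,24,11,8,7"))
    max_len = int(opts.get("max", 40))
    words_needed = int(opts.get("passphrase", 3))
    length = len(password)
    if max_len != 8 and length > max_len:   # max=8 means truncate, not reject
        return False, "too long"
    if words_needed and len(password.split()) >= words_needed:
        need = mins[2]
        if need is not DISABLED and length >= need:
            return True, "passphrase"
    classes = count_classes(password)
    for k in range(classes, 0, -1):          # fall through to fewer classes
        need = mins[CLASS_INDEX[k]]
        if need is not DISABLED and length >= need:
            return True, f"{k} character class(es), {length} chars"
    return False, "not enough different characters or classes"


# Constructed sample: the page's stack, but with enforce=users to show the audit warning.
PAGE_STACK = """\
password   requisite pam_passwdqc.so min=disabled,10,8,8,8 max=40 similar=deny enforce=users ask_oldauthtok check_oldauthtok
password   [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password   requisite   pam_deny.so
password   required   pam_permit.so
"""

if __name__ == "__main__":
    opts, warnings = passwdqc_options(PAGE_STACK)
    print("options:", opts)
    for w in warnings:
        print("WARNING:", w)
    for candidate in ["Password1", "pa55word!", "one two thr", "a" * 41]:
        print(repr(candidate), check_password(candidate, opts))
```

Password1 is rejected because the leading capital and trailing digit do not count, leaving a single class; pa55word! passes as a three-class password of 9 characters; one two thr passes as a passphrase. To test candidates against the real module rather than this model, the passwdqc package ships pwqcheck, e.g. echo 'candidate' | pwqcheck -1 min=disabled,10,8,8,8.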


Examples

password    requisite     pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3

Here min= again disables single-class passwords but accepts 12 characters of two classes, 8 for a passphrase, 6 for three classes and 5 for four; passphrase=3 is the number of words required before the passphrase limit applies; match=4 is the length of common substring used by the similarity check; similar=deny rejects a new password that is based on the old one; random=42 offers the user a randomly generated passphrase of 42 bits; enforce=everyone applies the checks to root as well; and retry=3 gives the user three attempts to supply an acceptable password.