Policy in /etc/pam.d/password-auth is not being enforced


You have to check whether your /etc/pam.d/passwd file includes /etc/pam.d/password-auth or /etc/pam.d/system-auth, and make the required changes in the file that is included.

In short:
An application that uses PAM can have a configuration file bearing its name in /etc/pam.d/. If a file exists, the rules in that file are processed whenever the application calls a PAM authentication function.

Files like /etc/pam.d/system-auth and to a larger extent /etc/pam.d/password-auth are somewhat distribution-specific. Since no applications identify themselves as "system-auth" or "password-auth", these files are actually never called on their own. Instead, the contents of these files are pulled into other PAM configuration files with the "include" directive. That way, common settings for multiple applications can be stored in a single file.
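The include chain described above can be resolved mechanically. The following is an added example, not part of the original answer or thread: it follows `include`/`substack` directives from a service file and reports which file each effective `password` rule comes from. The function names are this example's own and the file contents in `demo()` are constructed.

```python
from pathlib import Path
import tempfile

def effective_stack(service, mgmt="password", pam_dir="/etc/pam.d", _chain=()):
    """Return [(source_file, control, module, args)] for one type, following includes."""
    if service in _chain:                        # guard against include loops
        return []
    rules = []
    text = Path(pam_dir, service).read_text().replace("\\\n", " ")  # join continuations
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()        # drop comments, tokenize
        if len(f) >= 2 and f[0] == "@include":   # Debian-style include (all types)
            rules += effective_stack(f[1], mgmt, pam_dir, _chain + (service,))
            continue
        if len(f) < 3 or f[0].lstrip("-") != mgmt:
            continue
        end = 1
        if f[1].startswith("["):                 # bracketed control may contain spaces
            while end < len(f) - 1 and not f[end].endswith("]"):
                end += 1
        control, rest = " ".join(f[1:end + 1]), f[end + 1:]
        if not rest:
            continue
        if control in ("include", "substack"):
            rules += effective_stack(rest[0], mgmt, pam_dir, _chain + (service,))
        else:
            rules.append((service, control, rest[0], rest[1:]))
    return rules

def option_sources(stack, option):
    """List (file, module, value) for every rule that sets option=value."""
    return [(src, mod, a.split("=", 1)[1]) for src, _, mod, args in stack
            for a in args if a.startswith(option + "=")]

def demo():
    """Constructed sample tree: passwd pulls in system-auth, not password-auth."""
    files = {
        "passwd": "password   substack   system-auth\n",
        "system-auth": "password requisite pam_cracklib.so try_first_pass retry=3\n"
                       "password sufficient pam_unix.so sha512 shadow use_authtok\n",
        "password-auth": "password requisite pam_cracklib.so retry=3 minlen=12\n",
    }
    d = tempfile.mkdtemp()
    for name, body in files.items():
        Path(d, name).write_text(body)
    return effective_stack("passwd", pam_dir=d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, `option_sources(effective_stack("passwd"), "minlen")` returning an empty list means no file in the chain that `passwd` actually reads sets a minimum length, whatever other files in /etc/pam.d contain.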



Updated on September 18, 2022


  • Gbo
    Gbo almost 2 years

    I've updated login.defs and password-auth to include a minimum length on passwords (12), but the minlen is not being enforced when I attempt to change a user's password with passwd.

    None of the password case policies are being enforced. I can enter 'aaaa1234' as a valid but weak and too short password. I am also able to enter dictionary words, such as 'password'. The same password can be reused.

    In summary, none of the settings in /etc/pam.d/password-auth appear to be recognized.

    The password I'm entering for the following command is blue1234

    # passwd testy
    Changing password for user testy.
    New password: 
    BAD PASSWORD: it is based on a dictionary word
    BAD PASSWORD: is too simple
    Retype new password: 
    passwd: all authentication tokens updated successfully.

    Here's what was logged in /var/log/secure from the operation above. This is the only line for the event.

    Apr  1 11:41:37 myserver passwd: pam_unix(passwd:chauthtok): password changed for testy

    config files

    # login.defs
    # Password aging controls:
    #       PASS_MAX_DAYS   Maximum number of days a password may be used.
    #       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    #       PASS_MIN_LEN     12
    #       PASS_WARN_AGE   Number of days warning given before a password expires.
    PASS_MAX_DAYS   30
    PASS_MIN_LEN     12
    PASS_WARN_AGE   14


    # /etc/pam.d/password-auth
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
    auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    password    requisite     pam_cracklib.so try_first_pass retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minlen=12
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

    Why is the pam password policy not being enforced?

    PS: This is a minimal installation.

    • roaima
      roaima about 9 years
      FWIW the Debian (wheezy) man page for login.defs says, « Much of the functionality [...] is now handled by PAM. Thus, /etc/login.defs is no longer used by passwd(1), or less used by login(1), and su(1). »
    • Gbo
      Gbo about 9 years
      @nwildner, some improvement when I passwd as that account. I can't type a dictionary word and have to have some complexity. That said, the minlen is still not being enforced. I can enter a 9 character password, where I specified a minimum 12 character password.
    • Admin
      Admin about 9 years
      Hum. This could be related to the answer given. system-auth already has a dictionary filter, but no password length enforcement :)
  • Gbo
    Gbo about 9 years
    cat: /etc/pam.d/password: No such file or directory (this is centos per tags on the question, fwiw)
  • taliezin
    taliezin about 9 years
    I'll edit the answer: /etc/pam.d/passwd
  • Gbo
    Gbo about 9 years
    That did it - /etc/pam.d/passwd points to /etc/pam.d/system-auth. Updated my policy there and it is now being correctly implemented.