Policy in /etc/pam.d/password-auth is not being enforced
You have to check whether your /etc/pam.d/passwd file includes /etc/pam.d/password-auth or /etc/pam.d/system-auth, and make the required changes in the file that is actually included.
In short:

An application that uses PAM can have a configuration file bearing its name in /etc/pam.d/. If a file exists, the rules in that file are processed whenever the application calls a PAM authentication function.

Files like /etc/pam.d/system-auth and, to a larger extent, /etc/pam.d/password-auth are somewhat distribution-specific. Since no applications identify themselves as "system-auth" or "password-auth", these files are actually never called on their own. Instead, the contents of these files are pulled into other PAM configuration files with the "include" directive. That way, common settings for multiple applications can be stored in a single file.
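As an added example (not part of the original answer or of any PAM project code), the following POSIX shell script walks a service file's include chain the way the answer describes, printing the effective password stack and which service files include a given one. It builds a constructed sample copy of /etc/pam.d in a temp directory that mirrors the question; on a real host you would pass /etc/pam.d as the first argument. It also follows Debian-style @include lines, which go beyond the CentOS setup in the question.

```shell
# Added example, not code from the original answer: follow the "include",
# "substack" and Debian-style "@include" lines of a PAM service file to
# show which file's "password" stack is really in effect for passwd(1),
# and which service files (if any) pull in a given file.

# Print the effective lines of management group $3 (auth, account,
# password or session) for service $2 under directory $1, prefixed with
# the file each line came from. Recursion runs in a subshell.
pam_effective() {
    [ -f "$1/$2" ] || { echo "no config for $2" >&2; return 1; }
    while read -r type control rest; do
        case "$type" in ''|'#'*) continue ;; esac
        if [ "$type" = "@include" ]; then
            ( pam_effective "$1" "$control" "$3" ); continue
        fi
        [ "$type" = "$3" ] || continue
        case "$control" in
            include|substack) ( pam_effective "$1" "${rest%% *}" "$3" ) ;;
            *) echo "$2: $type $control $rest" ;;
        esac
    done < "$1/$2"
}

# List the service files under $1 that include service $2. No output
# means nothing uses that file, so the rules in it are never applied.
pam_includers() {
    for f in "$1"/*; do
        grep -qE "^[^#]*(include|substack)[[:space:]]+$2([[:space:]]|\$)" "$f" && basename "$f"
    done
    return 0
}

# Constructed sample tree mirroring the question (not a real /etc/pam.d):
# passwd pulls in system-auth, whose pam_cracklib line has no minlen;
# password-auth carries minlen=12 but no service file includes it.
pam_demo_tree() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth     include  system-auth' \
        'account  include  system-auth' 'password substack system-auth' > "$d/passwd"
    printf '%s\n' 'password requisite  pam_cracklib.so try_first_pass retry=3' \
        'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
        'password required   pam_deny.so' > "$d/system-auth"
    printf '%s\n' 'password requisite  pam_cracklib.so try_first_pass retry=3 minlen=12' \
        'password sufficient pam_unix.so sha512 shadow use_authtok' > "$d/password-auth"
    echo "$d"
}

d=$(pam_demo_tree)
pam_effective "$d" passwd password                    # lines come from system-auth, no minlen
echo "password-auth included by: $(pam_includers "$d" password-auth)"   # empty
rm -rf "$d"
```

Run it against the real directory with `pam_effective /etc/pam.d passwd password` to see exactly which file's pam_cracklib or pam_pwquality line applies to passwd(1).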
Gbo, updated on September 18, 2022
Gbo (almost 2 years ago):

I've updated login.defs and password-auth to include a minimum length on passwords (12), but the minlen is not being enforced when I attempt to change a user's password with passwd. None of the password case policies are being enforced. I can enter 'aaaa1234' as a valid but weak and too short password. I am also able to enter dictionary words, such as 'password'. The same password can be reused.

In summary, none of the settings in /etc/pam.d/password-auth appear to be recognized. The password I'm entering for the following command is blue1234:

```
# passwd testy
Changing password for user testy.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
```

Here's what was logged in /var/log/secure from the operation above. This is the only line for the event:

```
Apr 1 11:41:37 myserver passwd: pam_unix(passwd:chauthtok): password changed for testy
```

Config files:

```
# login.defs
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	12
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	30
PASS_MIN_DAYS	1
PASS_MIN_LEN	12
PASS_WARN_AGE	14
```

```
# /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minlen=12
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```
Why is the pam password policy not being enforced?
PS: This is a minimal installation.
Comments:

roaima (about 9 years ago): FWIW the Debian (wheezy) man page for login.defs says, « Much of the functionality [...] is now handled by PAM. Thus, /etc/login.defs is no longer used by passwd(1), or less used by login(1), and su(1). »

Gbo (about 9 years ago): @nwildner, some improvement when I passwd as that account. I can't type a dictionary word and have to have some complexity. That said, the minlen is still not being enforced. I can enter a 9 character password, where I specified a minimum 12 character password.

Admin (about 9 years ago): Hum. This could be related to the answer given. system-auth already has a dictionary filter, but no password length enforcement :)

Gbo (about 9 years ago): cat: /etc/pam.d/password: No such file or directory (this is centos per tags on the question, fwiw)

taliezin (about 9 years ago): I'll edit the answer: /etc/pam.d/passwd

Gbo (about 9 years ago): That did it - /etc/pam.d/passwd points to /etc/pam.d/system-auth. Updated my policy there and it is now being correctly implemented.