strong passwords with pam_cracklib

Traditionally I have checked weak passwords with jtr, but one problem is that you have to run it after a user already has a password.  A much more standard way is to check weak passwords with pam.  There are a couple modules for this – one is pam_cracklib.  Another is passwdqc.  I chose cracklib.  You should never use both.

Typically, you’ll edit a conf file in /etc/pam.d/ – normally like commmon-auth or common-password.  The entry you need to add is at the top.  All the entries are of course related to ‘password’.

password    requisite     pam_cracklib.so difok=2 minlen=10 dcredit=2 ocredit=2 try_first_pass retry=3

The fields are pretty straightforward.  Requisite means it’s required. difok specifies how many characters in your new password need to be different from the old password.  minlen is not as straightforward as it may seem.  It specifies the minimum length of the password, for sure, but you can get ‘credit’ for harder passwords.  This is where dcredit and ocredit come into play (amongst others).  dcredit=2 means if your password contains digits you get a bonus character. ocredit is the same thing but with special characters.  retry is the maximum trys you can have to change your password before you have to start again.

The cracklib also checks for particularly weak passwords (it runs them against the unix dictionary with some basic permutations/numbers etc). It’s not close to as strong as jtr, but still pretty darn good, and it’s nice to have your authentication stuff in one place.

The rest of the password rules come next, and should look something like the following.

password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

This checks the unix passwords, followed by the ldap. use_authtok means strong passwords are already enabled so the modules don’t need to check for themselves (it’d be redundant). The pam_fail indicates failure.

Anyways, though many distros have password checking by default, ubuntu doesn’t. It’s probably a good idea to turn it on if you have a multi-user system