HBC

PAM and the Bad password blues

Warning: Only try this at home! Using weak passwords on a computer that this is accessable from the wild and dark Internet, is tantamount to walking up to a spammer and saying “I’d simply love to be part of your zombie network—where do I sign up?”. I could safely do the following because this server is not accessible from the Internet and never will be, it’s a local test box for my own personal use.

I was creating a new user on a local CentOS 5.3 VirtualBox and while I was setting the password I received the following error: BAD PASSWORD: it is based on a dictionary word

After soul searching I found I didn’t feel coming up and then remembering a complicated enough password to make PAM happy, ie. not a dictionary word, long enough etc.

So instead I spent a while reading up on PAM—which, as it turns out, is a small team of alluring ladies and well worth stealing a look at.

Turns out my problem has a name, and that name is pam_cracklib.so. Ms. CrackLib will diligently check a new password against her dictionary and then check whether it is significantly different from the previous version, whether it is long enough, etc. Much of what she does is negotiable, but the dictionary check in the beginning she won’t budge on.

So either we mess with her dictionary reading abilities—by say giving her a blank dictionary or hiding her glasses—or we take her out of the loop completely. I opted for the latter and set about cutting her out of my life.

The surgery took place in /etc/pam.d/system-auth. I took the following lines:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

and turned them into:

#password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass

Just commented out the pam_cracklib.so line and removed the use_authtok from the line below, otherwise passwd complains about Authentication information cannot be recovered

Leave a Reply

Your email address will not be published. Required fields are marked *