Guidance using pam_passwdqc module and Army Regulation 25-2

Solar Designer solar at openwall.com
Thu Jun 3 15:33:28 UTC 2004 

On Thu, Jun 03, 2004 at 04:42:37PM +1200, William Brower wrote:
> I got it working with the following:
> 
> password required   /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass 
> md5 shadow
> password required   /lib/security/$ISA/pam_deny.so

Yes, that's a correct combination of settings and indeed it should
work, but you should have also been able to get it working with the
unmodified pam_unix line (with "use_authtok" on it) and no
"ask_oldauthtok" option to pam_passwdqc.

> I'll also think about the 'required' and 'sufficient' settings - unclear 
> to me right now.

Red Hat could have used "required" for pam_unix as well and then not
need the pam_deny line.

> The AR25-2 regulation actually specifies that at least 2 characters from 
> each of the four character groups be used in a password at least 10 
> characters long. I don't see an obvious way to enforce that with 
> passwdqc,

You might be misreading the requirement in the regulation, although it
is poorly worded and I am not entirely sure myself.

Quoting your previous e-mail, --

| (2) The password will be a mix of uppercase letters, lowercase
| letters, numbers, and special characters, including at least two of each
| of the four types of characters (for example, x$TloTBn2!) and can be
| user generated.

Don't they require at least two of the four _types_ of characters, not
at least two _characters_ of each type?  The example password they
give contains only one instance of a digit.

> but I can get closer than before with this option:
> 
> password required  /lib/security/$ISA/pam_passwdqc.so ask_oldauthtok 
> min=disabled,disabled,disabled,disabled,10

With the above correction, the most liberal setting which still
satisfies the regulation is:

	min=disabled,10,10,10,10

But for practical use, I recommend something like:

	min=disabled,24,12,10,10

> Perhaps there is something I could do with the random=N option, but it 
> isn't obvious to me how large a bit-value to select to get the desired 
> enforcement. Ideas?

The default at 42 bits is reasonable if your system uses a modern
password hashing method.  Please note that this option affects only
machine-generated passwords; it is not an enforcement setting for
user-chosen ones.

-- 
Alexander

More information about the Pam-list mailing list