Aside from the security concerns about doing this, which I agree with, but
still need to have this functionality.
Right now, if a user attempts to change a password that is based on a
dictionary word, it complains, and doesn't allow it.
I want to change it to compain, ask again, and allow it.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shado
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
First I changed the Pam Module for passwd to use system-auth2 instead of
system-auth, so any changes to system-auth will only affect passwd.
If I eliminate the call to pam_cracklib.so, and remove use_authtok from pam_unix.so
I can enter passwords based on dictionary words, AND get an exit status of
0. BUT this doesn't warn the user that the password is based on
a dictionary word.
Changed the pam_cracklib.so from required to optional, and retry=3 to retry=1
switched in try_first_pass in place of use_authtok.
now, it warns the password is based on a dictionary word, asks a second
time, takes it, updates all files, but the end result gives the following error
Changing password for
(current) UNIX password:
BAD PASSWORD: it is based on a dictionary word
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
The only problem here is that although everything "appears" to have been
updated, passwd exits with a status of 1, not 0, so my script which
runs the passwd routine, thinks the password changing failed, and
proceeds to logoff the user (which is what I want).
What do I need to do to get pam_cracklib.so to warn that the password is
weak, and Allow unix.so to update the password anyway, and NOT exit
with the error show above?
LIke I said, I understand the security implications here, but....
Thanks in advance.
ph:856.848.1000 Ext 220
SLACK Incorporated - An innovative information, education and management company