
Re: Which conf file handles password complexity during account creation



On Fri, 2020-10-23 at 22:11 -0400, Jeffrey Walton wrote:
> On Fri, Oct 23, 2020 at 3:01 PM Broking, Brian R <brb10 psu edu>
> wrote:
> > It could be pam_pwquality.so
> > You may also want to check /etc/security/pwquality.conf
> > 
> > It could also be pam_passwdqc.so  or pam_cracklib.so depending on
> > the system builder's choice.
> > 
> > This assumes you are doing local authentication and not using IPA
> > which would have its own Password Policy.
> > 
> > Good Luck.  Been there and know what you are dealing with.
> 
> Thanks. I commented the pam_pwquality.so lines in passwd and
> system-auth. I now get "passwd: Authentication token manipulation
> error". I guess I went down a rabbit hole.

You can either disable some of the password complexity rules by
modifying /etc/security/pwquality.conf; however, not everything can
be disabled there. (It also depends on the version of the libpwquality
library on your system.)

Or you can drop the pam_pwquality in password-auth and system-auth, but
then you have to modify the options for the pam_unix there so it will
prompt for the password by itself. Just drop the 'try_first_pass
use_authtok' options and it should work fine.


> Does anyone know how to disable complexity requirements? The stuff I
> am finding on the web appears outdated. Or, where are the procedures
> documented?
> 
> Based on mailing list questions and the Unix and Linux Stack Exchange
> questions (and views for each question), it looks like about 15,000
> people have had problems with this. If each user spends 30 minutes on
> the problem, that's 7,500 man-hours wasted. It is probably time the
> PAM folks fix the problem.

It is impossible to "fix" - The fix would have to be: "Replace PAM with
something that is not as complex and configurable, but it has some
limited set of options which are easy to configure." And of course that
fix would break some other use cases which require the configurability
and complexity of the PAM subsystem.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
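
A checker for the failure mode discussed in this thread, as an added example that is not part of the original message or of Linux-PAM: it flags a pam_unix password line that still carries use_authtok when no earlier module in the stack supplies the new password. The stack contents are constructed samples and the function names are hypothetical.

```python
import re

# Modules named in this thread that prompt for the new password and hand it down the stack.
PROMPTING = {"pam_pwquality.so", "pam_passwdqc.so", "pam_cracklib.so"}
LINE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_password_stack(text):
    """Return [(lineno, module, args)] for the active 'password' lines of one PAM file."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments, then parse
        # include/substack lines pull in another file that is not visible here; skip them.
        if m and m["type"] == "password" and m["control"] not in ("include", "substack"):
            stack.append((lineno, m["module"].rsplit("/", 1)[-1], m["args"].split()))
    return stack

def find_orphaned_use_authtok(text):
    """Line numbers where pam_unix has use_authtok but no earlier module supplied a token."""
    findings, token_supplied = [], False
    for lineno, module, args in parse_password_stack(text):
        if module in PROMPTING:
            token_supplied = True
        elif module == "pam_unix.so":
            if "use_authtok" in args and not token_supplied:
                findings.append(lineno)  # the state that produced the error in this thread
            else:
                token_supplied = True    # pam_unix prompted itself or reused the token
    return findings

# Constructed sample stacks (not taken from a real system).
ORIGINAL = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""
# pam_pwquality commented out, pam_unix left untouched: the state that broke passwd above.
COMMENTED_OUT = "#" + ORIGINAL
# Same, with the two pam_unix options dropped as the reply suggests.
FIXED = COMMENTED_OUT.replace(" try_first_pass use_authtok", "")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("commented out", COMMENTED_OUT), ("fixed", FIXED)):
        print(f"{name}: orphaned use_authtok on lines {find_orphaned_use_authtok(text)}")
```

Run it against copies of password-auth and system-auth before and after editing; lines pulled in through include or substack are not followed.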


