Enforce strong passwords with pam_passwdqc

Vincent Danen shows you a tool that can be customized to help users create appropriate passwords. Here is a short review of pam_passwdqc.

Password strength is always debatable; some users feel that a password consisting of their dog's name is sufficient; others feel that nothing less than a mix of upper and lower case letters with some numbers tossed in for good measure will do. One job of a system administrator is to ensure that everyone has relatively sane passwords, and this job has typically been done by the pam_cracklib module.

pam_cracklib is inserted into the pam (Pluggable Authentication Modules) stack so that when a user executes the passwd program, pam_cracklib comes into play and enforces certain definable rules on the passwords the user chooses. For instance, if the password is a common dictionary word, pam_cracklib will refuse the password, and the user will have to think of a new one.

While pam_cracklib has worked well enough, there are better tools available. One such is pam_passwdqc, a module that takes pam_cracklib's place in the pam stack. pam_passwdqc is far more sophisticated than pam_cracklib; it has support for passphrases, and it can also suggest passwords to users.

The heart of pam_passwdqc's configuration is the line inserted into the pam configuration file itself. A traditional password entry in the /etc/pam.d/passwd (or /etc/pam.d/system-auth on some newer systems) might look like:

password   required retry=3
password  sufficient nullok use_authtok md5 shadow use_first_pass

Although not all distributions provide pam_passwdqc, some distributions such as Openwall GNU/*/Linux, Annvix, SUSE, and Red Hat do. Once pam_passwdqc is downloaded and installed from the home page or from your distribution (using a tool such as apt or smart), you can enable it simply by changing the above to look like:

password      required min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password  sufficient nullok use_authtok md5 shadow use_first_pass

The pam_passwdqc manpage provides a lot of information, but the above essentially disallows passwords drawn from any single character class, enforces a minimum length of 12 characters for a password from any two character classes, a minimum length of 8 characters for a passphrase, a minimum length of 6 characters for a password from any three character classes, and a minimum length of five characters for a password from all four character classes. The four character classes are digits, lower-case letters, upper-case letters, and other characters (such as '!' and '_'). The above also rejects any password longer than 40 characters. The other options are clearly outlined in the pam_passwdqc man pages.

Each option can be customized to suit your environment. The above is actually less strict than the recommended default setting of "min=disabled,24,12,8,7" which can create some extremely difficult-to-crack passwords.
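To make the min=N0,N1,N2,N3,N4 layout concrete, here is an added example (my own code, not part of the article or of the passwdqc project) that parses the policy line above and applies the length-per-class-count rule and the passphrase word count as the article describes them. It is a simplified model for illustration: real pam_passwdqc applies further rules (for instance it does not credit a leading capital or trailing digits as an extra class), so treat it as a way to reason about the numbers, not as a reimplementation.

```python
# Simplified model of the pam_passwdqc policy line discussed in the article.
# Only min=, max= and passphrase= are modelled; the other options are parsed
# but ignored.  This is illustrative code, not the module's own logic.

POLICY_LINE = ("min=disabled,12,8,6,5 max=40 passphrase=3 match=4 "
               "similar=deny random=42 enforce=everyone retry=3")


def parse_policy(line):
    """Turn 'key=value ...' options into a dict with min= as a 5-entry list."""
    opts = dict(tok.split("=", 1) for tok in line.split())
    mins = [None if v == "disabled" else int(v) for v in opts["min"].split(",")]
    if len(mins) != 5:
        raise ValueError("min= needs exactly five values: N0,N1,N2,N3,N4")
    return {"min": mins, "max": int(opts.get("max", 40)),
            "passphrase": int(opts.get("passphrase", 3))}


def char_classes(pw):
    """The four classes from the article: digits, lower, upper, other."""
    classes = set()
    for ch in pw:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return classes


def check_password(pw, policy):
    """Return (accepted, reason).  Layout of min=: N0 one class, N1 two
    classes, N2 passphrase, N3 three classes, N4 four classes."""
    mins = policy["min"]
    if len(pw) > policy["max"]:
        return False, "longer than max=%d" % policy["max"]
    # Passphrase branch: enough whitespace-separated words and at least N2 chars.
    if len(pw.split()) >= policy["passphrase"] and mins[2] is not None \
            and len(pw) >= mins[2]:
        return True, "acceptable passphrase"
    n = len(char_classes(pw))
    required = mins[n - 1] if n <= 2 else mins[n]   # skip the passphrase slot
    if required is None:
        return False, "passwords from %d character class(es) are disabled" % n
    if len(pw) < required:
        return False, "%d classes need at least %d characters" % (n, required)
    return True, "ok (%d classes, %d chars)" % (n, len(pw))


POLICY = parse_policy(POLICY_LINE)
```

Constructed inputs such as "dogname" (one class, disabled), "ab!1x" (three classes, too short for 6) and "my dog rex" (three words, accepted as a passphrase although it is only 10 characters) show how the same length is judged differently depending on class count and word count.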

pam_passwdqc has no strange requirements, so even if your distribution does not provide it in packaged form, installing and compiling from source should cause no problems whatsoever.


About Vincent Danen

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
