Password strength is always debatable; some users feel that a
password consisting of their dog’s name is sufficient; others feel that nothing
less than a mix of upper and lower case letters with some numbers tossed in for
good measure will do. One job of a system administrator is to ensure that
everyone has relatively sane passwords, and this job has typically been done by
the pam_cracklib module.

pam_cracklib is inserted into the pam (Pluggable
Authentication Modules) stack so that when a user executes the passwd program,
pam_cracklib comes into play and enforces certain definable rules on the
passwords the user chooses. For instance, if the password is a common
dictionary word, pam_cracklib will refuse the password, and the user will have
to think of a new one.

While pam_cracklib has worked well enough, there are better
tools available. One such is pam_passwdqc,
a module that takes pam_cracklib’s place in the pam stack. pam_passwdqc is far
more sophisticated than pam_cracklib; it has support for passphrases, and it
can also suggest passwords to users.

The heart of pam_passwdqc’s configuration is the line inserted
into the pam configuration file itself. A traditional password entry in /etc/pam.d/passwd (or /etc/pam.d/system-auth on some newer
systems) might look like:

password   required     pam_cracklib.so retry=3
password  sufficient  pam_unix.so nullok use_authtok md5 shadow use_first_pass

Although not all distributions provide pam_passwdqc, some
distributions such as Openwall GNU/*/Linux, Annvix, SUSE, and Red Hat do. Once pam_passwdqc is downloaded and
installed from the home page or from your distribution (using a tool such as
apt or smart), you can enable it simply by changing the above to look like:

password      required      pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password  sufficient  pam_unix.so nullok use_authtok md5 shadow use_first_pass

The pam_passwdqc manpage provides a lot of information, but the above essentially disallows
passwords made up of a single character class, enforces a minimum length of 12
characters for a password from any two character classes, a minimum length of 8
characters for a passphrase, a minimum length of 6 characters for a password
from any three character classes, and a minimum length of 5 characters for a
password from all four character classes. The four character classes are digits,
lower-case letters, upper-case letters, and other characters (such as ‘!’ and
‘_’). The above also enforces no passwords longer than 40
characters. The other options are clearly outlined in the pam_passwdqc man
pages.
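To make the min=, max= and passphrase= settings above concrete, here is a small Python model of how such a policy line is applied to a candidate password. It is an added illustration, not code from this article or from the pam_passwdqc project; the function names (parse_min, char_classes, check_password) are my own, and the rule that a leading upper-case letter and a trailing digit do not count toward the character-class total is taken from the passwdqc documentation rather than from this article.

```python
import re

def parse_min(value):
    """Parse min=N0,N1,N2,N3,N4; 'disabled' becomes None (that kind is never accepted)."""
    parts = value.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [None if p == "disabled" else int(p) for p in parts]

def char_classes(pw):
    """Count character classes present (digits, lower, upper, other).
    A leading upper-case letter and a trailing digit are not counted: this
    discount comes from the passwdqc documentation, not from the article."""
    digits = sum(c.isdigit() for c in pw)
    lowers = sum(c.islower() for c in pw)
    uppers = sum(c.isupper() for c in pw)
    others = len(pw) - digits - lowers - uppers
    if uppers and pw[0].isupper():
        uppers -= 1
    if digits and pw[-1].isdigit():
        digits -= 1
    present = sum(1 for n in (digits, lowers, uppers, others) if n)
    return max(present, 1)  # after the discount a password is never "zero-class"

def check_password(pw, min_spec="disabled,12,8,6,5", max_len=40, passphrase_words=3):
    """Return (accepted, reason) for a candidate under min=/max=/passphrase=."""
    n = parse_min(min_spec)
    if not pw:
        return False, "empty password"
    if len(pw) > max_len:
        return False, "longer than max=%d" % max_len
    classes = char_classes(pw)
    # Positions in min=: N0 one class, N1 two classes, N2 passphrase, N3 three, N4 four
    limit = n[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if limit is not None and len(pw) >= limit:
        return True, "%d classes, length %d >= %d" % (classes, len(pw), limit)
    # Passphrase: enough words (runs of letters) and total length at least N2
    words = len(re.findall(r"[A-Za-z]+", pw))
    if n[2] is not None and words >= passphrase_words and len(pw) >= n[2]:
        return True, "passphrase of %d words, length %d >= %d" % (words, len(pw), n[2])
    if limit is None:
        return False, "%d-class passwords are disabled" % classes
    return False, "%d classes need at least %d characters" % (classes, limit)

if __name__ == "__main__":
    # Constructed sample candidates, checked against the article's policy line
    for candidate in ("Password1", "Tr0ub4dor&3", "we go far", "we go", "aB3$x", "aB3$"):
        print(repr(candidate), check_password(candidate))
```

Note that "Password1" is rejected as a single-class password once the leading capital and trailing digit are discounted, while the short three-word phrase "we go far" passes only through the passphrase rule (N2=8), not the two-class minimum of 12.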

Each option can be customized to suit your environment. The
above is actually less strict than the recommended default setting of “min=disabled,24,12,8,7”,
which results in some extremely difficult-to-crack passwords.

pam_passwdqc has no strange requirements, so even if your
distribution does not provide it in packaged form, installing and compiling
from source should cause no problems whatsoever.
