
List:       pam-list
Subject:    trying to get RH7.2 to allow dict based passwords
From:       George Gallen <ggallen () slackinc ! com>
Date:       2003-01-23 19:40:15

Aside from the security concerns about doing this, which I agree with, I
still need to have this functionality.

Right now, if a user attempts to change a password that is based on a
dictionary word, it complains, and doesn't allow it.

I want to change it to complain, ask again, and allow it.

Original system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

First I changed the Pam Module for passwd to use system-auth2 instead of
   system-auth, so any changes to system-auth will only affect passwd.

If I eliminate the call to pam_cracklib.so, and remove use_authtok from
pam_unix.so, I can enter passwords based on dictionary words, AND get an
exit status of 0. BUT this doesn't warn the user that the password is based
on a dictionary word.

Next Try:

Changed the pam_cracklib.so from required to optional, and retry=3 to
retry=1; switched in try_first_pass in place of use_authtok.

Now it warns that the password is based on a dictionary word, asks a second
time, takes it, updates all files, but the end result gives the following
error:

Changing password for 
(current) UNIX password:
New password:
BAD PASSWORD: it is based on a dictionary word
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error

The only problem here is that although everything "appears" to have been
updated, passwd exits with a status of 1, not 0, so my script which
runs the passwd routine, thinks the password changing failed, and
proceeds to logoff the user (which is what I want).

What do I need to do to get pam_cracklib.so to warn that the password is
weak, and allow pam_unix.so to update the password anyway, and NOT exit
with the error shown above?

Like I said, I understand the security implications here, but....

Thanks in advance.
George

George Gallen
Senior Programmer/Analyst
Accounting/Data Division
ggallen@slackinc.com
ph:856.848.1000 Ext 220

SLACK Incorporated - An innovative information, education and management
company
http://www.slackinc.com
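The control-flag semantics George is juggling, as an added example that is not part of the post and not Linux-PAM's own code: a small Python model of how one pass of a password stack combines the per-module results. Module results are constructed inputs; prompting, use_authtok and the two-phase chauthtok run are not modelled.

```python
# Added example, not from the post and not Linux-PAM's code: a model of how
# Linux-PAM combines per-module results in one pass of a password stack, using
# the control flags from the post.  Module results are constructed inputs.

# The legacy keywords, written as Linux-PAM's [result=action] tables.
FLAG_ACTIONS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

def run_stack(stack):
    """stack: list of (control, module, result); returns what passwd sees."""
    impression, status = None, "PAM_SUCCESS"   # impression: None/"positive"/"negative"
    for control, _module, result in stack:
        key = result.lower().replace("pam_", "", 1)   # PAM_AUTHTOK_ERR -> authtok_err
        actions = FLAG_ACTIONS[control]
        action = actions.get(key, actions["default"])
        if action == "ignore":
            continue                                   # this result does not count
        if action in ("ok", "done"):
            if impression is None:                     # first counted result
                impression, status = "positive", result
            if action == "done" and impression == "positive":
                return status                          # sufficient: stop early
        else:                                          # "bad"
            if impression != "negative":               # first failure is reported
                impression, status = "negative", result
    # If every result was ignored, nothing vouched for the change: deny.
    return status if impression is not None else "PAM_PERM_DENIED"

def original_stack(cracklib_result):
    """system-auth as shipped: cracklib is required, pam_unix reuses its token."""
    # With use_authtok, pam_unix has no token to write if cracklib rejected.
    unix_result = "PAM_SUCCESS" if cracklib_result == "PAM_SUCCESS" else "PAM_AUTHTOK_ERR"
    return run_stack([
        ("required",   "pam_cracklib.so", cracklib_result),
        ("sufficient", "pam_unix.so",     unix_result),
        ("required",   "pam_deny.so",     "PAM_AUTH_ERR"),  # catch-all, always fails
    ])

def advisory_stack(cracklib_result):
    # The "next try": cracklib optional, pam_unix (try_first_pass) prompts itself.
    return run_stack([
        ("optional",   "pam_cracklib.so", cracklib_result),
        ("sufficient", "pam_unix.so",     "PAM_SUCCESS"),
        ("required",   "pam_deny.so",     "PAM_AUTH_ERR"),
    ])
```

Under the documented semantics the "next try" stack returns PAM_SUCCESS as soon as pam_unix.so succeeds, so the exit status of 1 in the post is not explained by the control flags alone. The model also shows why the trailing pam_deny.so needs a sufficient success ahead of it.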




_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
