SUSE Support

Here When You Need Us

using pam_pwcheck and pam_cracklib at the same time

This document (7004596) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10 Service Pack 2

Situation

You need to setup a password policy that covers the following functions:

- check password against dictionary
- password requires to have special characters (uppercase/lowercase, numbers or special characters)
- remember some of the last passwords
- minimal password length

No single pam module can handle all of this tasks altogether. When you try to combine pam_cracklib with pam_pwcheck you run into several errors like:

- you get error that the password is already used even if it is a brand new password
- you prior get asked about the new password before you will be asked for the old password
- the localisation does not work properly
- when you mistyped the password the first time you will be prompted to enter the password again but later neverttheless the password change fails

Resolution

To solve the issue you need to know:

- pam_cracklib uses /etc/security/opasswd only to read previous used password, it will not update this file
- pam_cracklib asks for the new password first and later for the old password
- pam_pwcheck will only use and update /etc/security/opasswd if the remember option is given

So to have pam_pwcheck working together with pam_cracklib create following pam chain in /etc/pam.d/common-password

password required pam_pwcheck.so
password required pam_cracklib.so use_authtok difok=3 retry=10 minlen=8 lcredit=0 ucredit=0 dcredit=-1 ocredit=-1
password required pam_pwcheck.so remember=5 use_authtok use_first_pass
password required pam_unix2.so nullok use_authtok use_first_pass
Adapt the options to pam_cracklib and the remember= option from pam_pwcheck as you need. Do not remove the use_authok or use_first_pass options. More informations on the options for pam_cracklib can be found in the man-page (man pam_cracklib)


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7004596
  • Creation Date: 05-Oct-2009
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.