Using pam_pwcheck and pam_cracklib at the same time
This document (7004596) is provided subject to the disclaimer at the end of this document.
Environment
Situation
- check password against dictionary
- password is required to contain certain characters (uppercase/lowercase, numbers or special characters)
- remember some of the last passwords
- minimal password length
No single PAM module can handle all of these tasks. When you try to combine pam_cracklib with pam_pwcheck, you run into several errors, such as:
- you get an error that the password has already been used, even if it is a brand new password
- you are asked for the new password before you are asked for the old password
- the localisation does not work properly
- when you mistype the password the first time, you are prompted to enter the password again, but the password change nevertheless fails later
Resolution
- pam_cracklib uses /etc/security/opasswd only to read previously used passwords; it will not update this file
- pam_cracklib asks for the new password first and later for the old password
- pam_pwcheck will only use and update /etc/security/opasswd if the remember option is given
So, to have pam_pwcheck work together with pam_cracklib, create the following PAM chain in /etc/pam.d/common-password:

    password required pam_pwcheck.so
    password required pam_cracklib.so use_authtok difok=3 retry=10 minlen=8 lcredit=0 ucredit=0 dcredit=-1 ocredit=-1
    password required pam_pwcheck.so remember=5 use_authtok use_first_pass
    password required pam_unix2.so nullok use_authtok use_first_pass

Adapt the options to pam_cracklib and the remember= option of pam_pwcheck as you need. Do not remove the use_authtok or use_first_pass options. More information on the options for pam_cracklib can be found in the man page (man pam_cracklib).
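The following is an added example, not part of the original SUSE document: a small linter that checks a password stack for the module order and the use_authtok / use_first_pass options of the chain above. The function names parse_password_stack and check_chain are hypothetical, and the rules are derived only from the chain shown in this article.

```python
import os

# Copied from this article; used as the known-good sample input.
PAGE_CHAIN = """\
password required pam_pwcheck.so
password required pam_cracklib.so use_authtok difok=3 retry=10 minlen=8 lcredit=0 ucredit=0 dcredit=-1 ocredit=-1
password required pam_pwcheck.so remember=5 use_authtok use_first_pass
password required pam_unix2.so nullok use_authtok use_first_pass
"""

def parse_password_stack(text):
    """Return [(module, options)] for each 'password' line, in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 3 or fields[0] != "password":
            continue
        i = 1
        if fields[i].startswith("["):  # bracketed control may contain spaces
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        i += 1  # step past the control field to the module
        if i < len(fields):
            stack.append((os.path.basename(fields[i]), fields[i + 1:]))
    return stack

def check_chain(text):
    """Return a list of findings; an empty list means order and options match."""
    stack = parse_password_stack(text)
    names = [module for module, _ in stack]
    if "pam_cracklib.so" not in names:
        return ["pam_cracklib.so is not in the password stack"]
    c = names.index("pam_cracklib.so")
    findings = []
    if "pam_pwcheck.so" not in names[:c]:
        findings.append("no pam_pwcheck.so entry before pam_cracklib.so")
    if "use_authtok" not in stack[c][1]:
        findings.append("pam_cracklib.so lacks use_authtok")
    later = stack[c + 1:]
    if not any(m == "pam_pwcheck.so" and any(o.startswith("remember=") for o in opts)
               for m, opts in later):
        findings.append("no pam_pwcheck.so remember=N entry after pam_cracklib.so")
    for m, opts in later:
        if m in ("pam_pwcheck.so", "pam_unix2.so"):
            findings += [f"{m} lacks {need}" for need in ("use_authtok", "use_first_pass")
                         if need not in opts]
    return findings
```

Pass the contents of /etc/pam.d/common-password to check_chain; an empty list means the stack follows the chain above.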
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7004596
- Creation Date: 05-Oct-2009
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com