PAM!?!?!? WTF?!?! how do you SHUT IT OFF???

bandersnoot · #1 28th June 2009, 05:57 AM

I'm sure you think that's a pretty stupid question.

I have a fresh install of Fedora 11. I can't change my password without it complaining that it's a dictionary word (WHICH IT'S NOT); and it fails every time.

The GUI root password change utility doesn't work at all. The user GUI tool under Preferences>About Me doesn't work at all. I can never satisfy its password strength requirements. I can't find any kind of utility that will help this anywhere.

So I have to su and change my user password as root.

I have read the man pages for pam and am pretty sure that without a PhD in computer security I can't possibly tweak the configuration files to get rid of the horrific password strength requirement.

Is there going to be a fix for this? Or is it supposed to be this way? If passwd and PAM are supposed to "work" like this, please let me know so I can find a distro that doesn't use it.

Between this and the damn system-config-network thing, I am getting fed-up with Fedora 11..

EDITED TO ADD:

FIX FOUND: # create-cracklib-dict /usr/share/dict/words

***Hlingler*** · #2 28th June 2009, 06:22 AM

Reminds me of my all-time favorite "frustration" post: Disable the damn firewall!!!!!!

Quote:

Originally Posted by mnisay

spam score 5.1

SUBJECT = 5.0
PUNCTUATION MARK = 0.1

Although here, I'd give:
PUNCTUATION MARK = 8.0
SPAM SCORE = 0.0

Quote:

I have read the man pages for pam and am pretty sure that without a PhD in computer security I can't possibly tweak the configuration files to get rid of the horrific password strength requirement.

http://www.phoenix.edu/

V

bandersnoot · #3 28th June 2009, 06:31 AM

Quote:

Originally Posted by Hlingler

Reminds me of my all-time favorite "frustration" post: Disable the damn firewall!!!!!!Although here, I'd give:
PUNCTUATION MARK = 8.0
SPAM SCORE = 0.0http://www.phoenix.edu/

V

Okay thanks, that made me smile.

scottro · #4 28th June 2009, 06:34 AM

Hrrm, that's a new one.

There is a minimum password length set in /etc/login.defs but I don't see anything in pam off the top of my head for password strength.

It's the weekend, so this might not get too many views, but hopefully, someone who knows the answer will see it.

I believe though, that it is supposed to be this way.

As mentioned, I've never had a password so weak that it's been an issue, so I'm not sure which other distros act the same way.

bandersnoot · #5 28th June 2009, 06:54 AM

Quote:

Originally Posted by scottro

Hrrm, that's a new one.

There is a minimum password length set in /etc/login.defs but I don't see anything in pam off the top of my head for password strength.

It's the weekend, so this might not get too many views, but hopefully, someone who knows the answer will see it.

I believe though, that it is supposed to be this way.

As mentioned, I've never had a password so weak that it's been an issue, so I'm not sure which other distros act the same way.

My passwords are always two unrelated words and a number.

I think something's broken. I can't change any password to anything without getting:

$ passwd
Changing password for user yours-truly.
Changing password for yours-truly.
(current) UNIX password:
New password:
Retype new password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a dictionary word

scottro · #6 28th June 2009, 07:13 AM

It's possible that something is broken.

Actually, when I think about it, most of the time I set the password as root, since in a Fedora system, the user can't login until root gives them a password.

rhlnair87 · #7 28th June 2009, 08:14 AM

hi dude,

ur culprit is the line :-
password requisite /lib/security/$ISA/pam_cracklib.so

which is present in /etc/pam.d/sysem-auth

this module checks the password strength against the system dictionary.

Regards,
Rahul N.

sonoran · #8 28th June 2009, 12:01 PM

Quote:

Originally Posted by bandersnoot

I have a fresh install of Fedora 11. I can't change my password without it complaining that it's a dictionary word (WHICH IT'S NOT); and it fails every time.

Have you tried upgrading your dictionary?

sideways · #9 28th June 2009, 12:24 PM

just add dictpath=/dev/null to the cracklib.so line in /etc/pam.d/password-auth

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 dictpath=/dev/null
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

see 'man pam_cracklib'

scottro · #10 28th June 2009, 02:19 PM

Well rhlnair87 and sideways, thanks a lot. I WAS going to procrastinate doing my exercise this morning, as this was something I didn't know, but the two of you managed to take away that excuse. :-(

Seriously, thanks to both of you, I was going to research this today, as it intrigued me.

bandersnoot · #11 28th June 2009, 06:51 PM

Quote:

Originally Posted by sideways

just add dictpath=/dev/null to the cracklib.so line in /etc/pam.d/password-auth

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 dictpath=/dev/null
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

see 'man pam_cracklib'

Did not work. added dictpath=/dev/null. Exact same behaviour as before.

I tried commenting out the offending line, and it did the same thing.

Do I have to restart or reset something to make this effective?

Also tried editing the system-auth, and it gave:

/dev/null.pwd: No such file or directory
PWOpen: No such file or directory

- Tim

***Hlingler*** · #12 28th June 2009, 06:55 PM

I would try at least re-start X server, if that doesn't work, try a re-boot. See what happens....

V

bandersnoot · #13 28th June 2009, 08:08 PM

Quote:

Originally Posted by Hlingler

I would try at least re-start X server, if that doesn't work, try a re-boot. See what happens....

V

Rebooting did not work. absolutely no difference, it prints "BAD PASSWORD: it is based on a dictionary word" three times.

- Tim

sideways · #14 28th June 2009, 08:29 PM

I don't recommend it but try zeroing the directory then (as root)

Code:

create-cracklib-dict /dev/null

stefan1975 · #15 28th June 2009, 08:36 PM

i might be mistaken, but doesn't fedora just warn in case of bad passwords and not actually prohibit it?
I am pretty sure that when I do a:

su -c 'passwd yours-truly'

it works for me, not matter how bad the password it, or is that just on RHEL5?