All SysAdmins know the importance of using strong passwords. These are the life blood of our systems, since a weak password will allow an adversary to enter our systems with a minimal amount of work. There are dozens of tools that can generate strong passwords, as well as a number of tools that can be used to force users to select strong passwords when they change their passwords.
The most common way to enforce strong passwords is through the pam_cracklib.so PAM plug-in. This useful module checks the input password against a series of rules. The rules cover a wide variety of criteria, including:
1. Is the password a palindrome?
2. Is the only difference between the new and old password a change of case?
3. Is the new password similar to the old password?
4. Is the new password too small?
5. Is the new password a rotated version of the old password?
6. Does the new password contain the user’s name?
The pam_cracklib.so shared library contains a number of options to control the size and strength of the password as well as the number of times the user can retry changing their password after a failure. These options are passed to the pam_cracklib.so plug-in via one more options specified in the file for each facility you need to enforce strong passwords on. Here is one example:
$ cd /etc/pam.d && grep pam_cracklib.so password-auth
password requisite pam_cracklib.so try_first_pass retry=3 type=
All of the options are documented in the pam_cracklib(8) manual page, so I won’t go into any additional detail on them. While I was reading about this module I found out that the libcrack.so library is the heart and sole of password complexity checking, and there is a good amount of documentation that describes how to integrate this with your software. It’s also neat to see installers taking advantage of this. I recently input a weak Fedora password to see what would happen, and to my amazement Fedora immediately printed a warning tell me that I was using a weak password. We all know we need to use strong passwords, and pam_cracklib.so can ensure that you and your users are actively doing so!