From: amoeIDCertify.com
Date: Tue May 22 2001 - 16:01:28 CDT

    PAM is the answer you seek (Pluggable Authentication Module).

    The best reference on PAM that I have found yet is Linux System Security (I
    don't have the book in front of me, but it has a yellow cover showing an
    admin trying to plug an overflowing dam), which has an entire chapter
    dedicated to the subject. There are online PAM references too, but I found
    them confusing until I read the aforementioned book. The online references
    are mostly geared to developers of PAM modules.

    On a Linux machine that has PAM installed (most do), there is a pam.conf in
    /etc, or more-likely, a pam.d directory. The /etc/pam.d/ directory is a
    little easier to understand:

    /etc/pam.d/$ ls

    chfn
    chsh
    drakconf
    kbdrate
    kde
    linuxconf
    linuxconf-pair
    login
    other
    passwd
    secure-mcserv
    sshd
    su
    sudo
    system-auth
    timeconfig-auth
    vlock
    xdm
    xserver
    /etc/pam.d/$

            Each file in this directory is for a PAM enabled app. These are the
    configuration files to determine their authentication behaviour. There are
    4 classes of behaviour: auth, account, password, and session. These classes
    are evaluated in the order listed. Each module (located in /lib/security/ on
    Red-Hat-like boxen) is valid for only a few of these (RTM). Each of these
    classes has one of three options: required, sufficient, optional (I seem to
    recall there is one other option too, but I don't remember it).

            Required: means the conditions of the module must be met to evaluate
    the next listed module.
            Sufficient: means skip the rest of the listed modules for this
    class.
            Optional: optional.

            To do what you are trying to do, go to /etc/pam.d/passwd:

    insert the following line as the first of the "password" class:

    password required /lib/security/pam_cracklib.so retry=3

            This will force a cracklib check. It will NOT, however, prevent
    someone from entering the same lousy password more than the number of
    "retries." It will accept the lousy password at that point after warning the
    user.

            The final /etc/pam.d/passwd for a stock Mandrake box looks like
    this:
    auth required /lib/security/pam_pwdb.so shadow nullok
    account required /lib/security/pam_pwdb.so
    password required /lib/security/pam_cracklib.so retry=3
    password required /lib/security/pam_pwdb.so use_authtok nullok shadow md5

            This uses the /etc/shadow file for the password hash, references the
    password file, requires a cracklib check, then stores the hash as an md5 hash.

            If you have an /etc/pam.conf it is a little different. You will
    have a field specifying the applications that are PAM enabled. If an app
    doesn't have a PAM entry in /etc/pam.conf or /etc/pam.d/* then it will use
    the entries for "other" which should be VERY restrictive.

            Read the PAM chapter in the book that I referenced and all things
    PAM will make sense.

    -Alan

    -----Original Message-----
    From: Langa Kentane [mailto:evabluntedearthling.net]
    Sent: Tuesday, May 22, 2001 12:47 PM
    To: Focus-Linux
    Cc: Linux-Admin
    Subject: integrating cracklib into the passwd tool

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Greetings gurus.
    I feel like experimenting with Linux security, crack lib and the
    password tool.

    What I basically want to do is to make the linux passwd command use
    cracklib for testing password strength.
    How can I go about doing this?

    Langa Kentane [CCNA CCSA MCSE CNA]
                     __ _ Tel: +27 11 443 7467
                  / / (_)__ __ ____ __
                 / /__/ / _ \/ // /\ \/ /
                /____/_/_//_/\_,_/ /_/\_\
       * * * THE CHOICE OF A GNU GENERATION * * *
                http://evablunted.nav.to/

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQA/AwUBOwmPSraBmUoKQx8tEQKZnACdFhwSwVTU6LvuLN/aPHdgTwL48+8AoJ8h
    tcJLkfLgHeko9y00OCLkiTmi
    =N29V
    -----END PGP SIGNATURE-----
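An added example, not part of either message in the thread: a small Python audit script that parses /etc/pam.d-style files in the "type control module [args]" layout described in the reply and checks the two things the reply cares about, that the password stack of passwd runs an enforced pam_cracklib.so check before the module that stores the hash (with use_authtok so the checked password is the one stored), and that the "other" file is restrictive. It goes slightly beyond the reply in recognising pam_unix.so as a storing module and the requisite control flag. The stock Mandrake configuration is copied from the reply; the other sample files and the function names are constructed for this example.

```python
"""Audit /etc/pam.d-style configuration for the cracklib-before-storage setup.
Added example for the thread above; not the poster's code.
Sample configurations below are constructed for the example unless noted."""
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    """One line of a /etc/pam.d/<service> file: type control module [args...]."""
    type: str       # auth | account | password | session
    control: str    # required | requisite | sufficient | optional
    module: str     # basename of the module, e.g. pam_cracklib.so
    args: list = field(default_factory=list)


def parse_pam_d(text):
    """Parse pam.d-style text; '#' starts a comment, blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, path, *args = fields
        entries.append(PamEntry(mtype.lower(), control.lower(),
                                path.rsplit("/", 1)[-1], args))
    return entries


# Modules that write the new hash: pam_pwdb on the Mandrake box in the reply,
# pam_unix on newer distributions (assumption beyond the reply).
STORE_MODULES = {"pam_pwdb.so", "pam_unix.so"}
ENFORCING = {"required", "requisite"}


def audit_passwd_stack(entries):
    """Check the 'password' class of a passwd config for an enforced cracklib check."""
    stack = [e for e in entries if e.type == "password"]
    result = {"cracklib_enforced": False, "retry": None,
              "use_authtok": False, "issues": []}
    crack = next((i for i, e in enumerate(stack) if e.module == "pam_cracklib.so"), None)
    store = next((i for i, e in enumerate(stack) if e.module in STORE_MODULES), None)

    if crack is None:
        result["issues"].append("no pam_cracklib.so in the password stack")
    elif stack[crack].control not in ENFORCING:
        result["issues"].append(
            f"pam_cracklib.so is '{stack[crack].control}'; a failed check would not block the change")
    else:
        result["cracklib_enforced"] = True
        for arg in stack[crack].args:          # pick up retry=N if present
            m = re.fullmatch(r"retry=(\d+)", arg)
            if m:
                result["retry"] = int(m.group(1))

    if store is None:
        result["issues"].append("no password-storing module (pam_pwdb/pam_unix) in the stack")
    else:
        if crack is not None and crack > store:
            result["issues"].append(
                "pam_cracklib.so is listed after the storing module, so the check cannot gate the change")
        result["use_authtok"] = "use_authtok" in stack[store].args
        if not result["use_authtok"]:
            result["issues"].append(
                "storing module lacks use_authtok; it prompts for its own new password "
                "instead of using the one pam_cracklib checked")
    return result


def other_is_restrictive(entries):
    """True if /etc/pam.d/other denies every class (pam_deny.so enforced for each)."""
    denied = {e.type for e in entries
              if e.module == "pam_deny.so" and e.control in ENFORCING}
    return {"auth", "account", "password", "session"} <= denied


# Stock Mandrake /etc/pam.d/passwd as shown in the reply (wrapped 'md5' rejoined).
STOCK_MANDRAKE_PASSWD = """\
auth     required /lib/security/pam_pwdb.so shadow nullok
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_pwdb.so use_authtok nullok shadow md5
"""

# Constructed: the same file before the cracklib line was inserted.
NO_CRACKLIB_PASSWD = """\
auth     required /lib/security/pam_pwdb.so shadow nullok
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_pwdb.so nullok shadow md5
"""

# Constructed: a permissive /etc/pam.d/other beside the restrictive one the reply asks for.
PERMISSIVE_OTHER = "auth required /lib/security/pam_permit.so\n"
RESTRICTIVE_OTHER = """\
auth     required /lib/security/pam_deny.so
account  required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session  required /lib/security/pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK_MANDRAKE_PASSWD), ("no-cracklib", NO_CRACKLIB_PASSWD)):
        print(name, audit_passwd_stack(parse_pam_d(text)))
    print("other restrictive:", other_is_restrictive(parse_pam_d(RESTRICTIVE_OTHER)))
```

To run it against a live system, read /etc/pam.d/passwd and /etc/pam.d/other into the two functions; on a box that uses a single /etc/pam.conf the first field is the service name, so strip that column before parsing. The use_authtok check matters as much as the cracklib line itself: without it the storing module asks for a new password on its own, so the token that cracklib approved is not necessarily the one written.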