How do I disable or modify pam’s password requirements?
https://superuser.com/questions/647654/how-do-i-disable-or-modify-pams-password-requirements
Asked 12 years, 3 months ago
Modified 9 years, 2 months ago
Viewed 35k times
11
I’m using Fedora 19. By default it’s set up with pam to disable bad passwords, like “password”. This is good. Trying to change this default is infuriating. This is a box for testing internal stuff, not connected to the internet, nor any machine that is. Bad passwords facilitate the testing process. Alternatively, how the hell do you change password requirements at all??
system-auth
man pam_cracklib has some great examples of setting different password requirements. So I open up /etc/pam.d/system-auth, which is where you see lines like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
headdesk. In my experience, warnings like this mean your changes are wiped every time the package manager is run and/or randomly.
authconfig
So…authconfig is the next step. I look for all files named “authconfig”. /etc/sysconfig/authconfig looks promising. And, no warning at the top about destroying my edits on a whim. I find this line USEPWQUALITY=yes and change it. Now I run:
authconfig --test
pam_pwquality is enabled (try_first_pass retry=3 authtok_type=)
wtf. So let's read man authconfig a little closer. Oh! Looks like that file isn't read by authconfig, it's changed. So....how do you configure authconfig? The manual suggests system-config-authentication, which I install and doesn't provide anything resembling a checkbox to disable pam_pwquality. The next suggestion from the manual is command line options. Great! I love command line tools. Only, none of the documented command line options disable pam_pwquality.
pwquality.conf
Thanks to Aaron's answer, I learned that a couple years ago fedora decided to make /etc/security/pwquality.conf the place to configure password quality requirements. Unfortunately, as documented in the file and in man 5 pwquality.conf, there (1) isn't a way to disable the dictionary checking and (2) can't set allowed password length below six.
Tags: linux, fedora, passwords, pam
edited Sep 20, 2013 at 16:59
asked Sep 19, 2013 at 17:15
djeikyb
If it's internal why is Pam installed or even enabled? –
Ramhound
Commented Sep 19, 2013 at 17:23
2
@Ramhound because fedora is infested with pam. yum remove pam removes, as far as I can tell by the time it takes to scroll all its depending packages, everything. Including yum and systemd. Also, disabling pam feels like a sledgehammer, when I think I just want to use sand paper. –
djeikyb
Commented Sep 19, 2013 at 17:47
5 Answers
5
After a cursory look at the source code in /usr/sbin/authconfig and /usr/share/authconfig/authinfo.py:
The man page is incomplete, the complete list of options accepted by the script is in authconfig --help
Everything can be overridden on the command-line (even /etc/security/pwquality.conf settings like password minimum length), except pwquality itself. IMHO, this is a bug and should be reported.
From authinfo.py line 2489 and 2156:
def read(self):
    self.readSysconfig()
    ...
    self.readPAM(ref)
    ...
First readSysconfig reads /etc/sysconfig/authconfig ; then what you put there is overwritten by readPAM with what is in /etc/pam.d/* (especially password_auth* and system_auth*):
if module.startswith("pam_cracklib") or module.startswith("pam_pwquality"):
    self.setParam("enablePWQuality", True, ref)
TL;DR: for the options which are not overridden (or cannot be), the settings are taken from the current configuration including files which are tagged autogenerated. To make it work, edit /etc/sysconfig/authconfig and remove lines shown by grep -E pwq\|crack /etc/pam.d/*
Edit: There is a second bug, which makes the advice above still not work: line 2248:
# Special handling for pam_pwquality and pam_passwdqc: there can be
# only one.
if self.enablePWQuality and self.enablePasswdQC:
    self.setParam("enablePasswdQC", False, ref)
if not self.enablePWQuality and not self.enablePasswdQC:
    self.setParam("enablePWQuality", True, ref)
You have to choose one of the two implementations of quality control, or one will be chosen for you! Combined with first bug, this makes it impossible to disable.
edited Mar 29, 2015 at 15:16
answered Mar 29, 2015 at 13:25
eddygeek
2 years later on fedora 26 alpha the situation remains the same –
eddygeek
Commented Mar 15, 2017 at 23:54
2
You can take manual control over your system-auth file. Create a new file (you could start by copying system-auth-ac), and change the system-auth symlink to point at the new file.
This makes it your responsibility to update this part of your PAM configuration, as authconfig will no longer touch the symlink or the file it points to. However, authconfig will still update the system-auth-ac file, so you can continue to use that as a reference if you need to. With some cleverness, you may even be able to include it into your local copy, but how to do that is beyond the scope of this question.
You should also check for other symlinks, such as password-auth. You may need to give them the same treatment.
From the authconfig(8) manpage, under Files:
/etc/pam.d/system-auth
    Common PAM configuration for system services which include it using
    the include directive. It is created as symlink and not relinked if
    it points to another file.
/etc/pam.d/system-auth-ac
    Contains the actual PAM configuration for system services and is the
    default target of the /etc/pam.d/system-auth symlink. If a local
    configuration of PAM is created (and symlinked from system-auth
    file) this file can be included there.
So if system-auth is a file, then authconfig changes it to link to system-auth-ac. But if system-auth is a symlink, then authconfig leaves it alone.
answered Oct 19, 2016 at 23:56
Jander
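An added example, not part of either answer above and not authconfig's own code: a small audit that reports what system-auth links to and whether a password-quality module is still in the password stack, the two things the symlink advice and the `grep -E pwq\|crack` advice above depend on. The sample file is constructed from the lines quoted in the question, `system-auth-local` is a hypothetical file name, and the `orphan_use_authtok` flag is a heuristic based on pam_unix's documented `use_authtok` option, which expects an earlier module in the stack to supply the new password.

```python
import os
import tempfile

QUALITY = ("pam_pwquality", "pam_cracklib", "pam_passwdqc")
# Constructed sample, based on the lines quoted in the question.
AC = """#%PAM-1.0
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""

def password_stack(path):
    """Return [(module, args)] for the 'password' lines of one PAM file."""
    stack = []
    with open(path) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0].lstrip("-") != "password":
                continue
            i = 1  # last token of the control field, e.g. "[success=1 default=ignore]"
            while fields[1].startswith("[") and not fields[i].endswith("]") and i < len(fields) - 2:
                i += 1
            stack.append((fields[i + 1], fields[i + 2:]))
    return stack

def audit(pam_dir, name="system-auth"):
    """Report what `name` links to and whether quality checks are stacked."""
    path = os.path.join(pam_dir, name)
    quality, orphan = [], False
    for module, args in password_stack(path):
        if module.startswith(QUALITY):
            quality.append(module)
        elif module.startswith("pam_unix") and "use_authtok" in args and not quality:
            orphan = True  # heuristic: no earlier quality module supplies the new token
    link = os.readlink(path) if os.path.islink(path) else None
    return {"link_target": link, "quality_modules": quality, "orphan_use_authtok": orphan}

def demo():
    """Audit a constructed pam.d look-alike: managed link first, then a local file."""
    with tempfile.TemporaryDirectory() as d:
        local = "".join(l for l in AC.splitlines(True) if "pam_pwquality" not in l)
        for fname, text in (("system-auth-ac", AC), ("system-auth-local", local)):
            with open(os.path.join(d, fname), "w") as fh:
                fh.write(text)
        link = os.path.join(d, "system-auth")
        os.symlink("system-auth-ac", link)
        managed = audit(d)
        os.remove(link)
        os.symlink("system-auth-local", link)
        return managed, audit(d)
```

On a real host, `audit("/etc/pam.d")` and `audit("/etc/pam.d", "password-auth")` give the same report for the live files.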
1
It looks to be configurable through /etc/security/pwquality.conf
Source: https://fedoraproject.org/wiki/Features/PasswordQualityChecking
answered Sep 19, 2013 at 21:19
Aaron Okano
Thanks, I hadn't seen that yet. Unfortunately, pwquality.conf doesn't support disabling dictionary checks or disabling password length checks. –
djeikyb
Commented Sep 20, 2013 at 16:36
Maybe the suggestion in this post would work? serverfault.com/questions/444258/… –
Aaron Okano
Commented Sep 21, 2013 at 0:46
i.e. remove the module from system-auth and also set USEPWQUALITY=no and then run authconfig --update. –
Aaron Okano
Commented Sep 21, 2013 at 0:47
Unfortunately (as mentioned in the question), running authconfig --updateall resets the files. I'm thoroughly perplexed at that answer, since it directly contradicts the behaviour I'm observing. –
djeikyb
Commented Sep 21, 2013 at 0:58
I should also note, just setting USEPWQUALITY=no and/or USECRACKLIB=no doesn't solve my problem either, even before running authconfig. –
djeikyb
Commented Sep 21, 2013 at 0:58
1
You can still change from the command line. You get a warning, but it will let you set a password that is too short, as well as one that does not meet complexity rules.
answered Dec 8, 2013 at 20:49
user280281
This is absolutely not the behaviour I experience with Fedora 19. –
djeikyb
Commented Dec 9, 2013 at 1:26
@djeikyb run the passwd command as root (either with sudo passwd or after su - to root terminal). –
Nick
Commented Dec 18, 2013 at 21:06
@Nick That doesn't disable or modify pam's password requirements. –
djeikyb
Commented Dec 18, 2013 at 23:34
@djeikyb It does not change the requirement, but it bypasses it. When you run passwd as root, it will ignore the password policies. If you just need to set it once and forget it, then that will work. If you are trying to set it so each user can freely change their passwords, then you need another solution. –
Nick
Commented Dec 19, 2013 at 16:46
1
@Nick I see. Yes, root can use passwd without being f-d with by pam. Little to do with the actual question, but it does make the claim in this "answer" true. –
djeikyb
Commented Dec 19, 2013 at 20:22
0
I just found this question based on a related search, and I think I have an answer for you.
Fedora creates symbolic links to the authconfig generated files, i.e., system-auth links to system-auth-ac. If you make system-auth its own file, then theoretically any future changes made by authconfig will still update system-auth-ac but leave your modified files unchanged.
It's actually quite elegant, but I only discovered it when wondering what the *-ac files did.
edited Feb 15, 2014 at 3:46
Roney Michael
answered Feb 15, 2014 at 0:13
Cyclone
This doesn't work. The next run of authconfig (e.g. authconfig --updateall) will delete your file and symlink it back to the -ac file. –
docwhat
Commented Apr 15, 2014 at 17:09
@TheDoctorWhat Is that so? Now it doesn't make any sense to me why they would do it that way if it wasn't to allow persistence of local changes with an easy fallback to the managed configuration. Oh well. –
Cyclone
Commented Apr 16, 2014 at 4:09
Yeah, it confuses me too... the documentation doesn't talk about it and the source code even has a long comment explaining how they're trying to be all things for everyone...very annoying. –
docwhat
Commented Apr 18, 2014 at 6:17