Gentoo Forums
Trouble understanding passwdqc.conf
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

Posted: Wed Dec 22, 2021 7:31 pm    Post subject: Trouble understanding passwdqc.conf

I usually don't mess with my PAM configuration and I'm pretty happy to assume the defaults of the distribution. My base system is pretty old (I mean I installed the stage3 tarball way back in 2008 and have been updating my system ever since), so I've seen quite a lot of changes over the last decade. Because I live alone, my system has one user only, so I never really noticed that Gentoo now uses pam_passwdqc.so, which behaves completely differently from what I'm used to. And I'm struggling to make it work like I used to know.

I've found this post https://forums.gentoo.org/viewtopic-t-1117656-start-0.html and while I could swap the pam_passwdqc.so line from /etc/pam.d/system-auth with password required pam_unix.so nullok sha512 shadow, I'd rather try to understand how to configure it so that it behaves like I want it to behave and not the other way round (me having to behave like pam_passwdqc wants me to behave).

I wanted to create a test user ("atest") to test the awesome window manager (yes, I want to test it on a fresh new account before investing time in changing my current configuration), and so this account is going to exist only for a couple of days, and then I'm going to remove it. But now passwd is forcing me to set a super secure long password with different character classes. This is a test account that is going to exist for a couple of days; I don't mind using a password like qwert here. So I started reading the passwdqc.conf man page, but to be honest, I don't really understand the meaning of the min= value. The default is disabled,24,11,8,7 but the real meaning behind it eludes me. I also tried setting enforce=none but that didn't help either; passwd is still asking for a long secure password.

I also don't understand what the "match" option really does.

Like I said, I usually don't mess with my PAM configuration, so as far as I know/remember, I haven't changed the contents of /etc/pam.d/system-auth, I see a few double entries

Code:

auth        required    pam_env.so
auth        requisite   pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth        [default=die]   pam_faillock.so authfail
account     required    pam_unix.so
account         required        pam_faillock.so
password    required    pam_passwdqc.so config=/etc/security/passwdqc.conf
password    required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session     required    pam_limits.so
session     required    pam_env.so
session     required    pam_unix.so


Why do I have several "password ... pam_unix.so" entries? Are these leftovers from older versions of PAM that did not get removed when doing world updates? Is this configuration a current one? How can I change the min= option so that it accepts a password like qwert?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21607

Posted: Wed Dec 22, 2021 9:59 pm

min= tries to specify 5 different related parameters in one line, which makes it very compact, but easy to misunderstand. As I read the explanatory text below it, the tool reads your proposed password and assigns it a category, one of N0...N4, based on what it found in the password. If every character in your password is from the same character class (qwert would qualify as yes here), then use rule N0, which defaults to disabled. This means that you could make your password arbitrarily long (while using only characters from one class), and it's still not complex enough. Change disabled to 5 or below to make it accept qwert (since that is 5 characters long).

I don't see any double entries. The first column specifies the reason PAM is reading this file. Two lines that differ in the first column cannot be considered duplicates even if they match in all other fields.
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

Posted: Thu Dec 23, 2021 1:01 am

Hu wrote:
min= tries to specify 5 different related parameters in one line, which makes it very compact, but easy to misunderstand. As I read the explanatory text below it, the tool reads your proposed password and assigns it a category, one of N0...N4, based on what it found in the password. If every character in your password is from the same character class (qwert would qualify as yes here), then use rule N0, which defaults to disabled. This means that you could make your password arbitrarily long (while using only characters from one class), and it's still not complex enough. Change disabled to 5 or below to make it accept qwert (since that is 5 characters long).


aahhhh.... I thought the 24 was the first value N0, that's why it didn't make sense.

So the first class is letters, numbers, and "and other characters", whatever that may mean (punctuation marks???).

The second class are non-ascii characters. What are the third and fourth classes?

Hu wrote:

I don't see any double entries. The first column specifies the reason PAM is reading this file. Two lines that differ in the first column cannot be considered duplicates even if they match in all other fields.


I focused only on the second and third columns; I didn't realize that pam_unix.so has different types.

Do you know why the change of the enforce=none in passwdqc.conf did not work?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21607

Posted: Thu Dec 23, 2021 2:41 am

From the manual page:
man passwdqc.conf:
    N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters, which could not be classified, but are assumed to be non-digits.

    N1 is used for passwords consisting of characters from two character classes that do not meet the requirements for a passphrase.

    N2 is used for passphrases. Note that besides meeting this length requirement, a passphrase must also consist of a sufficient number of words (see the passphrase option below).

    N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.
Without seeing the full configuration, no, I don't know why enforce=none produced results other than what you wanted.
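As an added illustration (not code from the thread or from passwdqc itself), here is a small Python model of how min=N0,N1,N2,N3,N4 is applied, following the man page text quoted above. It assumes passwdqc's rule that an upper-case first character and a digit as the last character earn no class credit, uses a simplified word count for the passphrase rule N2 (default of 3 words) and simplified non-ASCII handling; it shows why qwert is refused under the default and accepted once N0 is set to 5.

```python
import re

DEFAULT_MIN = "disabled,24,11,8,7"   # passwdqc.conf default min=N0,N1,N2,N3,N4

def parse_min(spec):
    """Split min= into its five values; the keyword 'disabled' becomes None."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five values, N0..N4")
    return [None if p.strip() == "disabled" else int(p) for p in parts]

def count_classes(password):
    """Character classes per passwdqc.conf(5): digits, lower-case, upper-case,
    other; non-ASCII characters form one extra class (simplified here)."""
    digits = lowers = uppers = others = unknowns = 0
    for ch in password:
        if not ch.isascii():
            unknowns += 1
        elif ch.isdigit():
            digits += 1
        elif ch.islower():
            lowers += 1
        elif ch.isupper():
            uppers += 1
        else:
            others += 1
    # pam_passwdqc gives no credit for an upper-case first character or a
    # digit as the last character, the two most common placements
    if uppers and password[0].isascii() and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isascii() and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others, unknowns) if n)

def evaluate(password, min_spec=DEFAULT_MIN, passphrase_words=3):
    """Choose rule N0..N4 for the password and compare its length with that
    rule's minimum.  Returns (accepted, rule, required_length)."""
    mins = parse_min(min_spec)
    classes = count_classes(password)
    words = len(re.findall(r"[A-Za-z]+", password))  # simplified word count
    if classes >= 3:
        rule = min(classes, 4)
    elif classes == 2:
        rule = 2 if words >= passphrase_words else 1  # N2 = passphrase
    else:
        rule = 0
    need = mins[rule]
    return (need is not None and len(password) >= need), "N%d" % rule, need
```

Calling evaluate("qwert") with the default gives (False, "N0", None), while evaluate("qwert", "5,24,11,8,7") gives (True, "N0", 5); Qwert and qwert1 still fall under N0 because of the placement rule.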