Gentoo Forums
How to force passwd to accept easy passwords ?
devnull0000
n00b

Joined: 16 Aug 2020
Posts: 4

Posted: Sun Aug 16, 2020 4:51 pm    Post subject: How to force passwd to accept easy passwords ?

I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work

(from root)
passwd <my_user>

doesn't want to accept something easy like 0000 and teaches me security.

Do you know how to fix this ?
I tried to build shadow with cracklib disabled but no luck so far; editing /etc/pam.d/system-auth also has no effect.

I want to control my machine, not allow machine to control me... that's why I use linux & gentoo
In the end I may end up debugging the passwd utility but it may take too long and I hope there is a way.


Last edited by devnull0000 on Sun Aug 16, 2020 5:02 pm; edited 1 time in total
devnull0000
n00b

Joined: 16 Aug 2020
Posts: 4

Posted: Sun Aug 16, 2020 5:01 pm

nevermind, I found it

comment out with # the line from /etc/pam.d/system-auth
password required pam_passwdqc.so min=8,8,8,8,8 retry=3

and making next one
to be
password required pam_unix.so nullok sha512 shadow

instead of
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow

made me happy.
proteusx
Guru

Joined: 21 Jan 2008
Posts: 338

Posted: Mon Aug 17, 2020 1:23 pm

I hate security too and here is my solution to cripple pam and make it let me in without asking for a password.
I have added as the top line:
Code:
 auth    sufficient      pam_permit.so
to /etc/pam.d/login as well as every module that nags me for a password (e.g. su, sshd, system-login, etc.)
Banana
Veteran

Joined: 21 May 2004
Posts: 1357
Location: Germany

Posted: Mon Aug 17, 2020 6:09 pm

I hope you know what you are doing and to everybody else: Don't
_________________
My personal space
My delta-labs.org snippets do expire

PFL - Portage file list - find which package a file or command belongs to.
proteusx
Guru

Joined: 21 Jan 2008
Posts: 338

Posted: Mon Aug 17, 2020 7:39 pm

Banana wrote:
...and to everybody else: Don't

Indeed, do not, or nasty Corona will get into your computer and might get you too; and we do not want that. Do we, children?
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21489

Posted: Mon Aug 17, 2020 8:16 pm    Post subject: Re: How to force passwd to accept easy passwords ?

devnull0000 wrote:
I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work
My first guess would be that you had previously overridden basic system security policy and your recent update included a configuration file change that, once merged, reverted you to recommended defaults. My second guess would be that a recent update improved the defaults.

proteusx: there is no need to get sarcastic here. Banana was trying to be helpful, by informing future readers that the change described here is not one to be applied without a proper understanding of the consequences. Those consequences may not be obvious since they apply only when a password change would otherwise be rejected for poor quality, and the result is an acceptance where the recommended default would be a denial.
Tony0945
Watchman

Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Mon Aug 17, 2020 8:32 pm

You should use strong randomly generated passwords. To log in via ssh without a password, see https://wiki.gentoo.org/wiki/SSH#Connecting_to_a_distant_SSH_server
It's not really passwordless, your computer remembers the password for you and automatically sends it.
For passwordless X login, search this forum. There were some recent posts. Maybe some kind person will post links.

Don't use 000 or abc, Linux can be destroyed by attackers. I understand your disdain for the security fetish, but take reasonable precautions against someone else. I've memorized my X password (not random but a long nonsense phrase) and use random 12 digit hex numbers for ssh passwords, which I don't memorize because I've followed the above wiki link. I login to X only from the LAN, YMMV. Many people disable all remote X login, but I'm the only user on the LAN now. Yes, I still use suid for X, but NOT with a password like 000
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3997
Location: Bavaria

Posted: Mon Aug 17, 2020 8:50 pm

I understand requests for a simple (user) password. I am paranoid about security ... AND ... my user password is short and poor; only my pw for root is strong. Why?

I have no fear of an offline attack (no cleaning personnel), so only an online attack could break my system. A (successful) attacker doesn't need my user pw because he has already gained (at minimum) my user rights. He can damage my system only with the root account and therefore you need a strong pw for root (and a hardened kernel).
Tony0945
Watchman

Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Mon Aug 17, 2020 10:03 pm

pietinger,

Those are good points. In my case, I'm set up to sudo without a password so my user password is as important as my root password.

EDIT:
I was used to UNIX in a corporate environment before Windows even existed, so I'm mindful of these things. Got to admit that on Windows at first I logged on without a password and with administrative rights. Today I don't do that because my browser remembers passwords for banks and credit cards. It's not just computer security at risk.
Back to top
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 6920

Posted: Mon Aug 17, 2020 10:36 pm

USE="-pam" and then you can set your password any way you like without it getting in the way. Don't run sshd with password access in either case.
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3997
Location: Bavaria

Posted: Tue Aug 18, 2020 10:44 am

Tony0945 wrote:
[...] In my case, I'm set up to sudo without a password so my user password is as important as my root password.

Tony,

this is a true reason ... and the reason why I don't like sudo and never use it; I do jobs as root only with "su -"

In my eyes, sudo is one of the greatest security risks because of the immediate root access through a simple user account (think what happens after a successful break into your system after browsing a bad website with your user account ...)
proteusx
Guru

Joined: 21 Jan 2008
Posts: 338

Posted: Tue Aug 18, 2020 1:33 pm

Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.
Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
Security should be an opt-in, like systemd. A meta package perhaps.
You may say I am a dreamer, am I the only one?
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3997
Location: Bavaria

Posted: Tue Aug 18, 2020 2:47 pm

proteusx wrote:
Imagine a world where personal systems have no security [...]

Imagine a world where every house has an open front door ...
proteusx
Guru

Joined: 21 Jan 2008
Posts: 338

Posted: Tue Aug 18, 2020 2:56 pm

pietinger wrote:
proteusx wrote:
Imagine a world where personal systems have no security [...]

Imagine a world where every house has an open front door ...

Unlike today's houses with 100 padlocks on the front door but wide open back door.
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3997
Location: Bavaria

Posted: Tue Aug 18, 2020 3:03 pm

proteusx wrote:
[...] but wide open back door.

Yes, you are right.

But only our secret agencies are using computer back doors, and in these agencies we have only characterful people with good intentions ...
Marlo
Veteran

Joined: 26 Jul 2003
Posts: 1591

Posted: Thu Oct 29, 2020 8:26 pm

devnull0000 wrote:
nevermind, I found it

comment out with # the line from /etc/pam.d/system-auth
password required pam_passwdqc.so min=8,8,8,8,8 retry=3

and making next one
to be
password required pam_unix.so nullok sha512 shadow

instead of
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow

made me happy.


thanks devnull0000,

your solution just saved me!

Thanks again
Ma
_________________
------------------------------------------------------------------
http://radio.garden/
devnull0000
n00b

Joined: 16 Aug 2020
Posts: 4

Posted: Wed Dec 09, 2020 9:47 am

I'm glad I helped!

Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:

- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"

then weak passwords will work, the system will merely warn about them.
Carlos227
n00b

Joined: 31 Jul 2020
Posts: 25

Posted: Tue Dec 29, 2020 12:56 am

devnull0000 wrote:
I'm glad I helped!
- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"
.


Thanks, it has helped me a lot, I do not know what is the desire to force me to put a strong password, it should only show a warning as when changing the configuration to none.
In my case I just wanted to create a new account to try another user configuration and makes me waste my time, it is assumed that if I have at least gentoo running I understand the risk.
(by google translate)
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 6920

Posted: Tue Dec 29, 2020 3:30 am

proteusx wrote:
Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.
Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
Security should be an opt-in, like systemd. A meta package perhaps.
You may say I am a dreamer, am I the only one?

I, too, remember the utter horror show an internet-connected Windows 98 PC was.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 21489

Posted: Tue Dec 29, 2020 5:36 pm

Some types of security absolutely should not be opt-in, because the people who need that security do not know, or care to know, enough about computers to realize that they should opt in. That is not to say the security should be mandatory. Allowing an opt-out is fine in some cases, and some of those may currently make opting out more difficult than it needs to be. Enabling such features by default, with the ability to disable them for people who know their use case does not need to be secured, is a safer default overall.
Blind_Sniper
Guru

Joined: 20 Apr 2018
Posts: 336

Posted: Tue Dec 29, 2020 9:18 pm

I have a very short password: 1 digit.
And never edited any passwd.conf or whatever else.
When passwd warns me about a simple password, I just ignore that warning and type the confirmation.
That's all.
_________________
GNU is Not Usable
urcindalo
l33t

Joined: 08 Feb 2005
Posts: 623
Location: Almeria, Spain

Posted: Fri Jan 15, 2021 6:04 pm

devnull0000 wrote:
I'm glad I helped!

Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:

- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"

then weak passwords will work, the system will merely warn about them.


You just made my day!
Thank you very much!
dbishop
Tux's lil' helper

Joined: 08 Dec 2007
Posts: 107

Posted: Sat Jan 23, 2021 9:42 pm

An easier way to do this is to edit

/etc/security/passwdqc.conf

Code:
min=8,8,8,8,8
max=40
passphrase=0
match=4
similar=permit
random=24
enforce=none
retry=3


change enforce=everyone to either =users or =none
ShorTie
Tux's lil' helper

Joined: 12 Feb 2006
Posts: 101

Posted: Sun Jan 24, 2021 6:14 pm

Ya, the PAM wiki is quite old and out of date on this.
Even states the page before it's like 10 years old, lol.
But heck, you can't even open a discussion about it for changes.
How nice, lol.

And does not mention a thing about using /etc/security/passwdqc.conf.
Guess you gotta read the news or sumfin

Code:
2020-06-23-upgrade-to-sys-libs_pam-1_4_0
  Title                     sys-libs/pam-1.4.0 upgrade
  Author                    Mikle Kolyada <zlogene@gentoo.org>
  Posted                    2020-06-23
  Revision                  1

Starting with the 1.4.0 release [1], we don't offer these modules anymore:

* pam_tally and pam_tally2 have been deprecated and replaced
  by the pam_faillock module
* pam_cracklib has been deprecated and replaced
  by the pam_passwdqc module

These changes affected our basic PAM stack configuration.


Digging thru the other OS's and the manual, I came up with.

Code:
min=disabled,2,2,2,2
max=40
passphrase=0
match=0
similar=permit
random=0
enforce=none
retry=3


Still get warning of,
Weak password: not enough different characters or classes.
But doesn't seem so picky and allows more.

Ya, even in this day and age, forcing this stuff down your Throat seems Totalitarian to me.
Should be up to the person how carefully he/she picks their passwords.
They are the one that is gonna "Pay the Price" in the long run.
cameta
Veteran

Joined: 04 Aug 2004
Posts: 1320

Posted: Fri Feb 26, 2021 10:41 pm

Quote:
enforce=none

This works. After I have modified the password I have changed to enforce=everyone.
The security policies are in Gentoo for some reason. :wink:
_________________
If something fails, READ the damn manual. If it keeps failing, READ the damn manual PROPERLY.
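
An added example (not from any poster in this thread and not Gentoo's own tooling): a small Python audit that flags the PAM and passwdqc changes discussed above, so an administrator can spot a host where they are still in effect. The 8-character baseline and the sample inputs are assumptions constructed from the lines quoted in the posts.

```python
import re

BASELINE_MIN = 8  # assumption: the min=8,8,8,8,8 value quoted in this thread
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def active_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_passwdqc_options(tokens):
    """Check passwdqc key=value tokens (passwdqc.conf lines or PAM arguments)."""
    findings = []
    for key, _, value in (t.partition("=") for t in tokens):
        if key == "enforce" and value in ("none", "users"):
            findings.append(f"enforce={value}: quality checks not enforced for everyone")
        elif key == "min" and any(
                v.isdigit() and int(v) < BASELINE_MIN for v in value.split(",")):
            findings.append(f"min={value}: allows lengths below {BASELINE_MIN}")
    return findings

def audit_pam_stack(text):
    """Check one /etc/pam.d file for the changes described in this thread."""
    findings, seen_qc = [], False
    for line in active_lines(text):
        m = PAM_LINE.match(line)
        if not m:
            continue
        kind, control, args = m.group(1), m.group(2), m.group(4).split()
        module = m.group(3).rsplit("/", 1)[-1]  # tolerate absolute module paths
        if (kind, control, module) == ("auth", "sufficient", "pam_permit.so"):
            findings.append("auth sufficient pam_permit.so: auth can pass with no password")
        elif kind == "password" and module == "pam_passwdqc.so":
            seen_qc = True
            findings += audit_passwdqc_options(args)
        elif kind == "password" and module == "pam_unix.so" and not seen_qc:
            findings.append("pam_unix.so sets passwords with no pam_passwdqc.so before it")
    return findings

# Constructed samples, assembled from the lines quoted in the posts above.
SAMPLE_CONF = "min=disabled,2,2,2,2\nmax=40\nenforce=none\nretry=3\n"
SAMPLE_PAM = ("auth sufficient pam_permit.so\n"
              "#password required pam_passwdqc.so min=8,8,8,8,8 retry=3\n"
              "password required pam_unix.so nullok sha512 shadow\n")

if __name__ == "__main__":
    for f in audit_passwdqc_options(active_lines(SAMPLE_CONF)) + audit_pam_stack(SAMPLE_PAM):
        print("WEAKENED:", f)
```

On a real host, pass the contents of /etc/security/passwdqc.conf and each file under /etc/pam.d to these functions; an empty list means none of the changes from this thread were found.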
All times are GMT
Page 1 of 2