devnull0000 n00b
Joined: 16 Aug 2020 Posts: 4
Posted: Sun Aug 16, 2020 4:51 pm Post subject: How to force passwd to accept easy passwords ?
I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work
(from root)
passwd <my_user>
doesn't want to accept something easy like 0000 and teaches me security.
Do you know how to fix this ?
I tried to build shadow with cracklib disabled but no luck so far, editing of /etc/pam.d/system-auth also has no effect.
I want to control my machine, not allow machine to control me... that's why I use linux & gentoo
In the end I may end up debugging the passwd utility but it may take too long and I hope there is a way.
Last edited by devnull0000 on Sun Aug 16, 2020 5:02 pm; edited 1 time in total

devnull0000 n00b
Joined: 16 Aug 2020 Posts: 4
Posted: Sun Aug 16, 2020 5:01 pm
nevermind, I found it
comment out with # the line from /etc/pam.d/system-auth
password required pam_passwdqc.so min=8,8,8,8,8 retry=3
and making next one
to be
password required pam_unix.so nullok sha512 shadow
instead of
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
made me happy.

proteusx Guru
Joined: 21 Jan 2008 Posts: 338
Posted: Mon Aug 17, 2020 1:23 pm
I hate security too and here is my solution to cripple pam and make it let me in without asking for a password.
I have added as the top line: Code: | auth sufficient pam_permit.so | to /etc/pam.d/login as well as every module that nags me for a password (e.g. su, sshd, system-login, etc.)

Banana Veteran
Joined: 21 May 2004 Posts: 1357 Location: Germany

proteusx Guru
Joined: 21 Jan 2008 Posts: 338
Posted: Mon Aug 17, 2020 7:39 pm
Banana wrote: | ...and to everybody else: Don't |
Indeed, do not, or nasty Corona will get into your computer and might get you too; and we do not want that. Do we, children?

Hu Moderator
Joined: 06 Mar 2007 Posts: 21489
Posted: Mon Aug 17, 2020 8:16 pm Post subject: Re: How to force passwd to accept easy passwords ?
devnull0000 wrote: | I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work
| My first guess would be that you had previously overridden basic system security policy and your recent update included a configuration file change that, once merged, reverted you to recommended defaults. My second guess would be that a recent update improved the defaults.
proteusx: there is no need to get sarcastic here. Banana was trying to be helpful, by informing future readers that the change described here is not one to be applied without a proper understanding of the consequences. Those consequences may not be obvious since they apply only when a password change would otherwise be rejected for poor quality, and the result is an acceptance where the recommended default would be a denial.

Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Aug 17, 2020 8:32 pm
You should use strong randomly generated passwords. To log in via ssh without a password, see https://wiki.gentoo.org/wiki/SSH#Connecting_to_a_distant_SSH_server
It's not really passwordless, your computer remembers the password for you and automatically sends it.
For passwordless X login, search this forum. There were some recent posts. Maybe some kind person will post links.
Don't use 000 or abc, Linux can be destroyed by attackers. I understand your disdain for the security fetish, but take reasonable precautions against someone else. I've memorized my X password (not random but a long nonsense phrase) and use random 12 digit hex numbers for ssh passwords, which I don't memorize because I've followed the above wiki link. I login to X only from the LAN, YMMV. Many people disable all remote X login, but I'm the only user on the LAN now. Yes, I still use suid for X, but NOT with a password like 000

pietinger Moderator
Joined: 17 Oct 2006 Posts: 3997 Location: Bavaria
Posted: Mon Aug 17, 2020 8:50 pm
I understand requests for a simple (user) password. I am paranoid for security ... AND ... my user password is short and poor; only my pw for root is strong. Why ?
I have no fear of an offline attack (no cleaning personnel), so only an online attack could break my system. A (successful) attacker doesn't need my user pw because he has already gained (at minimum) my user rights. He can damage my system only with the root account and therefore you need a strong pw for root (and a hardened kernel).

Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Aug 17, 2020 10:03 pm
pietinger,
Those are good points. In my case, I'm set up to sudo without a password so my user password is as important as my root password.
EDIT:
I was used to UNIX in a corporate environment before Windows even existed, so I'm mindful of these things. Got to admit that on Windows at first I logged on without a password and with administrative rights. Today I don't do that because my browser remembers passwords for banks and credit cards. It's not just computer security at risk.

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Aug 17, 2020 10:36 pm
USE="-pam" and then you can set your password any way you like without it getting in the way. Don't run sshd with password access in either case.

pietinger Moderator
Joined: 17 Oct 2006 Posts: 3997 Location: Bavaria
Posted: Tue Aug 18, 2020 10:44 am
Tony0945 wrote: | [...] In my case, I'm set up to sudo without a password so my user password is as important as my root password. |
Tony,
this is a true reason ... and the reason why I don't like sudo and never use it; I do jobs as root only with "su -"
In my eyes, sudo is one of the greatest security risks because of the immediate root access through a simple user account (think what happens after a successful break into your system after browsing a bad website with your user account ...)

proteusx Guru
Joined: 21 Jan 2008 Posts: 338
Posted: Tue Aug 18, 2020 1:33 pm
Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.
Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
Security should be an opt-in, like systemd. A meta package perhaps.
You may say I am a dreamer, am I the only one?

pietinger Moderator
Joined: 17 Oct 2006 Posts: 3997 Location: Bavaria
Posted: Tue Aug 18, 2020 2:47 pm
proteusx wrote: | Imagine a world where personal systems have no security [...] |
Imagine a world where every house has an open front door ...

proteusx Guru
Joined: 21 Jan 2008 Posts: 338
Posted: Tue Aug 18, 2020 2:56 pm
pietinger wrote: | proteusx wrote: | Imagine a world where personal systems have no security [...] |
Imagine a world where every house has an open front door ... |
Unlike today's houses with 100 padlocks on the front door but wide open back door.

pietinger Moderator
Joined: 17 Oct 2006 Posts: 3997 Location: Bavaria
Posted: Tue Aug 18, 2020 3:03 pm
proteusx wrote: | [...] but wide open back door. |
Yes, you are right.
But only our secret agencies are using computer back doors, and in these agencies we have only characterful people with good intentions ...

Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Thu Oct 29, 2020 8:26 pm
devnull0000 wrote: | nevermind, I found it
comment out with # the line from /etc/pam.d/system-auth
password required pam_passwdqc.so min=8,8,8,8,8 retry=3
and making next one
to be
password required pam_unix.so nullok sha512 shadow
instead of
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
made me happy. |
thanks devnull0000,
your solution just saved me!
Thanks again
Ma
_________________
http://radio.garden/

devnull0000 n00b
Joined: 16 Aug 2020 Posts: 4
Posted: Wed Dec 09, 2020 9:47 am
I'm glad I helped!
Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:
- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"
then weak passwords will work, the system merely will warn about them.

Carlos227 n00b
Joined: 31 Jul 2020 Posts: 25
Posted: Tue Dec 29, 2020 12:56 am
devnull0000 wrote: | I'm glad I helped!
- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"
. |
Thanks, it has helped me a lot, I do not know what is the desire to force me to put a strong password, it should only show a warning as when changing the configuration to none.
In my case I just wanted to create a new account to try another user configuration and makes me waste my time, it is assumed that if I have at least gentoo running I understand the risk.
(by google translate)

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Dec 29, 2020 3:30 am
proteusx wrote: | Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.
Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
Security should be an opt-in, like systemd. A meta package perhaps.
You may say I am a dreamer, am I the only one? |
I, too, remember the utter horror show an internet-connected Windows 98 PC was.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21489
Posted: Tue Dec 29, 2020 5:36 pm
Some types of security absolutely should not be opt-in, because the people who need that security do not know, or care to know, enough about computers to realize that they should opt in. That is not to say the security should be mandatory. Allowing an opt-out is fine in some cases, and some of those may currently make opting out more difficult than it needs to be. Enabling such features by default, with the ability to disable them for people who know their use case does not need to be secured, is a safer default overall.

Blind_Sniper Guru
Joined: 20 Apr 2018 Posts: 336
Posted: Tue Dec 29, 2020 9:18 pm
I have a very short password: 1 digit.
And never edited any passwd.conf or whatever else.
When passwd warns me about a simple password, I just ignore that warning and type the confirmation.
That's all.
_________________
GNU is Not Usable

urcindalo l33t
Joined: 08 Feb 2005 Posts: 623 Location: Almeria, Spain
Posted: Fri Jan 15, 2021 6:04 pm
devnull0000 wrote: | I'm glad I helped!
Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:
- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"
then weak passwords will work, the system merely will warn about them. |
You just made my day!
Thank you very much!

dbishop Tux's lil' helper
Joined: 08 Dec 2007 Posts: 107
Posted: Sat Jan 23, 2021 9:42 pm
An easier way to do this is to edit
/etc/security/passwdqc.conf
Code: | min=8,8,8,8,8
max=40
passphrase=0
match=4
similar=permit
random=24
enforce=none
retry=3
|
change enforce=everyone to either =users or =none

ShorTie Tux's lil' helper
Joined: 12 Feb 2006 Posts: 101
Posted: Sun Jan 24, 2021 6:14 pm
Ya, the PAM wiki is quite old and out of date on this.
Even states the page before it's like 10 years old, lol.
But heck, you can't even open a discussion about it for changes.
How nice, lol.
And does not mention a thing about using /etc/security/passwdqc.conf.
Guess you gotta read the news or sumfin
Code: | 2020-06-23-upgrade-to-sys-libs_pam-1_4_0
Title sys-libs/pam-1.4.0 upgrade
Author Mikle Kolyada <zlogene@gentoo.org>
Posted 2020-06-23
Revision 1
Starting with the 1.4.0 release [1], we don't offer these modules anymore:
* pam_tally and pam_tally2 have been deprecated and replaced
by the pam_faillock module
* pam_cracklib has been deprecated and replaced
by the pam_passwdqc module
These changes affected our basic PAM stack configuration. |
Digging thru the other OS's and the manual, I came up with.
Code: | min=disabled,2,2,2,2
max=40
passphrase=0
match=0
similar=permit
random=0
enforce=none
retry=3 |
Still get warning of,
Weak password: not enough different characters or classes.
But doesn't seem so picky and allows more.
Ya, even in this day and age, forcing this stuff down your Throat seems Totalitarian to me.
Should be up to the person how carefully he/she picks their passwords.
They are the one that is gonna "Pay the Price" in the long run.

cameta Veteran
Joined: 04 Aug 2004 Posts: 1320
Posted: Fri Feb 26, 2021 10:41 pm
This works. After I have modified the password I have changed to enforce=everyone.
The security policies are in Gentoo for some reason.
_________________
If something fails, READ the damn manual. If it keeps failing, READ the damn manual PROPERLY.
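
An added example, not code from any poster in this thread or from Gentoo: a Python audit that flags the relaxations discussed above (an `enforce` value other than `everyone`, short `min` lengths, a missing `pam_passwdqc.so` password line, and `auth sufficient pam_permit.so`). The function names, the `min_len=8` baseline (taken from the `min=8,8,8,8,8` line quoted in the thread) and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# PAM line: type, control (simple or [bracketed]), module, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Constructed samples built from the settings quoted in this thread.
SAMPLE_QC = "min=disabled,2,2,2,2\nmax=40\nenforce=none\nretry=3\n"
SAMPLE_SYSTEM_AUTH = ("#password required pam_passwdqc.so min=8,8,8,8,8 retry=3\n"
                      "password required pam_unix.so nullok sha512 shadow\n")
SAMPLE_LOGIN = "auth sufficient pam_permit.so\nauth include system-local-login\n"

def audit_passwdqc(text, min_len=8):
    """Findings for a passwdqc.conf body; min_len=8 is this example's baseline."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    findings = []
    enforce = opts.get("enforce", "everyone")  # module default is "everyone"
    if enforce != "everyone":
        findings.append(f"enforce={enforce}: weak passwords are not rejected for all users")
    if any(f.isdigit() and int(f) < min_len for f in opts.get("min", "").split(",")):
        findings.append(f"min={opts['min']}: passwords shorter than {min_len} accepted")
    return findings

def audit_pam(service, text):
    """Findings for one /etc/pam.d service file."""
    findings, has_qc = [], False
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.strip())  # comment and blank lines never match
        ptype, control, module, _ = m.groups() if m else ("",) * 4
        if (ptype, control, module) == ("auth", "sufficient", "pam_permit.so"):
            findings.append(f"{service}: 'auth sufficient pam_permit.so' skips authentication")
        has_qc |= ptype == "password" and module == "pam_passwdqc.so"
    if service == "system-auth" and not has_qc:
        findings.append(f"{service}: no active pam_passwdqc.so password line")
    return findings

def audit_host(etc="/etc"):
    """Audit the real files under etc (paths as named in the thread)."""
    conf = Path(etc, "security/passwdqc.conf")
    found = audit_passwdqc(conf.read_text()) if conf.is_file() else []
    for f in sorted(Path(etc, "pam.d").glob("*")):
        if f.is_file():
            found += audit_pam(f.name, f.read_text())
    return found
```

Calling `audit_host()` on a machine returns an empty list when none of these relaxations are present.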