How to force passwd to accept easy passwords ?

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
devnull0000
n00b
Posts: 4
Joined: Sun Aug 16, 2020 4:47 pm

Post by devnull0000 » Sun Aug 16, 2020 4:51 pm

I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work

(from root)
passwd <my_user>

doesn't want to accept something easy like 0000 and teaches me security.

Do you know how to fix this ?
I tried to build shadow with cracklib disabled but no luck so far, editing of /etc/pam.d/system-auth also has no effect.

I want to control my machine, not allow machine to control me... that's why I use linux & gentoo
In the end I may end up debugging the passwd utility but it may take too long and I hope there is a way.
Last edited by devnull0000 on Sun Aug 16, 2020 5:02 pm, edited 1 time in total.
devnull0000
n00b
Posts: 4
Joined: Sun Aug 16, 2020 4:47 pm

Post by devnull0000 » Sun Aug 16, 2020 5:01 pm

nevermind, I found it

comment out with # the line from /etc/pam.d/system-auth
password required pam_passwdqc.so min=8,8,8,8,8 retry=3

and making next one
to be
password required pam_unix.so nullok sha512 shadow

instead of
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow

made me happy.
proteusx
Guru
Posts: 340
Joined: Mon Jan 21, 2008 11:35 am

Post by proteusx » Mon Aug 17, 2020 1:23 pm

I hate security too and here is my solution to cripple pam and make it let me in without asking for a password.
I have added as the top line:

 auth    sufficient      pam_permit.so

to /etc/pam.d/login as well as every module that nags me for a password (e.g. su, sshd, system-login, etc.)
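
For anyone reviewing a machine where the edits from this thread may have been applied, here is a small audit of a PAM service file. It is an added example, not code from any poster or from Gentoo; the sample stacks are constructed from the lines quoted above, and treating pam_unix.so as the credential check is an assumption.

```python
import re

# Constructed samples built from the lines quoted in this thread.
STOCK = """\
password required pam_passwdqc.so min=8,8,8,8,8 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""
WEAKENED = """\
auth    sufficient      pam_permit.so
#password required pam_passwdqc.so min=8,8,8,8,8 retry=3
password required pam_unix.so nullok sha512 shadow
"""

# type, control (plain word or [bracketed] form), module, optional arguments
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module, args) for each active rule; comments are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            module = m.group(3).rsplit("/", 1)[-1]  # tolerate absolute module paths
            rules.append((m.group(1), m.group(2), module, m.group(4).split()))
    return rules

def audit_pam(text):
    """Return a list of findings for one PAM service file."""
    rules, findings = parse_stack(text), []
    auth = [r for r in rules if r[0] == "auth"]
    for i, (_, control, module, _) in enumerate(auth):
        # Assumption: pam_unix.so is the module that actually checks the credential.
        checked_before = any(r[2] == "pam_unix.so" for r in auth[:i])
        if module == "pam_permit.so" and control == "sufficient" and not checked_before:
            findings.append("auth: sufficient pam_permit.so runs before any pam_unix.so check")
    password = [r for r in rules if r[0] == "password"]
    has_qc = any(r[2] == "pam_passwdqc.so" for r in password)
    if password and not has_qc:
        findings.append("password: no active pam_passwdqc.so rule, so no quality check")
    for _, _, module, args in password:
        if module == "pam_unix.so" and has_qc and "use_authtok" not in args:
            findings.append("password: pam_unix.so lacks use_authtok and may prompt on its own")
    return findings

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("weakened", WEAKENED)):
        print(name, audit_pam(text))
```

A file that only pulls in another stack through an include line yields no findings of its own, so run the check on each file under /etc/pam.d, system-auth included.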
Banana
Administrator
Posts: 2400
Joined: Fri May 21, 2004 12:02 pm
Location: Germany

Post by Banana » Mon Aug 17, 2020 6:09 pm

I hope you know what you are doing and to everybody else: Don't
Forum Guidelines

PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire
proteusx
Guru
Posts: 340
Joined: Mon Jan 21, 2008 11:35 am

Post by proteusx » Mon Aug 17, 2020 7:39 pm

Banana wrote:...and to everybody else: Don't
Indeed, do not, or nasty Corona will get into your computer and might get you too; and we do not want that. Do we, children?
Hu
Administrator
Posts: 24403
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Mon Aug 17, 2020 8:16 pm

devnull0000 wrote:I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work
My first guess would be that you had previously overridden basic system security policy and your recent update included a configuration file change that, once merged, reverted you to recommended defaults. My second guess would be that a recent update improved the defaults.

proteusx: there is no need to get sarcastic here. Banana was trying to be helpful, by informing future readers that the change described here is not one to be applied without a proper understanding of the consequences. Those consequences may not be obvious since they apply only when a password change would otherwise be rejected for poor quality, and the result is an acceptance where the recommended default would be a denial.
Tony0945
Watchman
Posts: 5127
Joined: Tue Jul 25, 2006 12:19 am
Location: Illinois, USA

Post by Tony0945 » Mon Aug 17, 2020 8:32 pm

You should use strong randomly generated passwords. To log in via ssh without a password, see https://wiki.gentoo.org/wiki/SSH#Connecting_to_a_distant_SSH_server
It's not really passwordless, your computer remembers the password for you and automatically sends it.
For passwordless X login, search this forum. There were some recent posts. Maybe some kind person will post links.

Don't use 000 or abc, Linux can be destroyed by attackers. I understand your disdain for the security fetish, but take reasonable precautions against someone else. I've memorized my X password (not random but a long nonsense phrase) and use random 12 digit hex numbers for ssh passwords, which I don't memorize because I've followed the above wiki link. I login to X only from the LAN, YMMV. Many people disable all remote X login, but I'm the only user on the LAN now. Yes, I still use suid for X, but NOT with a password like 000
pietinger
Administrator
Posts: 6640
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Mon Aug 17, 2020 8:50 pm

I understand requests for a simple (user) password. I am paranoid about security ... AND ... my user password is short and poor; only my pw for root is strong. Why?

I have no fear of an offline attack (no cleaning personnel), so only an online attack could break my system. A (successful) attacker doesn't need my user pw because he has already gained (at minimum) my user rights. He can damage my system only with the root account and therefore you need a strong pw for root (and a hardened kernel).
Tony0945
Watchman
Posts: 5127
Joined: Tue Jul 25, 2006 12:19 am
Location: Illinois, USA

Post by Tony0945 » Mon Aug 17, 2020 10:03 pm

pietinger,

Those are good points. In my case, I'm set up to sudo without a password so my user password is as important as my root password.

EDIT:
I was used to UNIX in a corporate environment before Windows even existed, so I'm mindful of these things. Got to admit that on Windows at first I logged on without a password and with administrative rights. Today I don't do that because my browser remembers passwords for banks and credit cards. It's not just computer security at risk.
Ant P.
Watchman
Posts: 6920
Joined: Sat Apr 18, 2009 7:18 pm

Post by Ant P. » Mon Aug 17, 2020 10:36 pm

USE="-pam" and then you can set your password any way you like without it getting in the way. Don't run sshd with password access in either case.
pietinger
Administrator
Posts: 6640
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Tue Aug 18, 2020 10:44 am

Tony0945 wrote:[...] In my case, I'm set up to sudo without a password so my user password is as important as my root password.
Tony,

this is a true reason ... and the reason why I don't like sudo and never use it; I do jobs as root only with "su -"

In my eyes, sudo is one of the greatest security risks because of the immediate root access through a simple user account (think what happens after a successful break into your system after browsing a bad website with your user account ...)
proteusx
Guru
Posts: 340
Joined: Mon Jan 21, 2008 11:35 am

Post by proteusx » Tue Aug 18, 2020 1:33 pm

Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.
Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
Security should be an opt-in, like systemd. A meta package perhaps.
You may say I am a dreamer, am I the only one?
pietinger
Administrator
Posts: 6640
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Tue Aug 18, 2020 2:47 pm

proteusx wrote:Imagine a world where personal systems have no security [...]
Imagine a world where every house has an open front door ...
proteusx
Guru
Posts: 340
Joined: Mon Jan 21, 2008 11:35 am

Post by proteusx » Tue Aug 18, 2020 2:56 pm

pietinger wrote:
proteusx wrote:Imagine a world where personal systems have no security [...]
Imagine a world where every house has an open front door ...
Unlike today's houses with 100 padlocks on the front door but wide open back door.
pietinger
Administrator
Posts: 6640
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Tue Aug 18, 2020 3:03 pm

proteusx wrote:[...] but wide open back door.
Yes, you are right.

But only our secret agencies are using computer back doors, and in these agencies we have only characterful people with good intentions ...
Marlo
Veteran
Posts: 1591
Joined: Sat Jul 26, 2003 1:41 pm

Post by Marlo » Thu Oct 29, 2020 8:26 pm

devnull0000 wrote:nevermind, I found it

comment out with # the line from /etc/pam.d/system-auth
password required pam_passwdqc.so min=8,8,8,8,8 retry=3

and making next one
to be
password required pam_unix.so nullok sha512 shadow

instead of
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow

made me happy.
thanks devnull0000,

your solution just saved me!

Thanks again
Ma
------------------------------------------------------------------
http://radio.garden/
devnull0000
n00b
Posts: 4
Joined: Sun Aug 16, 2020 4:47 pm

Post by devnull0000 » Wed Dec 09, 2020 9:47 am

I'm glad I helped!

Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:

- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"

then weak passwords will work, the system merely will warn about them.
Carlos227
n00b
Posts: 25
Joined: Fri Jul 31, 2020 7:13 pm

Post by Carlos227 » Tue Dec 29, 2020 12:56 am

devnull0000 wrote:I'm glad I helped!
- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"
.
Thanks, it has helped me a lot, I do not know what is the desire to force me to put a strong password, it should only show a warning as when changing the configuration to none.
In my case I just wanted to create a new account to try another user configuration and makes me waste my time, it is assumed that if I have at least gentoo running I understand the risk.
(by google translate)
Ant P.
Watchman
Posts: 6920
Joined: Sat Apr 18, 2009 7:18 pm

Post by Ant P. » Tue Dec 29, 2020 3:30 am

proteusx wrote:Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.
Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
Security should be an opt-in, like systemd. A meta package perhaps.
You may say I am a dreamer, am I the only one?
I, too, remember the utter horror show an internet-connected Windows 98 PC was.
Hu
Administrator
Posts: 24403
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Tue Dec 29, 2020 5:36 pm

Some types of security absolutely should not be opt-in, because the people who need that security do not know, or care to know, enough about computers to realize that they should opt in. That is not to say the security should be mandatory. Allowing an opt-out is fine in some cases, and some of those may currently make opting out more difficult than it needs to be. Enabling such features by default, with the ability to disable them for people who know their use case does not need to be secured, is a safer default overall.
Blind_Sniper
Guru
Posts: 373
Joined: Fri Apr 20, 2018 9:48 am

Post by Blind_Sniper » Tue Dec 29, 2020 9:18 pm

I have a very short password: 1 digit.
And never edited any passwd.conf or whatever else.
When passwd warns me about a simple password, I just ignore that warning and type the confirmation.
That's all.
GNU is Not Usable
urcindalo
l33t
Posts: 623
Joined: Tue Feb 08, 2005 2:58 pm
Location: Almeria, Spain

Post by urcindalo » Fri Jan 15, 2021 6:04 pm

devnull0000 wrote:I'm glad I helped!

Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:

- there is /etc/security/passwdqc.conf file
- you can change "enforce" option from "everyone" to "none"

then weak passwords will work, the system merely will warn about them.
You just made my day!
Thank you very much!
dbishop
Tux's lil' helper
Posts: 107
Joined: Sat Dec 08, 2007 8:47 am

Post by dbishop » Sat Jan 23, 2021 9:42 pm

An easier way to do this is to edit

/etc/security/passwdqc.conf

    min=8,8,8,8,8
    max=40
    passphrase=0
    match=4
    similar=permit
    random=24
    enforce=none
    retry=3

change enforce=everyone to either =users or =none
ShorTie
Tux's lil' helper
Posts: 103
Joined: Sun Feb 12, 2006 1:09 pm

Post by ShorTie » Sun Jan 24, 2021 6:14 pm

Ya, the PAM wiki is quite old and out of date on this.
Even states the page before it's like 10 years old, lol.
But heck, you can't even open a discussion about it for changes.
How nice, lol.

And does not mention a thing about using /etc/security/passwdqc.conf.
Guess you gotta read the news or sumfin

    2020-06-23-upgrade-to-sys-libs_pam-1_4_0
      Title                     sys-libs/pam-1.4.0 upgrade
      Author                    Mikle Kolyada <zlogene@gentoo.org>
      Posted                    2020-06-23
      Revision                  1

    Starting with the 1.4.0 release [1], we don't offer these modules anymore:

    * pam_tally and pam_tally2 have been deprecated and replaced
      by the pam_faillock module
    * pam_cracklib has been deprecated and replaced
      by the pam_passwdqc module

    These changes affected our basic PAM stack configuration.

Digging thru the other OS's and the manual, I came up with.

    min=disabled,2,2,2,2
    max=40
    passphrase=0
    match=0
    similar=permit
    random=0
    enforce=none
    retry=3

Still get warning of,
Weak password: not enough different characters or classes.
But doesn't seem so picky and allows more.

Ya, even in this day and age, forcing this stuff down your Throat seems Totalitarian to me.
Should be up to the person how carefully he/she picks their passwords.
They are the one that is gonna "Pay the Price" in the long run.
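
To see at a glance how far a given /etc/security/passwdqc.conf has drifted from the settings this thread started with (min=8,8,8,8,8 and enforce=everyone), the check below parses the file and lists each weakened option. It is an added example, not code from any poster or from the passwdqc project; the two inputs are constructed copies of the configurations posted above, and the names N0 to N4 simply number the five fields of min.

```python
# Baseline quoted in the thread: min=8,8,8,8,8 with enforce=everyone.
BASELINE_MIN = [8, 8, 8, 8, 8]

# Constructed inputs: the two passwdqc.conf variants posted in this thread.
POSTED_A = ("min=8,8,8,8,8\nmax=40\npassphrase=0\nmatch=4\n"
            "similar=permit\nrandom=24\nenforce=none\nretry=3\n")
POSTED_B = ("min=disabled,2,2,2,2\nmax=40\npassphrase=0\nmatch=0\n"
            "similar=permit\nrandom=0\nenforce=none\nretry=3\n")

def parse_passwdqc(text):
    """Parse option=value lines; blank lines and lines starting with '#' are ignored."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key] = value
    return options

def audit_passwdqc(text):
    """Return findings where the file is weaker than the baseline above."""
    options, findings = parse_passwdqc(text), []
    enforce = options.get("enforce", "everyone")  # passwdqc enforces for everyone if unset
    if enforce == "none":
        findings.append("enforce=none: weak passwords produce a warning but are accepted")
    elif enforce == "users":
        findings.append("enforce=users: only non-root callers are held to the policy")
    names = ["N0", "N1", "N2", "N3", "N4"]
    fields = options.get("min", "").split(",")
    for name, value, floor in zip(names, fields, BASELINE_MIN):
        # "disabled" rejects that kind of password outright, so it is stricter, not weaker
        if value.isdigit() and int(value) < floor:
            findings.append(f"min {name}={value} is below the baseline of {floor}")
    return findings

if __name__ == "__main__":
    for label, text in (("first posted file", POSTED_A), ("second posted file", POSTED_B)):
        print(label)
        for finding in audit_passwdqc(text):
            print("  -", finding)
```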
cameta
Veteran
Posts: 1394
Joined: Wed Aug 04, 2004 9:51 am

Post by cameta » Fri Feb 26, 2021 10:41 pm

enforce=none
This works. After I have modified the password I have changed to enforce=everyone.
The security policies are in Gentoo for some reason. :wink:
If something fails, READ the damn manual. If it keeps failing, READ the damn manual PROPERLY.

All times are UTC