Linux PAM's Cracklib module

??? How to limit password length in the Linux system at the same time to manage the complexity of the password, recently found that someone's password conforms to the length of the rules, but it is very simple and easy to guess, check the relevant data found in the PAM Pam_cracklib module is used to do the password complexity detection.

? ? ? ? A brief introduction to Pam,pam (pluggable authentication Modules) is a certification mechanism proposed by Sun. It separates the services provided by the system and the authentication of the service by providing some dynamic link libraries and a unified set of APIs, allowing system administrators the flexibility to configure different authentication methods for different services as needed without changing the service program, while also facilitating the addition of new authentication methods to the system. The PAM module is an embedded module that takes effect immediately after modification.

? ? ? ?? The important files for Pam are as follows:

?????./usr/lib/libpam.so.*???? # # Pam Core Library

?????????????. Pam configuration file (/etc/pam.conf)

/etc/pam.d/*???????????? # # PAM configuration files for each module

?????/lib/security/pam_*.so?? # # Dynamically loaded PAM module

? ? ? ? ? The format of each line of the PAM configuration file: Module-type? Control-flag? Module-path? Arguments?

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Module type???? Control character???? Module parameters

? ? ? ? ? module-type:

?????????. Auth: Determine two aspects of user authentication. First, he confirms that the user is themselves, which prompts the user to enter a password or other formal identity through the application. Second, this type of module will confer membership.

?????????? account: Handling non-certification level accounts management. A typical usage is to restrict and allow access to a service based on a different time of day. Limit the currently available system resources (maximum number of users) or restrict specific user-root to log in from the console only.

?????????????????? This includes logging in/out of the user, mounting the necessary directories, and so on.

?????????? Password: Set the password.

? ? ? ? ? ? Control-flag:

??????????. Required: Indicates that this module must return successfully to pass authentication, but if the module fails to return, the result will not be immediately. Notifies the user, but waits until all modules in the same stack have finished executing before returning the failed result to the application. Can think of as a must????? to the condition.

?????????? Requisite: Similar to required, the module must return to success in order to pass authentication, but once the module fails to return, it will no longer execute? Any module within the same stack, but returns control directly to the application. is a necessary condition. Note: Solaris is not supported.

??????????. Sufficient: Indicates that the module returned successfully enough to pass the authentication requirement, and no additional modules within the same stack need to be executed, but can be ignored if the module returns a failure. Can be considered as a sufficient condition.

??????????. Optional: This module is optional, its success generally does not play a key role in identity authentication, the return value is generally ignored.

What do you mean by that?????????? Contains a different configuration file.

? ? ? ? ?? ? Module-path:

? ? ? ? ? ? ? ? ? ? Debian's Pam Module storage directory is/lib/security by default. In the configuration file of each module, do not write absolute path, direct? Write this default directory under the module name is ready. Of course, you can also write absolute paths.

? ? ? ? ?? ? Arguments:

? ? ? ? ? ? ? ? ? The parameters of each module are different, specific to the developer of the Man manual. Invalid parameters have no effect on the results, but are logged by the log. First, see if/lib/security has this module, again: Man module name

? ? ? ? ? The following is the introduction of the Cracklib module

??????????. Pam_cracklib is a PAM module that checks if a password violates a password dictionary, and this verification module provides pluggable password strength detection for special applications by inserting the password stack. It works by first prompting the user to enter a password, and then using a system????? Dictionaries and a set of rules to detect if the password entered does not meet the robustness requirements. The strength detection of the password is divided two times, the first time is only detected secret?????? Code is a part of the provided comparison dictionary, if the test result is negative, then will provide some additional detection to further detect it?????? Strength, such as detecting the ratio of characters in the new password to the old password characters, the length of the password, the case status of the characters used, and whether or not to use the special?????? characters, and so on. (libpam-cracklib )

? ? ? ? ? Here are some of the parameters of the Cracklib module:

?????? Debug: Write debug information to Syslog

?????? Type=xxx: Prompt for the text content of the password. The default is "New Unix password:" and "Retype Unix password:", customizable

?????? Retry=n: Users can enter a password several times after the error. The default is 1 times.

?????? Difok=n: The new password has several characters that cannot be the same as the old one, which is 5 by default. In addition, if the new password is 1/2 characters old, it will be accepted as well.

?????? Diginore=n: Default when the new password has 23 characters, the DIFOK option is ignored.

?????? Minlen=n: Minimum password length.

?????? Dcredit=n: When N>=0, N represents the maximum number of Arabic numerals a new password can have. When N<0, n represents the minimum number of digits for the new password.

? ? ? ? ? ? Ucredit=n: It's similar to Dcredit, but it's about capital letters.

? ? ? ? ? ? Lcredit=n: It's similar to dcredit, but it says lowercase letters.

? ? ? ? ? ? Ocredit=n: It's similar to Dcredit, but it's about special characters.

? ? ? ? ? ? Use_authtok: Use this option after a password-related validation module, such as the pam_unix.so authentication module

? ? ? ? ? ?? Pam_cracklib the basic module of the modular Pam configuration interface, the configuration file in the Debian system is/etc/pam.d/common-password but the configuration file in the Redhat system is/etc/pam.d/system-auth His configuration looks like the following:

? ? ? ? ? ?? Password Required pam_cracklib.so retry=3 minlen=6 difok=3

? ? ? ? ? ? Password Required pam_unix.so MD5 Use_authtok

? ? ? ? ? ? The first line is the Pam_cracklib module and several module parameters of the Setup

? ? ? ? ? ? The second line is the Pam_unix module, MD5 means MD5 encryption

? ? ? ? ? ?? Pam_cracklib can record the historical password used by the user, and does not allow the user to reuse the old password, actually storing the user old password is through the Pam_unix module.

The first step is to create an empty file to store the old password/etc/security/opasswd, if you do not create a file but use the history password record function, all the password update will fail, because the Pam_unix module will error.

? ? ? ? ? OPASSWD is like a/etc/shadow file because he logs the hash of the user's password

? ? ? ? ? touch/etc/security/opasswd

? ? ? ? ? Chown root:root/etc/security/opasswd

? ? ? ? ? chmod 600/etc/security/opasswd

Once the OPASSWD file has been established, the Pam_unix module can be appended with the parameter remember=n to start recording the old password, the remember parameter records how many old passwords you want to record, his maximum value is 400, If you set the value more than 400 will be treated as 400来, for example:

? ? ? ? ? Password Required pam_cracklib.so retry=3 minlen=12 difok=4

? ? ? ? ? Password required pam_unix.so MD5 remember=12 Use_authtok

? ? ? ? ? The opasswd file content format is as follows:

? ? ? ? ? Hal:1000:<n>:

? ? ? ? ? In the ': ' section, the first column is the user name, the second column is the user ID, the third column is currently logged the user how many old password, Hashn is the MD5 value of each password, OPASSWD is automatically established when some systems install the PAM module.

????? password Dictionary Check

? ? ? ? ? ? ? ? Pam_cracklib can also check that the password set by the user is not a violation of the internal system password dictionary, pam_cracklib in the Debian system???? The password dictionary is in the/var/cache/cracklib directory, and every night the Update-cracklib script automatically rebuild the password dictionary.

??????./etc/login.defs file set the password expiration time and a series of parameters, Note that the parameters set in Login.defs only have the properties set in Login.defs when you create a new user with the system's Useradd program, and if you are creating a new user with another machine, you do not have the above properties, but you can manually add related properties by trying the chage command.

????? The Chage parameters are as follows:

The minimum number of days a password can be changed. At zero, the password can be changed at any time.

The maximum number of days that the password remains valid for the?????

?????-the number of days before the user's password expires, before the warning message is received.

?????-e account expiration date. This account will not be available after this day.

?????-d last Changed date

?????-I stasis period. If a password has expired these days, then this account will not be available.

The.????-l example shows the current setting. By non-privileged users to determine when their password or account expires.

Linux PAM's Cracklib module