
6.2 Cracklib pluggable password strength-checker

Synopsis

Module Name: pam_cracklib

Author: Cristian Gafton <gafton@sorosis.ro>

Maintainer: Author.

Management groups provided: password

Cryptographically sensitive:

Security rating:

Clean code base:

System dependencies: Requires the system library libcrack and a system dictionary: /usr/lib/cracklib_dict.

Network aware:

Overview of module

This module can be plugged into the password stack of a given application to provide plug-in strength-checking for passwords. (XXX - note that this does not necessarily work with the pam_unix module, although it is known to work with pam_pwdb, the replacement for the unix module -- see the example below and the pam_pwdb write-up for more information.)

Password component

Recognized arguments:

debug; type=XXX; retry=N

Description:

The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.

The default action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.

The default action may be modified in a number of ways using the arguments recognized by the module:

Examples/suggested usage:

(At the time of writing, this module can only be stacked before the pam_pwdb module. Cracklib strength checking may be compiled by default into the pam_unix module.)

For an example of the use of this module, we show how it may be stacked with the password component of pam_pwdb:

#
# These lines stack two password type modules. In this example the user
# is given 3 opportunities to enter a strong password. The
# "use_authtok" argument ensures that the pam_pwdb module does not
# prompt for a password, but instead uses the one provided by
# pam_cracklib.
#
passwd  password required       pam_cracklib.so retry=3
passwd  password required       pam_pwdb.so use_authtok
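
The stacking rules above (pam_cracklib placed before pam_pwdb, and pam_pwdb given use_authtok) can be checked mechanically. The following Python lint is an added example, not part of the original documentation; its function names and sample configurations are constructed for illustration, and it assumes the single-file pam.conf layout shown above with no line continuations.

```python
# Added example: lint a pam.conf-style password stack for the ordering
# described on this page. The SAMPLE_* inputs are constructed.

def password_stack(conf_text, service):
    """Return [(module, [args])] for the service's password entries, in order."""
    stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        # pam.conf layout: service  type  control  module-path  [arguments]
        if len(fields) < 4:
            continue
        svc, mtype, _control, path = fields[:4]
        if svc == service and mtype == "password":
            stack.append((path.rsplit("/", 1)[-1], fields[4:]))
    return stack


def lint_password_stack(conf_text, service="passwd"):
    """Return a list of findings; an empty list means the stack matches the page."""
    stack = password_stack(conf_text, service)
    names = [module for module, _ in stack]
    findings = []
    if "pam_cracklib.so" not in names:
        findings.append("pam_cracklib.so is not in the password stack")
    for idx, (module, args) in enumerate(stack):
        if module != "pam_pwdb.so":
            continue
        if "pam_cracklib.so" not in names[:idx]:
            # The strength check must run before the token is installed.
            findings.append("pam_pwdb.so is not preceded by pam_cracklib.so")
        elif "use_authtok" not in args:
            # Without use_authtok, pam_pwdb prompts for a password itself
            # instead of using the one pam_cracklib provided.
            findings.append("pam_pwdb.so lacks use_authtok")
    return findings


SAMPLE_GOOD = """
passwd  password required       pam_cracklib.so retry=3
passwd  password required       pam_pwdb.so use_authtok
"""
SAMPLE_REVERSED = """
passwd  password required       pam_pwdb.so use_authtok
passwd  password required       pam_cracklib.so retry=3
"""
SAMPLE_NO_AUTHTOK = """
passwd  password required       pam_cracklib.so retry=3
passwd  password required       pam_pwdb.so
"""
```

An empty result from lint_password_stack means the password stack for the named service follows the ordering shown in the example configuration.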

