credit or minclass does not work well with pam_cracklib.so in common-password (openSUSE 11.3)
- by Mario
I'm trying to implement password complexity on my PDC. It's a Samba PDC with an OpenLDAP backend. I tried cracklib-check, but it looks like I should have a decent, localized version of the password library, since the libraries out there usually come in English. I also have another consideration: we will allow users to use any kind of password - even if it's dictionary based - as long as their passwords combine lower/upper-case letters, digits, and other characters such as '$' or '_' (pam_cracklib.so calls them classes).
So here is my /etc/pam.d/common-password:
#password requisite pam_pwcheck.so nullok cracklib
password requisite pam_cracklib.so minclass=4 reject_username
##password requisite pam_cracklib.so \
## dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username
password optional pam_gnome_keyring.so use_autht_ok
password required pam_unix2.so use_authtok nullok
The first commented line (with #) was the default configuration of openSUSE 11.3. The 2nd/3rd lines (with leading ##) are another configuration I use when the minclass=4 line is commented out. By the way, I have
'check password script' = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
and
passdb backend = ldapsam:ldap://127.0.0.1
parameters in smb.conf and cracklib-check works fine too.
So here is the test I conducted. I log on to Windows and then change my password. Sometimes it works fine in that it throws an error message - which is what I wanted - but a simple password with only lowercase letters can pass the Windows change password. Maybe I should make a new library which incorporates local vocabulary, but a guy out there (raise your hand please if you read this :) ) also experienced the same trouble with English words. Besides, what we really want is to let users choose a password format with 2 or 3 out of 4 classes. Is there a bug or something with the PAM module in openSUSE 11.3? Thank you in advance.
Regards,
Mario
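
Added example, not part of Mario's post or of any project's code: a character-class check modelled on what pam_cracklib's minclass and negative credit options describe, written so it can be called the way Samba calls a 'check password script' (new password on standard input, exit status 0 to accept). The function names, the default of 3 classes out of 4, and the sample passwords are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Character-class password check (constructed example)."""
import string
import sys

# The four classes pam_cracklib distinguishes; anything that is not an ASCII
# digit or letter (including non-ASCII letters) is counted as "other" here.
CLASSES = {
    "digit": string.digits,
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
}

def class_counts(password):
    """Count how many characters of each class the password contains."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                counts[name] += 1
                break
        else:
            counts["other"] += 1
    return counts

def check(password, min_classes=3, required=None, username=None):
    """Return a list of rejection reasons; an empty list means acceptable."""
    counts = class_counts(password)
    problems = []
    used = sum(1 for n in counts.values() if n > 0)
    if used < min_classes:  # same idea as minclass=N
        problems.append("only %d of %d required classes" % (used, min_classes))
    for name, minimum in (required or {}).items():  # like dcredit=-1 etc.
        if counts[name] < minimum:
            problems.append("needs at least %d %s character(s)" % (minimum, name))
    if username:  # like reject_username: name straight or reversed
        low = password.lower()
        if username.lower() in low or username.lower()[::-1] in low:
            problems.append("contains the user name")
    return problems

def main():
    # The password arrives on stdin; a non-zero exit status rejects it.
    problems = check(sys.stdin.readline().rstrip("\r\n"))
    for reason in problems:
        print(reason, file=sys.stderr)
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main())
```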