Friday, March 10, 2017

11.10 - How to change/disable password complexity test when changing password?


I know that it is a "bad" idea, I know that it is not secure, I know. I searched the net for an answer and all I saw was whining that it's not good. But I like using Linux because it lets me make the system I want and like to use. The end of intro.


I try to change password:


ruslan:~% passwd
Changing password for ruslan.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password

If I try sudo passwd ruslan then I can set any password I want so I don't need password complexity checks for passwd on my system.


After googling I've found that there should be PAM module pam_cracklib that tests password for complexity and it can be configured. But my PAM password settings doesn't include pam_cracklib:


% cat /etc/pam.d/passwd | grep '^[^#]'
@include common-password
% cat /etc/pam.d/common-password | grep '^[^#]'
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite           pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so

I guess that pam_unix makes this test... Oops... Guys, the moment I finished to write this sentence I've got an enlightenment and typed man pam_unix in terminal
where I've found needed options for pam_unix module.


I just removed option obscure and added minlen=1 and now I'm happy. So now I have this line in /etc/pam.d/common-password:


password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

and I can set any password I want.


I decided to keep this post for people who might need this solution also. Sorry and thanks.



Ok, I will answer my question :)


I've found that pam_unix module performs password complexity check and it can be configured.


man pam_unix:


   minlen=n
       Set a minimum password length of n characters. The default value is
       6. The maximum for DES crypt-based passwords is 8 characters.
   obscure
       Enable some extra checks on password strength. These checks are
       based on the "obscure" checks in the original shadow package. The
       behavior is similar to the pam_cracklib module, but for
       non-dictionary-based checks.

Solution:
Alter the line in the pam_unix module in the /etc/pam.d/common-password file to:


password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

It allows you to set any password with minimal length of 1.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...