PAM pam_passwdqc.so filter passphrase suggestions

Support for security such as Firewalls and securing linux
Post Reply
VirtualGuard
Posts: 2
Joined: 2014/06/27 18:23:29

PAM pam_passwdqc.so filter passphrase suggestions

Post by VirtualGuard » 2014/06/27 18:32:21

I would like to filter the passphrase suggestions that are provided by the passwdqc module when a user tries to change his/her password. For example in the following text

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use an X character long
password with characters from at least X of these X classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.

A passphrase should be of at least 3 words, 16 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "robust-emit&wood".

Is there a ways to filter the passphrase as for example not to show the word "robust" ever. also can I customize the above message?
This is being done to filter out any abusive words that could potentially appear in the suggested password list.

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM pam_passwdqc.so filter passphrase suggestions

Post by TrevorH » 2014/06/27 20:02:43

Did you read man pam_passwdqc to see what options it has?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

VirtualGuard
Posts: 2
Joined: 2014/06/27 18:23:29

Re: PAM pam_passwdqc.so filter passphrase suggestions

Post by VirtualGuard » 2014/06/27 21:35:22

I can't find any information regarding custom message or random passphrase generation filters under the man pages. Is there a specific dictionary file that this module uses? if yes can we edit that.?

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM pam_passwdqc.so filter passphrase suggestions

Post by TrevorH » 2014/06/27 22:14:05

I can't find any information regarding custom message
I had assumed that this part of the man page covered that but perhaps I'm misreading it?
oldpass_prompt_file, newpass_prompt_file = absolute-file-path
These can be used to override prompts while requesting old password and new password,
respectively. The maximum size of the prompt files can be 4096 characters at present. If
the file size is more than 4096 characters, the output will be truncated to 4096 charac-
ters.
I'm not aware of how it gets its dictionary but running strings /lib64/security/pam_passwdqc.so | less looks to me like it is compiled in.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply