Koozali.org: home of the SME Server

user-password 7 character limit in v7.2

Offline jfarschman

user-password 7 character limit in v7.2
« on: August 06, 2007, 08:06:57 PM »
Hello,

  I have worked out a way to set password limits in the command line so that I can have 5-character (crackable) passwords, but the server-manager is trouble, informing me that there is still a 7 character minimum.

Code:

yum install pam_passwdqc


Then in /etc/pam.d/system-auth (or actually the templates-custom) alter the required line for the password.
Code:

password    required      pam_passwdqc.so enforce=none min=disabled,5,5,5,5 retry=100


Created a user called 'deleteme' and then did

passwd deleteme

and it lets me set lame passwords.... But the server-manager still says they must be 7 characters.

I should also note there is a file /etc/login.defs with a minimum length, but that should not cause the problem?  

PASS_MIN_LEN    5
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline shell

Change to password policy
« Reply #1 on: August 06, 2007, 11:16:47 PM »
Hi all,

Got this info from the bug tracker and think it will be useful to have included somewhere in the wiki.  Bug #3039

7.2 has implemented a new password policy - dictated by pam module - that requires passwords have a minimum length of 7.

The password rules now are:

    * Strong - Must pass all default cracklib tests and all "normal" tests.
    * Normal - Must have at least 1 digit (0-9), 1 upper ([A-Z]), 1 lower ([a-z]), 1 special char (/-?) and be longer than 6 characters.
    * None - Passwords must be longer than 6 characters.

This should not affect existing passwords, and shouldn't cause problems where the existing password is (to quote jfarschman :) ) "lame", i.e. less than 7 characters.

Cheers,
Shell

Offline TrevorB

Re: user-password 7 character limit in v7.2
« Reply #2 on: August 07, 2007, 12:21:12 AM »
Quote from: "jfarschman"
but the server-manager is trouble, informing me that there is still a 7 character minimum.
The server manager password is for the Admin group, not Users (so you need to look at 'config passwordstrength Admin none' and all associated code)

But I would make doubly sure that you have NO outside access (pptp, ssh, etc.) if you are going to give weak passwords to your admin user.

Trevor B

Offline jfarschman

user-password 7 character limit in v7.2
« Reply #3 on: August 07, 2007, 04:06:55 PM »
Okay guys thanks for the digging,

But....

I have looked at bugzilla 3039 and was not satisfied with that answer.  3039 basically says "live with it" and I don't want to.  So I went on a quest to solve the problem so that I can have 5 character passwords with no variation in character type.

First, install alternate authentication system "pam_passwdqc"

Then alter the /etc/pam.d/system-auth to no longer use the other system and start using the new system.

RESULTS
Inside the command-line I can set lame passwords just fine.  I set the password 12345 for my test user using the passwd command.  The problem is the GUI (server-manager) does not allow a shorter password.

And I do not mean for the admin user... sure that is different.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline pmceache

sme 7.2 password length
« Reply #4 on: August 08, 2007, 02:40:30 PM »
I have fixed this on my server by altering the file:
/usr/lib/perl5/site_perl/esmith/FormMagic on line 789.  Change the 7 to a 5 & "> 6" to "> 4", save the file & give it a try. This worked for me.

sub validate_password
{
    my ($fm,$strength,$pass) = @_;

    use Crypt::Cracklib;

    my $reason;

    if ($strength eq "none") {
        return $fm->localise("Passwords must be at least 7 characters long") unless (length($pass) > 6);
        return "OK";
    }
...

Offline jfarschman

Short passwords - [SOLVED]
« Reply #5 on: August 08, 2007, 03:50:53 PM »
pmceache,

  Excellent!  That does the trick.  I have never messed with FormMagic and should probably look at it more.  It looks like it is enforcing system limits and responding with appropriate error messaging when necessary.

  So... change the system and then change FormMagic.pm as well.

  Solid advice.

  However, if you are following our advice you should know that FormMagic.pm is provided by the e-smith-formmagick rpm and any changes you make will be overwritten upon update.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline pmceache

password length
« Reply #6 on: August 08, 2007, 04:19:12 PM »
This may need to be done through a custom template then. I have never done anything with those yet so if you have some advice that would be great.
...

Offline jfarschman

user-password 7 character limit in v7.2
« Reply #7 on: August 08, 2007, 05:24:18 PM »
pmceache,

  There is no template for the FormMagic.pm file and I am not sure I want one.  It may be better to write a script that checks nightly to see if a new rpm was installed and then sends the admin an email.

  We could also write a sed substitution line that would make the changes.

  My part of the change to the system-auth file can be handled in templates-custom, but not the FormMagic.pm... at least not without rebuilding the RPM and managing it yourself.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com
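
The nightly check suggested in the last reply, as an added example that is not code from the thread or from SME Server: it records a hash of the locally edited file and reports when a package update has replaced it. The function names, the state-file location and the availability of sha256sum on the host are assumptions.

```shell
#!/bin/sh
# Added example: notice when a package update has replaced a locally edited file.
# record_baseline, check_local_edit and the state file are hypothetical names.

# record_baseline FILE STATE
# Store the SHA-256 of FILE (after the local edit was made) in STATE.
record_baseline() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# check_local_edit FILE STATE PATTERN
# Prints one status word and returns a matching exit code:
#   0 unchanged  FILE still matches the recorded baseline
#   1 reverted   FILE changed and PATTERN (the local edit) is gone
#   2 modified   FILE changed but PATTERN is still present
#   3 missing    FILE or STATE cannot be read
check_local_edit() {
    file=$1 state=$2 pattern=$3
    if [ ! -r "$file" ] || [ ! -r "$state" ]; then
        echo missing; return 3
    fi
    current=$(sha256sum "$file" | awk '{print $1}')
    if [ "$current" = "$(cat "$state")" ]; then
        echo unchanged; return 0
    fi
    # -F: treat PATTERN as a fixed string, e.g. 'length($pass) > 4'
    if grep -qF -- "$pattern" "$file"; then
        echo modified; return 2
    fi
    echo reverted; return 1
}

# When run with three arguments (FILE STATE PATTERN), print a line only if
# something changed, so a cron job produces output on drift and is silent otherwise.
if [ "$#" -eq 3 ]; then
    status=$(check_local_edit "$1" "$2" "$3") || echo "$1: $status"
fi
```

Run it from cron with the edited file, the state file and the edited expression as arguments; cron mails any output to the job's owner, which gives the admin notification without extra mail code.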