Troubleshooting
Problem
The IBM PDA customer wants to set up password controls on the IBM PDA hosts in Linux.
Symptom
Password controls have not been setup in Linux.
Cause
Business need for more secure passwords.
Environment
Any IBM PDA appliance running RHEL5 or RHEL6
Diagnosing The Problem
The customer wouldlike to set up tricter password control rules for the IBM PDA appliance hosts. The host settings are defined below:
minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be met for a new password.
ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or N upper case letters each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of upper case letters that must be met for a new password.
lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or N lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of lower case letters that must be met for a new password.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of other characters that must be met for a new password.
Resolving The Problem
Edit /etc/pam.d/system-auth-ac with the requested password controls.
Below is an example of a customer request for the passwrod controls to be set as follows:
minlen=8,
lcredit=-1
ucredit=-1
dcredit=-1
ocredit=-1
cd /etc/pam.d
cp system-auth-ac system-auth-ac.bkp
vi system-auth-ac
edit line as follows:
old
password requisite pam_cracklib.so try_first_pass retry=3
new
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
Save and exit vi. Repeat steps on both hosts.
Changes will take effect immediately.
VERY IMPORTANT: Ensure client can log in to another session after the changes have been made before closing your open session to test and if not then there is an issue with the settings or the customer's password doesn't meet the rules.
To recover: Revert back to old settings from backup file made.
Was this topic helpful?
Document Information
Modified date:
17 October 2019
UID
swg21977919