topic Re: how to disable complex password in Operating System - Linux

how to disable complex password

Maaz — Thu, 02 Dec 2004 14:36:14 GMT

Hello Gurus

OS: rhl 9.0, FC2
Ordinary users have to provide complex password if they want to change/set their password.
How can I disable the complex password feature, so that ordinary users can set/change their password by providing simple/dictionary based password.

In short I want to enable dictionary-based or simple password.

Regards
Maaz

P.S. We dont have any security needs.

Re: how to disable complex password

Maaz — Thu, 02 Dec 2004 22:20:10 GMT

is it not possible to disable complex password ?
I want my linux systems accept simple/dictionary-based password, from ordinary users, if they(ordinary users) wana change their password.

Regards
Maaz

Re: how to disable complex password

Ermin Borovac — Thu, 02 Dec 2004 22:29:16 GMT

This is really NOT recommended but if you really want to do it try the following.

Edit your /etc/pam.d/passwd. The line that starts with 'password' is significant.

password required pam_stack.so service=system-auth

Replace the line with

password required pam_unix.so nullok md5 shadow

Now users should be able to choose 'simple' passwords (minimum length 6 characters).

Re: how to disable complex password

Maaz — Fri, 03 Dec 2004 14:12:33 GMT

Dear Ermin Borovac, I m highly Thankful to u for the response/help, and as well as for ur kind SUGGESTION/ADVICE.

If u or anyone can plz explain what does the following line means ?
password required pam_unix.so nullok md5 shadow

Regards
Maaz

Re: how to disable complex password

Chris Xu — Fri, 03 Dec 2004 16:47:37 GMT

Hope the following explains it:

pam_unix now comes as one module pam_unix.so.

The following links are left for compatibility with old versions:
pam_unix_auth: authentication module providing
pam_authenticate() and pam_setcred() hooks
pam_unix_sess: session module, providing session logging
pam_unix_acct: account management, providing shadow account
managment features, password aging etc..
pam_unix_passwd: password updating facilities providing
cracklib password strength checking facilities.

The following options are recognized:
debug - log more debugging info
audit - a little more extreme than debug
use_first_pass - don't prompt the user for passwords
take them from PAM_ items instead
try_first_pass - don't prompt the user for the passwords
unless PAM_(OLD)AUTHTOK is unset
use_authtok - like try_first_pass, but * fail * if the new
PAM_AUTHTOK has not been previously set.
(intended for stacking password modules only)
not_set_pass - don't set the PAM_ items with the passwords
used by this module.
shadow - try to maintian a shadow based system.
md5 - when a user changes their password next,
encrypt it with the md5 algorithm.
bigcrypt - when a user changes their password next,
excrypt it with the DEC C2 - algorithm(0).
nodelay - used to prevent failed authentication
resulting in a delay of about 1 second.
nis - use NIS RPC for setting new password
remember=X - remember X old passwords, they are kept in
/etc/security/opasswd in MD5 crypted form
broken_shadow - ignore errors reading shadow information for
users in the account management module

invalid arguments are logged to syslog.

Chris

Re: how to disable complex password

Ermin Borovac — Fri, 03 Dec 2004 18:43:29 GMT

Lines starting with keyword 'password' are used to manage password policies.

/etc/pam.d/passwd
password required pam_stack.so service=system-auth

The previous line refers /usr/bin/passwd command to use lines starting with 'password' in /etc/pam.d/system-auth file.

/etc/pam.d/system-auth
password required pam_cracklib.so retry=3 type=
password required pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so

Line containing pam_cracklib is responsible for strong password checking. Module pam_unix.so can also do some very basic password checks.

In my suggestion I have forced password command to use pam_unix.so module for password checking, which allows users to select simple passwords.

Hope that clears it up a bit.

Check directory /usr/share/doc/pam-*/txts on your RHL/FC system for more information.

Re: how to disable complex password

Maaz — Fri, 03 Dec 2004 21:35:00 GMT

Dear Chris Xu, and Ermin Borovac, I m highly Thankful to u both for such a prompt and detailed explainations. I highly appreciate

Once again, Thanks a Million.

Regards
Maaz