# [Solved] Dictionary usage with pam_passwdqc

## sgentry6

I have what may seem to be a weird question.  I really like how pam_cracklib allows me to add words to a dictionary, which is then checked when a user attempts to update a password.  I also really like how pam_passwdqc enforces ALL users to follow the rules it sets forth.  

Is there any way that I can stack those with pam?  Is this how the pam_stack module would work?  The only option I want set from pam_passwdqc is the enforce=everyone.  The dictionary for pam_passwdqc isn't quite large enough.  I know I could recompile the source for either one of these applications, but I would much rather be able to do this inside of the pam configuration file.

I have been playing around with this, but without the success I have been looking for yet.  Any suggestions?

Thanks.

Last edited by sgentry6 on Tue Mar 28, 2006 6:38 pm; edited 3 times in total

----------

## sgentry6

http://www.redhat.com/archives/pam-list/2002-June/msg00013.html

On Sun, Jun 09, 2002 at 04:13:52AM +1000, Jenn Vesperman wrote:

> > On Fri, Jun 07, 2002 at 05:30:51PM +1000, John Warburton wrote:
> >
> > > My question is that cracklib has a huge dictionary & I can add to it. But,
> > > pam_passwdqc has a small dictionary in wordset_4k.c (it doesn't even have
> > > the word "snoopy" ;) I don't feel as safe with pam_passwdqc as it has a
> > > small dictionary, yet Solar Designer really has it in for libcrack, and I
> > > respect Solar Designer's opinion.
>
> Why not use both? Stack them. Make the users pass both systems.

It's not such a good idea because:

1. One of the features of pam_passwdqc is its support for passphrases. They may contain dictionary words, yet be strong enough.  Also using CrackLib would defeat that.

2. Both pam_passwdqc and pam_cracklib support user interaction.  In order to stack both modules, you'd have to disable user interaction in one (which, at least for the case of pam_passwdqc, is supported).  The disadvantage is that by doing so you disallow having multiple attempts to enter a new password which would satisfy the module for which user interaction has been disabled.  If a weak password is entered (by that module's definition), pam_chauthtok() will immediately return failure.

This is possible; I am continuing to look at the documentation for passwdqc to see how to do this.  I will post if I have success.

----------

## sgentry6

```
password   required   pam_cracklib.so      difok=3    minlen=8   ucredit=-1    lcredit=-1    dcredit=0     ocredit=0    retry=3
password   required   pam_passwdqc.so   min=disabled,8,8,8,8 passphrase=0 similar=deny match=4 random=0 enforce=everyone use_authtok
password   sufficient  pam_unix.so           remember=20 md5 shadow use_authtok
password   required   pam_deny.so
```

This seems to be working for now.  Most of those options from pam_passwdqc.so are the defaults.

I will test this out some more to see if this fully works.

----------

## sgentry6

That brings me "closer".  

Passwd successfully returns failure if I use something like "testing" as a password; however, if I go to log in as that user, the password has changed.

----------

## sgentry6

Changing the above to:

```
password   required   pam_passwdqc.so   min=disabled,8,8,8,8 passphrase=0 similar=deny match=4 random=0 enforce=everyone
password   required   pam_cracklib.so      difok=3    minlen=8   ucredit=-1    lcredit=-1    dcredit=0     ocredit=0    retry=3 use_authtok
password   sufficient  pam_unix.so           remember=20 md5 shadow use_authtok
password   required   pam_deny.so
```

seems to be working; the retry, of course, is thrown out the window.  I think this will be suitable for my needs though.  More testing to come.
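The "passwd reports failure but the password still changed" symptom from the previous post follows from how Linux-PAM evaluates control flags (pam.conf(5)): a failed `required` module records the failure but the rest of the stack, including the `sufficient` pam_unix entry that writes the token, is still invoked, whereas `requisite` aborts the stack at once. The simulator below is an added example of my own, not code from the thread or from Linux-PAM; it models a single pass over the stack with module outcomes supplied by the caller, and the `requisite` variant is an assumed hardening, not something the thread proposes.

```python
"""Simulate Linux-PAM control-flag evaluation for a 'password' stack.

Added example: module results are supplied by the caller, so this runs
offline without touching real PAM modules or /etc/pam.d.
"""
from typing import Dict, List, Tuple

# A stack entry is (control flag, module name); module arguments are
# omitted because only the control flag drives the flow shown here.
Stack = List[Tuple[str, str]]


def run_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """One pass over the stack (think of the PAM_UPDATE_AUTHTOK pass).

    outcomes: module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (result handed back to the application, modules invoked).
    """
    invoked: List[str] = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = outcomes[module]
        if control == "required" and not ok:
            required_failed = True       # remember it, but keep going
        elif control == "requisite" and not ok:
            return False, invoked        # abort: later modules never run
        elif control == "sufficient" and ok and not required_failed:
            return True, invoked         # stack done, later modules skipped
        # optional entries and the remaining cases simply continue
    return not required_failed, invoked


# The stack posted above, arguments dropped.
POSTED_STACK: Stack = [
    ("required", "pam_passwdqc.so"),
    ("required", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]

# Assumed hardening (not from the thread): the quality checks abort the stack.
REQUISITE_STACK: Stack = [("requisite", m) if m in ("pam_passwdqc.so", "pam_cracklib.so")
                          else (c, m) for c, m in POSTED_STACK]

# Constructed outcome: passwdqc rejects the candidate, cracklib accepts it,
# pam_unix would happily write it, pam_deny always fails.
WEAK_PASSWORD = {"pam_passwdqc.so": False, "pam_cracklib.so": True,
                 "pam_unix.so": True, "pam_deny.so": False}


def password_changed(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, bool]:
    """Return (what passwd reports, whether pam_unix actually ran)."""
    result, invoked = run_stack(stack, outcomes)
    return result, "pam_unix.so" in invoked
```

With `POSTED_STACK` and `WEAK_PASSWORD`, `password_changed` returns `(False, True)`: passwd reports failure yet pam_unix ran and wrote the token, exactly the symptom observed; with `REQUISITE_STACK` it returns `(False, False)`.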

----------

## sgentry6

Still doesn't work.  

A lower case word in the cracklib dictionary that isn't in the wordset_4k file will pass if you add a number to it.

Still looking to hack these two together or modify the source to cracklib, which I would rather not do.

----------

## sgentry6

"Fused" together the source code.  It is rather hacky since I hardcoded the system dictionary pages, if anyone is interested let me know.

Added in the ability to require characters of certain classes (upper case, lower case, digits, and other characters).

Added in the system dictionaries as well as a dictionary created by create-cracklib-dict.

Words in the dictionaries will go through the passwdqc checks rather than through the cracklib checks (the passwdqc checks seem to be more thorough).

----------

## sgentry6

No longer hardcoded dictionaries.

Options can be parsed in.

Looks like no one else cares about this topic either  :)

----------

