# Need help configuring PAM (Pluggable Authentication Module)

## cdelc040

I am trying to configure PAM on a server to only allow people to use "secure" passwords (at least one number, symbol, uppercase, and lowercase; length >= 8).  I have been searching the internet and trying to follow instructions that are out there and it all seems so different than it should be.  I have changed my /etc/pam.d/passwd file to be

```
#%PAM-1.0

auth     required pam_unix.so shadow nullok

account  required pam_unix.so

password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=1 ocredit=1 lcredit=1 ucredit=1

password required pam_unix.so md5 use_authtok

session  required pam_unix.so
```

instead of

```
#%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   include      system-auth
```

According to many articles I've read it should have fixed the password security issue, but it didn't.  I can enter just about any password (non-dictionary word) that I want (particularly just numbers and lowercase letters).  Why?  Can anyone help me?  Thanks.

----------

## cdelc040

Never mind.  The problem is that if you want to enforce the restrictions I wanted, you need to use negative numbers, like this:

```
password required pam_cracklib.so debug difok=3 retry=3 minlen=8 dcredit=-1 ocredit=-1 lcredit=-1 ucredit=-1
```

Answer was found at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html.  I hope this can help someone else out.

Also, if you are interested in password security, check out chage, a utility to change a user's password expiration information.

----------
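The following is an added example, not part of either post and not pam_cracklib's own code. It is a simplified Python model of the credit rule as documented for pam_cracklib (a positive credit lets up to N characters of that class count toward `minlen`; a negative credit requires at least N of that class), run against the two `password` lines from the thread. The function names and sample passwords are constructed for illustration, and the dictionary, `difok` and similarity checks are not modelled.

```python
# Documented pam_cracklib defaults when an option is not given.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

# The two lines from the thread.
ORIGINAL = ("password required pam_cracklib.so difok=3 retry=3 minlen=8 "
            "dcredit=1 ocredit=1 lcredit=1 ucredit=1")
FIXED = ("password required pam_cracklib.so debug difok=3 retry=3 minlen=8 "
         "dcredit=-1 ocredit=-1 lcredit=-1 ucredit=-1")

def parse_opts(pam_line):
    """Pull minlen and the four credit options out of a PAM config line."""
    opts = dict(DEFAULTS)
    for tok in pam_line.split():
        key, sep, val = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(val)
    return opts

def count_classes(pw):
    """Count digits, uppercase, lowercase and 'other' characters."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in pw:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def passes_credit_rule(pw, opts):
    """True if pw satisfies the modelled minlen/credit rule."""
    needed = opts["minlen"]
    for key, n in count_classes(pw).items():
        credit = opts[key]
        if credit >= 0:
            needed -= min(n, credit)  # credit: shortens the required length
        elif n < -credit:
            return False              # requirement: too few of this class
    return len(pw) >= needed

if __name__ == "__main__":
    for pw in ("abc1234", "Abc12!x", "Abc123!x"):  # constructed samples
        print(pw, passes_credit_rule(pw, parse_opts(ORIGINAL)),
              passes_credit_rule(pw, parse_opts(FIXED)))
```

With the positive credits, each character class present lowers the effective minimum length, so a seven-character lowercase-and-digit password is accepted; with the negative values, every class is mandatory and the full `minlen=8` applies.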

