9
2
I'm using Fedora 19. By default it's setup with pam to disable bad passwords, like "password". This is good. Trying to change this default is infuriating. This is a box for testing internal stuff, not connected to the internet, nor any machine that is. Bad passwords facilitate the testing process. Alternatively, how the hell do you change password requirements at all??
system-auth
man pam_cracklib
has some great examples of setting different password requirements. So I open up /etc/pam.d/system-auth
, which is where you see lines like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
*headdesk*. In my experience, warnings like this mean your changes are wiped every time the package manager is run and/or randomly.
authconfig
So...authconfig
is the next step. I look for all files named "authconfig". /etc/sysconfig/authconfig
looks promising. And, no warning at the top about destroying my edits on a whim. I find this line USEPWQUALITY=yes
and change it. Now I run:
# authconfig --test
<snip>
pam_pwquality is enabled (try_first_pass retry=3 authtok_type=)
<snip>
wtf. So let's read man authconfig
a little closer. Oh! Looks like that file isn't read by authconfig, it's changed. So....how do you configure authconfig? The manual suggests system-config-authentication
, which I install and doesn't provide anything resembling a checkbox to disable pam_pwquality. The next suggestion from the manual is command line options. Great! I love command line tools. Only, none of the documented command line options disable pam_pwquality.
pwquality.conf
Thanks to Aaron's answer, I learned that a couple years ago fedora decided to make /etc/security/pwquality.conf
the place to configure password quality requirements. Unfortunately, as documented in the file and in man 5 pwquality.conf
, there (1) isn't a way to disable the dictionary checking and (2) can't set allowed password length below six.
If it's internal why is Pam installed or even enabled? – Ramhound – 2013-09-19T17:23:23.957
1@Ramhound because fedora is infested with pam.
yum remove pam
removes, as far as I can tell by the time it takes to scroll all its depending packages, everything. Including yum and systemd. Also, disabling pam feels like a sledgehammer, when I think I just want to use sand paper. – djeikyb – 2013-09-19T17:47:27.583