Provide pam_passwdqc setup example for Linux
solardiz opened this issue · 3 comments
In PLATFORMS, we happen to have more specific instructions for some non-Linux systems than we do for Linux. We should similarly add instructions and/or example(s) for common Linux distributions.
Our current:
Most modern Linux distributions use Linux-PAM with a password changing
module which understands "use_authtok". Thus, you may choose which
module prompts for the old password, things should work either way.
assumes that the reader knows where and how to add pam_passwdqc
to the PAM stack, and only needs that specific configuration detail above - but many people reading that don't have such knowledge.
For FreeBSD/DragonFly and OpenBSD, we refer to specific pathnames to make edits to. For many people, that's much more helpful.
For Solaris, we refer to a wiki page, which has instructions and examples. That's also more helpful (than what we have for Linux), although we could want to have our documentation in here more self-contained.
Tested on Ubuntu 22.04:
+++ /etc/pam.d/common-password 2022-05-28 12:34:48.086924767 +0000
@@ -22,7 +22,8 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-password [success=1 default=ignore] pam_unix.so obscure yescrypt
+password requisite pam_passwdqc.so config=/etc/passwdqc.conf
+password [success=1 default=ignore] pam_unix.so use_authtok obscure yescrypt
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
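Review bot: the context line "# pam-auth-update(8) for details." shows that this "Primary" block of common-password is managed by pam-auth-update, so a hand edit like this may be overwritten (or trigger a prompt) the next time that tool runs, for example on a PAM-related package upgrade; the instructions should either say so or describe shipping a pam-auth-update profile for pam_passwdqc instead. Also, the added line hard-codes config=/etc/passwdqc.conf, so the text should state that the file must exist at that path.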
Edit: added the optional config=/etc/passwdqc.conf above. Can also mention the need to apt install libpam-dev to get passwdqc to build on Debian/Ubuntu.
Tested on AlmaLinux 8.5 (RHEL 8.5 rebuild):
To build, first dnf install pam-devel. After make install, additionally run:
mv /lib/security/pam_passwdqc.so /lib64/security/
ldconfig
+++ /etc/pam.d/system-auth 2022-05-28 15:03:09.051496482 +0200
@@ -7,7 +7,7 @@
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password requisite pam_passwdqc.so config=/etc/passwdqc.conf
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
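Review bot: the removed pam_pwquality line carried local_users_only and retry=3, while the replacement pam_passwdqc line carries neither; the instructions should mention that pam_passwdqc has its own retry= option (defaulting to 3 retries) and that dropping local_users_only means the quality check now also applies to accounts not present in /etc/passwd (e.g. SSSD users), if that matters on the target system. The unchanged pam_unix line keeps use_authtok, which is what makes it reuse the password accepted by pam_passwdqc instead of prompting again, so that line is worth calling out as required.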
+++ /etc/pam.d/password-auth 2022-05-28 15:03:07.069496446 +0200
@@ -7,7 +7,7 @@
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password requisite pam_passwdqc.so config=/etc/passwdqc.conf
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
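Review bot: this hunk is identical to the system-auth one above, and the "This file is auto-generated" header quoted later in the thread applies to both files, so the final instructions should present one edit to apply to both and describe doing it through an authselect custom profile (authselect create-profile) rather than hand-editing /etc/pam.d/, otherwise the change is lost the next time authselect runs.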
Also on the same AlmaLinux 8.5 as above, after dnf install rpm-build, a rpmbuild -tb passwdqc-2.0.2.tar.gz (as suggested in our INSTALL) just works, and the package has /lib64/security/pam_passwdqc.so right away (proper location for this distro). So this could be our primary recommendation.
Edit: putting this all together, something like this:
sudo dnf install pam-devel rpm-build
rpmbuild -tb passwdqc-2.0.2.tar.gz
sudo rpm -Uvh rpmbuild/RPMS/x86_64/passwdqc-2.0.2-owl1.x86_64.rpm
Then edit the config files.
A concern is that the config files are autogenerated:
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
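As an added example (not part of the passwdqc project or of this issue thread), the following Python script parses the post-change password stacks shown in the Ubuntu and AlmaLinux snippets above (embedded here as constructed samples), checks the two properties the diffs rely on (pam_passwdqc.so listed as requisite ahead of pam_unix.so, and pam_unix.so carrying use_authtok), and flags any file carrying the authselect "auto-generated" header quoted in the last comment, since edits there are lost the next time authselect runs. The function names and the exact wording of the findings are this example's own.

```python
"""Sanity-check a Linux-PAM password stack for a pam_passwdqc setup.

Added example, not project code: it validates the layout used in the
Ubuntu and AlmaLinux diffs above and warns about authselect-generated files.
"""
import re

# Constructed sample: resulting /etc/pam.d/common-password block on Ubuntu 22.04
UBUNTU_COMMON_PASSWORD = """\
# here are the per-package modules (the "Primary" block)
password requisite pam_passwdqc.so config=/etc/passwdqc.conf
password [success=1 default=ignore] pam_unix.so use_authtok obscure yescrypt
# here's the fallback if no module succeeds
password requisite pam_deny.so
"""

# Constructed sample: resulting /etc/pam.d/system-auth block on AlmaLinux 8.5
ALMA_SYSTEM_AUTH = """\
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
account required pam_unix.so
password requisite pam_passwdqc.so config=/etc/passwdqc.conf
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
"""

# Constructed sample: the unmodified Ubuntu stack, i.e. the "before" state
UBUNTU_BEFORE = """\
password [success=1 default=ignore] pam_unix.so obscure yescrypt
password requisite pam_deny.so
"""

AUTOGEN_MARKER = "This file is auto-generated."

# type, control (either a bare word or a bracketed action list that may
# contain spaces), module path, then the module's arguments
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_password_stack(text):
    """Return (module, control, args) tuples for the 'password' type lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            continue
        mtype, control, module, rest = m.groups()
        if mtype != "password":
            continue
        entries.append((module, control, rest.split()))
    return entries


def check_passwdqc_stack(text):
    """Return a list of findings; an empty list means the stack matches the diffs."""
    findings = []
    if AUTOGEN_MARKER in text:
        findings.append("file is generated by authselect; manual edits will be overwritten")
    stack = parse_password_stack(text)
    modules = [m for m, _, _ in stack]
    if "pam_passwdqc.so" not in modules:
        findings.append("pam_passwdqc.so is not in the password stack")
        return findings
    qc_index = modules.index("pam_passwdqc.so")
    if stack[qc_index][1] != "requisite":
        findings.append("pam_passwdqc.so is not 'requisite', so a rejected password would not stop the stack")
    for i, (module, _control, args) in enumerate(stack):
        if module != "pam_unix.so":
            continue
        if i < qc_index:
            findings.append("pam_unix.so runs before pam_passwdqc.so, so it would prompt first")
        if "use_authtok" not in args:
            findings.append("pam_unix.so lacks use_authtok and would prompt for a new password again")
    return findings


if __name__ == "__main__":
    for name, sample in [("ubuntu", UBUNTU_COMMON_PASSWORD),
                         ("almalinux", ALMA_SYSTEM_AUTH),
                         ("ubuntu-before", UBUNTU_BEFORE)]:
        print(name, check_passwdqc_stack(sample) or "ok")
```

Run it as-is to see the three samples evaluated; point `check_passwdqc_stack` at the contents of a real /etc/pam.d file to check a system after following the steps above.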