How can we add additional words to the list of words checked by password dictionary of pam_cracklib in Red Hat Enterprise Linux 6?
What is pam_cracklib?
Red Hat Enterprise Linux can be configured to verify that passwords cannot be guessed easily. On Red Hat Enterprise Linux this check is performed by the Pluggable Authentication Module (PAM) pam_cracklib.so, installed under /lib/security/ (/lib64/security/ on 64-bit systems). It checks that a new password meets a minimum length and that it is not based on a word found in a dictionary.
The dictionary used by this module is located in /usr/lib/ (/usr/lib64/ on 64-bit systems) and is in cracklib format: a set of files sharing the name prefix cracklib_dict (cracklib_dict.hwm, cracklib_dict.pwd and cracklib_dict.pwi). The module does not read a plain word list; words have to be compiled into these index files, which is what the procedures below do.
This module has a number of parameters; some of the more useful ones, including those used in the example below, are:
retry=N   Number of times the user is prompted for a new password before the module gives up (default 1)
type=XXX  Word inserted into the prompt "New XXX password:"; an empty type= gives the plain "New password:" prompt seen in the passwd session at the end of this article
minlen=N  Minimum acceptable length of the new password; by default, character-class credits (digits, upper case, lower case, other characters) count toward it
difok=N   Minimum number of characters in the new password that must not be present in the old password
An example of an implementation would be to add the following line to the /etc/pam.d/system-auth file. The module is referenced by its bare name, which PAM resolves in its default module directory (/lib/security/ on 32-bit and /lib64/security/ on 64-bit systems), so the same line works on both architectures:
password    required    pam_cracklib.so retry=3 type= minlen=8 difok=3
Additional information about the pam_cracklib module can be found on system documentation at: /usr/share/doc/pam-
To add an additional list of words to the password dictionary, either of the two methods below can be used. Note that cracklib also rejects simple transformations of a dictionary word (reversed, with a character dropped, with digits appended, and so on), not only exact matches, so each word added blocks a family of passwords.
Method 1: add the new words to an existing word list file and compile a new database
1. Take a backup of the original files so that they can be restored if required:
# mkdir dict-backup
# cp -r /usr/share/dict/ dict-backup/
# cp -r /usr/share/cracklib/ dict-backup/
# cp -r /usr/lib64/cracklib_dict.* dict-backup/
(On a 32-bit system the last line is cp -r /usr/lib/cracklib_dict.* dict-backup/.)
2. Append the desired words, one per line, to /usr/share/dict/words (this file is provided by the words package).
3. Compile the word lists into the index format that cracklib uses. mkdict normalises its input (lower-cases it, strips comments, blank lines and duplicates, and sorts it) and packer writes the three index files:
### On a 64-bit box:
# mkdict /usr/share/dict/* | packer /usr/lib64/cracklib_dict
### On a 32-bit box:
# mkdict /usr/share/dict/* | packer /usr/lib/cracklib_dict
4. The above command creates (overwriting any existing copies) the following files:
/usr/lib64/cracklib_dict.hwm
/usr/lib64/cracklib_dict.pwi
/usr/lib64/cracklib_dict.pwd
Because mkdict reads only the files under /usr/share/dict/, the rebuilt dictionary contains exactly those words: anything in the stock dictionary that is not in those files is dropped rather than kept. This is why the backup in step 1 matters, and why the second method, which starts from the current list, is usually preferable.
Method 2: export the existing list of words into a new file, append the new words to it, and build a new dictionary from the combined list
1. Export the current dictionary to a plain text file, one word per line:
# cracklib-unpacker /usr/share/cracklib/pw_dict > "some file"
2. Edit the newly created file to add the additional words, one per line.
3. Compile the combined list back into the default location:
# mkdict "/path to file/File" | packer /usr/lib64/cracklib_dict
This creates the new dictionary in the default location, containing all the current words as well as the additional ones.
4. Do NOT change /etc/pam.d/system-auth to point at a dictionary path. pam_cracklib reads the dictionary from its default location, so the new words are picked up as soon as the files are written. (The module does accept a dictpath= option; if one is already set in system-auth, rebuild the dictionary at that path instead.)
5. Now try to change a user's password. The check covers the old words and the new ones, and a password taken from, or based on, a word in the dictionary is rejected with the error shown below:
$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:
BAD PASSWORD: it is based on a dictionary word
A quicker check that does not touch any account is to pipe a candidate password to cracklib-check (from the cracklib package), which prints either "<word>: OK" or the same rejection reason, or to read the compiled dictionary back with cracklib-unpacker and search the output for the word.
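The second method, with the backup step from the first and a read-back check at the end, as one script. This is an added example and not part of the Red Hat article: it assumes the RHEL 6 64-bit paths /usr/share/cracklib/pw_dict and /usr/lib64/cracklib_dict and the tool names the article uses (cracklib-unpacker, mkdict, packer); the work directory /root/cracklib-work, the script name and the function names are my own choices.

```shell
#!/bin/bash
# Added example, not part of the Red Hat article: rebuild the cracklib
# dictionary with extra words while keeping every word already in it
# (the article's second method), taking a backup first (step 1 of its
# first method) and reading the result back to confirm the words landed.
# Assumed RHEL 6 64-bit paths and the tool names the article uses;
# override them with environment variables on another layout.
set -eu

SRC_DICT=${SRC_DICT:-/usr/share/cracklib/pw_dict}   # dictionary to export
DEST_DICT=${DEST_DICT:-/usr/lib64/cracklib_dict}    # prefix pam_cracklib reads
WORK=${WORK:-/root/cracklib-work}                   # scratch and backup dir (assumed)

# merge_wordlists OUT FILE...
# Combine one-word-per-line files into OUT: CRs and blank lines stripped,
# lower-cased (mkdict lower-cases too, and cracklib compares candidates in
# lower case), duplicates removed, sorted. Prints the number of words written.
merge_wordlists() {
    local out=$1 f
    shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    cat -- "$@" \
        | tr -d '\r' \
        | LC_ALL=C tr 'A-Z' 'a-z' \
        | sed '/^[[:space:]]*$/d' \
        | LC_ALL=C sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Keep a copy of the three compiled files so the change can be reverted
# with a plain cp back into place.
backup_dict() {
    mkdir -p "$WORK/backup"
    cp -p "$SRC_DICT".hwm "$SRC_DICT".pwd "$SRC_DICT".pwi "$WORK/backup/"
}

# Export the live list, merge in the extra words, compile the result where
# pam_cracklib looks. mkdict output goes to a file first so that a failed
# mkdict stops the script instead of feeding packer an empty list.
rebuild_dict() {
    local extra=$1
    mkdir -p "$WORK"
    cracklib-unpacker "$SRC_DICT" > "$WORK/current.txt"
    merge_wordlists "$WORK/merged.txt" "$WORK/current.txt" "$extra" > /dev/null
    mkdict "$WORK/merged.txt" > "$WORK/formatted.txt"
    packer "$DEST_DICT" < "$WORK/formatted.txt"
}

# Read the compiled dictionary back and confirm every extra word is in it.
# Fails naming the first missing word; no account is touched.
verify_words() {
    local extra=$1 w
    cracklib-unpacker "$DEST_DICT" > "$WORK/live.txt"
    tr -d '\r' < "$extra" | LC_ALL=C tr 'A-Z' 'a-z' | sed '/^[[:space:]]*$/d' |
    while read -r w; do
        grep -Fxq -- "$w" "$WORK/live.txt" || { echo "missing: $w" >&2; exit 1; }
    done
}

# Usage (as root): ./cracklib-add-words.sh run /root/extra-words.txt
if [ "${1:-}" = "run" ]; then
    extra=${2:?usage: $0 run EXTRA_WORDS_FILE}
    backup_dict
    rebuild_dict "$extra"
    verify_words "$extra"
    echo "dictionary rebuilt at $DEST_DICT; backup in $WORK/backup"
fi
```

The merged list is lower-cased and de-duplicated before packing because mkdict would do the same and cracklib matches in lower case; the read-back check therefore compares lower-cased words, and a word that appears in the extra file with capitals is still found. Nothing in /etc/pam.d/system-auth is touched, matching step 4 of the article; if that file already carries a dictpath= option, set DEST_DICT to the same prefix.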