
The Geek Diary


How to add words to the dictionary cracklib uses for validating passwords against known dictionary words

By admin

How can additional words be added to the password dictionary that pam_cracklib checks in Red Hat Enterprise Linux 6?

What is PAM cracklib

Red Hat Enterprise Linux can be configured to verify that passwords cannot be guessed easily. On Red Hat Enterprise Linux this check is performed by the Pluggable Authentication Module (PAM) /lib/security/pam_cracklib.so. It checks to ensure that passwords are a minimum length and verifies that a password does not occur in a dictionary.

The dictionary used by this module is located in /usr/lib/ and is in cracklib format. By default, each of the dictionary files is prefixed with the file name cracklib_dict.

This module has a number of parameters; some of the more useful ones are:

Parameter   Description
minlen      Specifies the minimum length allowed for an account password
difok       Specifies the minimum number of characters that have to differ from the previous password

For example, add the following line to the /etc/pam.d/system-auth file:

password   required   /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3

Note: The type= argument does not need a value unless you want to define this parameter. Defining it will alter the message printed as a prompt to the user.

Additional information about the pam_cracklib module can be found in the system documentation at: /usr/share/doc/pam-/txts/README.pam_cracklib

Adding new words to the cracklib dictionary

Follow the steps below to add words to the dictionary cracklib uses for validating passwords against known dictionary words.

1. Ensure the following RPMs are installed on your CentOS/RHEL/Fedora server:

pam-1.1.1-22.0.1.el6.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
words-3.0-17.el6.noarch

Note that the RPM versions will vary with the OS version.

2. Check whether the word to be added already exists in the dictionary.

# echo "pwd1234@" | cracklib-check
pwd1234@: OK

The “OK” in the output indicates that the new word is not already included in the dictionary.

3. Edit /usr/share/dict/linux.words and add “pwd1234@” at the end of the file.

# vi /usr/share/dict/linux.words
pwd1234@

Then verify that the entry has been added to the file:

# tail /usr/share/dict/linux.words
Zyzomys
Zyzzogeton
zyzzyva
zyzzyvas
ZZ
Zz
zZt
ZZZ
pwd1234@

4. Update the cracklib dictionary with the command below:

# create-cracklib-dict /usr/share/dict/linux.words

5. Check once again whether the word has been added to the dictionary:

# echo "pwd1234@" | cracklib-check
pwd1234@: it is based on a dictionary word

The output above shows that the new word is now in the dictionary.

6. Now try the same password as a regular user as well:

$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password: >>>>>>>>>>>>> Input pwd1234@
BAD PASSWORD: it is based on a dictionary word

As you can see from the output above, the new word added to the dictionary cannot be used as a password now.
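
The steps above, scripted for a whole list of site-specific words instead of a single one (an added example, not part of the original article). It assumes a banned-word file with one word per line and '#' comments; the function names and the CRACKLIB_CHECK and CRACKLIB_BUILD variables are hypothetical.

```bash
#!/bin/bash
# Added example, not from the article. CRACKLIB_CHECK / CRACKLIB_BUILD and the
# banned-word file format (one word per line, '#' comments) are assumptions.
WORDLIST="${WORDLIST:-/usr/share/dict/linux.words}"        # word list from the article
CRACKLIB_CHECK="${CRACKLIB_CHECK:-cracklib-check}"
CRACKLIB_BUILD="${CRACKLIB_BUILD:-create-cracklib-dict}"

# Append each word of file $1 that is not already an exact line of file $2.
# Echoes how many words were added; a second run adds nothing.
merge_words() {
    local src="$1" dst="$2" added=0 word
    # A list without a trailing newline would glue the first new word onto
    # its last entry, so terminate the last line first.
    [ -z "$(tail -c 1 "$dst")" ] || echo >> "$dst"
    while IFS= read -r word || [ -n "$word" ]; do
        case $word in ''|'#'*) continue ;; esac
        if ! grep -qxF -e "$word" "$dst"; then
            printf '%s\n' "$word" >> "$dst"
            added=$((added + 1))
        fi
    done < "$src"
    echo "$added"
}

# Succeeds only when the checker answers something other than "<word>: OK".
# Empty output or a missing checker counts as "not rejected", so it gets reported.
is_rejected() {
    local out
    out=$(printf '%s\n' "$1" | "$CRACKLIB_CHECK") || return 2
    case $out in ''|*': OK') return 1 ;; esac
    return 0
}

# Back up the list, merge, rebuild the dictionary, then re-test every word.
# Returns non-zero if any banned word is still accepted after the rebuild.
apply_banned_words() {
    local src="$1" word rc=0
    cp -p "$WORDLIST" "$WORDLIST.bak" || return 1
    merge_words "$src" "$WORDLIST" > /dev/null || return 1
    "$CRACKLIB_BUILD" "$WORDLIST" > /dev/null || return 1
    while IFS= read -r word || [ -n "$word" ]; do
        case $word in ''|'#'*) continue ;; esac
        is_rejected "$word" || { echo "still accepted: $word" >&2; rc=1; }
    done < "$src"
    return "$rc"
}

# Run as root with the banned-word file as the only argument.
if [ "$#" -gt 0 ]; then apply_banned_words "$1"; fi
```

cracklib-check also rejects words for reasons other than the dictionary (for example, being too short), so is_rejected confirms that a word is refused, not why.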

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, CentOS/RHEL 8, Fedora, Linux


© 2021 · The Geek Diary