How can we add additional words to the list of words checked by password dictionary of pam_cracklib in Red Hat Enterprise Linux 6?
What is PAM cracklib
Red Hat Enterprise Linux can be configured to verify that passwords cannot be guessed easily. On Red Hat Enterprise Linux this check is performed by the Pluggable Authentication Module (PAM) /lib/security/pam_cracklib.so. It checks to ensure that passwords are a minimum length and verifies that a password does not occur in a dictionary.
The dictionary this module reads lives under /usr/lib/ and is stored in cracklib's packed format. By default, the name of each dictionary file begins with cracklib_dict.
This module accepts a number of parameters; some of the more useful ones are listed below:

| Parameter | Description |
|---|---|
| minlen | Specifies the minimum length allowed for a new password |
| difok | Specifies the minimum number of characters that have to differ from the previous password |
As an example, the following line in /etc/pam.d/system-auth enables these checks:

```
password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3
```
Additional information about the pam_cracklib module can be found in the system documentation under /usr/share/doc/pam-
Adding new words to the cracklib dictionary
Follow the steps below to add words to the dictionary that cracklib uses when it validates passwords against known dictionary words.

1. Ensure the following RPMs are installed on your CentOS/RHEL/Fedora server (the versions vary with the OS release):

```
pam-1.1.1-22.0.1.el6.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
words-3.0-17.el6.noarch
```

2. Check whether the word you want to add already exists in the dictionary:

```
# echo "pwd1234@" | cracklib-check
pwd1234@: OK
```

"OK" in the output means the word is not yet included in the dictionary.

3. Edit /usr/share/dict/linux.words and append "pwd1234@" as the last line:

```
# vi /usr/share/dict/linux.words
```

(add the line pwd1234@ at the end of the file)

4. Verify that the entry has been added:

```
# tail /usr/share/dict/linux.words
Zyzomys
Zyzzogeton
zyzzyva
zyzzyvas
ZZ
Zz
zZt
ZZZ
pwd1234@
```

5. Rebuild the cracklib dictionary from the updated word list:

```
# create-cracklib-dict /usr/share/dict/linux.words
```

6. Check again whether the word is now in the dictionary:

```
# echo "pwd1234@" | cracklib-check
pwd1234@: it is based on a dictionary word
```

The output shows that the new word is now part of the dictionary.

7. Finally, try the same password as a regular user:

```
$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:                 <- enter pwd1234@ here
BAD PASSWORD: it is based on a dictionary word
```

As the output shows, the word just added to the dictionary can no longer be used as a password.
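The steps above, wrapped into one small POSIX shell script, as an added example that is not part of the original article or of the cracklib project. It assumes the word list is /usr/share/dict/linux.words (overridable through the WORDS_FILE variable, which is this script's own convention), that cracklib-check and create-cracklib-dict are on PATH, and that it runs as root when rebuilding; the function names are the example's own. It goes slightly beyond the bare steps: the append is idempotent, so a word already listed is not added twice, and it handles a word list whose last line has no trailing newline, where a plain append would glue the new word onto the previous entry and leave it unmatched.

```shell
#!/bin/sh
# Added example (not from the original article): maintain the cracklib
# word list safely, rebuild the packed dictionary and verify the result.
# Assumptions: the word list is /usr/share/dict/linux.words (override with
# WORDS_FILE) and cracklib-check / create-cracklib-dict are on PATH.

WORDS_FILE="${WORDS_FILE:-/usr/share/dict/linux.words}"

# add_word FILE WORD
# Append WORD as its own line unless an identical line already exists.
# Returns 0 when the word was added, 1 when it was already present.
add_word() {
    aw_file=$1
    aw_word=$2
    if grep -qxF -- "$aw_word" "$aw_file" 2>/dev/null; then
        return 1
    fi
    # If the file does not end with a newline, add one first; otherwise the
    # new word would be glued onto the last entry (e.g. "ZZZpwd1234@").
    # $(tail -c 1 ...) is empty exactly when the last byte is a newline.
    if [ -s "$aw_file" ] && [ -n "$(tail -c 1 "$aw_file")" ]; then
        printf '\n' >> "$aw_file"
    fi
    printf '%s\n' "$aw_word" >> "$aw_file"
    return 0
}

# parse_verdict WORD LINE
# cracklib-check echoes "WORD: verdict"; strip the echoed word and keep
# only the verdict ("OK" or the rejection reason).
parse_verdict() {
    pv_word=$1
    pv_line=$2
    printf '%s\n' "${pv_line#"$pv_word": }"
}

# check_word WORD
# Print cracklib's verdict for WORD; exit status 0 only when it is "OK".
check_word() {
    cw_verdict=$(parse_verdict "$1" "$(printf '%s\n' "$1" | cracklib-check)")
    printf '%s\n' "$cw_verdict"
    [ "$cw_verdict" = "OK" ]
}

# rebuild_dict
# Regenerate the packed cracklib dictionary from the word list (root only).
rebuild_dict() {
    create-cracklib-dict "$WORDS_FILE" >/dev/null
}

# main WORD: the article's steps 2 to 6 in order, failing loudly if the
# word is still accepted after the rebuild.
main() {
    m_word=${1:?usage: $0 WORD}
    printf 'before: %s\n' "$(check_word "$m_word")"
    if add_word "$WORDS_FILE" "$m_word"; then
        rebuild_dict
    else
        printf '%s is already listed in %s\n' "$m_word" "$WORDS_FILE"
    fi
    if check_word "$m_word" >/dev/null; then
        printf 'WARNING: cracklib still accepts %s\n' "$m_word" >&2
        return 1
    fi
    printf 'after: %s\n' "$(check_word "$m_word")"
    return 0
}

# Only run main when explicitly asked, so the file can be sourced for testing.
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as root with `RUN_MAIN=1 sh add_dict_word.sh 'pwd1234@'`; it prints cracklib's verdict before and after the rebuild and exits non-zero if the word is still accepted, which is the check step 6 performs by hand. Because the packed dictionary is only regenerated when the word list actually changed, the script can be re-run safely from configuration management.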