The Geek Diary

How to add words to the dictionary cracklib uses for validating passwords against known dictionary words

by admin

How can additional words be added to the password dictionary that pam_cracklib checks in Red Hat Enterprise Linux 6?

What is PAM cracklib

Red Hat Enterprise Linux can be configured to verify that passwords cannot be guessed easily. On Red Hat Enterprise Linux this check is performed by the Pluggable Authentication Module (PAM) /lib/security/pam_cracklib.so. It checks to ensure that passwords are a minimum length and verifies that a password does not occur in a dictionary.

The dictionary used by this module is located in /usr/lib/ and is in cracklib format. By default, each of the dictionary files is prefixed with the file name cracklib_dict.

This module has a number of parameters; some of the more useful ones are listed below:

Parameter    Description
minlen       Specifies the minimum length allowed for an account password
difok        Specifies the minimum number of characters that have to differ from the previous password

For example, to enforce these checks, add the following line to the /etc/pam.d/system-auth file:

password   required   /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3

Note: The type= argument does not need a value unless you want to define this parameter. Defining it will alter the message printed as a prompt to the user.

Additional information about the pam_cracklib module can be found in the system documentation at: /usr/share/doc/pam-/txts/README.pam_cracklib

Adding new words to the cracklib dictionary

Follow the steps below to add words to the dictionary cracklib uses for validating passwords against known dictionary words.

1. Ensure you have the following RPMs installed on your CentOS/RHEL/Fedora server:

pam-1.1.1-22.0.1.el6.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
words-3.0-17.el6.noarch

Note: the RPM versions will vary according to the OS version.

2. Check whether the new word to be added already exists in the dictionary.

# echo "pwd1234@" | cracklib-check
pwd1234@: OK

The “OK” in the output indicates that the new word is not already included in the dictionary.

3. Edit /usr/share/dict/linux.words and add “pwd1234@” as the last line.

# vi /usr/share/dict/linux.words
pwd1234@

Then verify that the entry has been added to the file:

# tail /usr/share/dict/linux.words
Zyzomys
Zyzzogeton
zyzzyva
zyzzyvas
ZZ
Zz
zZt
ZZZ
pwd1234@

4. Update the cracklib dictionary with the command below:

# create-cracklib-dict /usr/share/dict/linux.words

5. Check once again whether the word has been added to the dictionary:

# echo "pwd1234@" | cracklib-check
pwd1234@: it is based on a dictionary word

The new word is now in the dictionary, as seen from the output above.

6. Now try setting the same password as a regular user:

$ passwd
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password: >>>>>>>>>>>>> Input pwd1234@
BAD PASSWORD: it is based on a dictionary word

As you can see from the output above, the new word added to the dictionary cannot be used as a password now.
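The steps above handle a single word. The following added example (not part of the original article) applies steps 3 to 5 to a whole file of site-specific words, one per line, and skips words that are already in the word list so it can be re-run safely. The function names and the site word file path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are assumptions.

# Append each word from CUSTOM that is not already an exact line in WORDLIST.
# Prints the number of words appended; re-running it appends nothing new.
add_words() {
    wordlist=$1 custom=$2 added=0
    # Terminate an unterminated last line so the first new word is not glued to it.
    if [ -n "$(tail -c1 "$wordlist")" ]; then echo >> "$wordlist"; fi
    while IFS= read -r word || [ -n "$word" ]; do
        [ -n "$word" ] || continue          # skip blank lines
        if ! grep -Fxq -- "$word" "$wordlist"; then
            printf '%s\n' "$word" >> "$wordlist"
            added=$((added + 1))
        fi
    done < "$custom"
    echo "$added"
}

# Check from steps 2 and 5: succeed if cracklib-check rejects WORD,
# fail if it answers "WORD: OK".
is_rejected() {
    out=$(printf '%s\n' "$1" | cracklib-check)
    case $out in *': OK') return 1 ;; *) return 0 ;; esac
}

# Steps 3 to 5 for every word in CUSTOM: append, rebuild, verify.
update_cracklib() {
    wordlist=$1 custom=$2
    n=$(add_words "$wordlist" "$custom") || return 1
    echo "appended $n word(s) to $wordlist"
    create-cracklib-dict "$wordlist" > /dev/null || return 1
    # Every site word must now be rejected; report any that still passes.
    rc=0
    while IFS= read -r word || [ -n "$word" ]; do
        [ -n "$word" ] || continue
        is_rejected "$word" || { echo "still accepted: $word" >&2; rc=1; }
    done < "$custom"
    return $rc
}

# Runs only when called with two arguments, for example as root
# (the site word file path is a hypothetical example):
#   sh add-cracklib-words.sh /usr/share/dict/linux.words /etc/security/site-words.txt
if [ "$#" -eq 2 ]; then
    update_cracklib "$1" "$2"
fi
```

Because /usr/share/dict/linux.words is shipped by the words package listed in step 1, keeping the site words in their own file lets the additions be re-applied if that file is ever replaced.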

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, CentOS/RHEL 8, Fedora, Linux


© 2022 · The Geek Diary
