CentOS/RHEL can be configured to reject passwords that are easy to guess. On Red Hat Enterprise Linux this check is performed by the Pluggable Authentication Module (PAM) /lib/security/pam_cracklib.so, which enforces a minimum length and refuses any new password that occurs in its dictionary.
The dictionary this module consults is located in /usr/lib/ and is in cracklib's compiled format; by default the files share the base name cracklib_dict (cracklib_dict.hwm, cracklib_dict.pwd and cracklib_dict.pwi). A candidate password can be tested against the same dictionary outside PAM with echo 'candidate' | cracklib-check, which prints OK or the reason for rejection.
This module takes a number of parameters; some of the more useful ones are:

| Parameter | Meaning |
|---|---|
| minlen | Minimum length accepted for a new password |
| difok | Minimum number of characters in the new password that must differ from the previous password |
| retry | Number of times the user is prompted for a new password before the module returns an error |
For example, the following line in /etc/pam.d/system-auth requires at least 8 characters, at least 3 of them changed from the previous password, and allows three attempts:

password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3
Additional information about the pam_cracklib module can be found in the system documentation under /usr/share/doc/pam- (the directory name carries the installed pam version) and in the pam_cracklib(8) man page.
The steps below disable the password dictionary check on CentOS/RHEL 5 and 6. Bear in mind that pam_cracklib is the only module in the stock stack that rejects weak passwords; pam_unix on its own accepts anything, so do this only where another control enforces password quality.
For CentOS/RHEL 5
In CentOS/RHEL 5, this is achieved by removing the pam_cracklib module from /etc/pam.d/system-auth. Note that this does not work on earlier releases of Red Hat Enterprise Linux; you need RHEL 5.3 or later (i.e. pam version pam-0.99.6.2-4 or later). Also note that /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates, so a later authconfig run will silently restore pam_cracklib unless you replace the symlink with a locally maintained copy.
To disable the dictionary check, edit the "password" management stack in /etc/pam.d/system-auth. The default stack:

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

becomes:

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
password    required      pam_deny.so
For CentOS/RHEL 6
In CentOS/RHEL 6, the PAM configuration for sshd and other remote services such as ftpd includes /etc/pam.d/password-auth rather than system-auth (local services such as login and passwd still include system-auth, so edit both files if the check must be disabled for every entry point). To disable the dictionary check, edit the "password" management stack in password-auth in the same way. The default stack:

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

becomes:

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
password    required      pam_deny.so

Note: both the pam_cracklib line and the use_authtok option on pam_unix are removed. use_authtok tells pam_unix to reuse the new password already collected by an earlier module in the stack instead of prompting for it; with pam_cracklib gone there is no earlier module, so leaving use_authtok in place would make password changes fail.
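The edit described for both RHEL 5 and RHEL 6 above, as an added shell example that is not part of the original article: it rewrites the password stack of a given PAM file (system-auth or password-auth), keeps a backup, and then checks that neither pam_cracklib nor use_authtok remains. The sample file it operates on is constructed here and only resembles the stock RHEL 6 stack; the function names disable_cracklib and cracklib_disabled are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: remove pam_cracklib from
# the "password" management stack of a RHEL 5/6-style PAM file and drop
# use_authtok from pam_unix, then verify the result. Assumes pam_cracklib.so
# and pam_unix.so each sit on their own "password" line, as in the stacks
# shown above. Function names are this example's own, not PAM or RHEL tools.

# disable_cracklib FILE: back FILE up once, delete the pam_cracklib line
# from the password stack and strip use_authtok from the pam_unix password
# line (without pam_cracklib ahead of it there is no stacked token to
# reuse, so pam_unix must prompt for the new password itself).
disable_cracklib() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
    sed -E \
        -e '/^password[[:space:]]+.*pam_cracklib\.so/d' \
        -e '/^password[[:space:]]+.*pam_unix\.so/s/[[:space:]]+use_authtok([[:space:]]+|$)/\1/' \
        "$f" > "$f.tmp"
    cat "$f.tmp" > "$f"      # cat, not mv: keeps the file's owner and mode
    rm -f "$f.tmp"
}

# cracklib_disabled FILE: succeed only when no password-stack line names
# pam_cracklib.so and the pam_unix password line carries no use_authtok.
cracklib_disabled() {
    ! grep -Eq '^password[[:space:]]+.*pam_cracklib\.so' "$1" &&
    ! grep -Eq '^password[[:space:]]+.*pam_unix\.so.*use_authtok' "$1"
}

# Constructed sample resembling the default RHEL 6 password stack; the auth
# lines are there to show that other management groups are left untouched.
WORK=$(mktemp -d)
SAMPLE="$WORK/password-auth"
cat > "$SAMPLE" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

if cracklib_disabled "$SAMPLE"; then
    echo "before: pam_cracklib already absent"
else
    echo "before: pam_cracklib present"
fi
disable_cracklib "$SAMPLE"
if cracklib_disabled "$SAMPLE"; then
    echo "after: pam_cracklib removed, use_authtok dropped"
fi
cat "$SAMPLE"
rm -rf "$WORK"
```

Run it as root against /etc/pam.d/system-auth-ac or password-auth-ac (the files the symlinks point at) and keep the .orig backup until a test password change with passwd succeeds.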