Pluggable Authentication Modules (PAM) for Linux is a suite of shared libraries that enables the local system administrator to choose how applications authenticate users. System-wide user authentication is done with the help of two modules, pam_cracklib and pam_unix, in the /etc/pam.d/system-auth file.
1. pam_cracklib module works in the following manner:
– It first calls the cracklib routine to check the strength of the password; if cracklib likes the password, the module does an additional set of strength checks like palindrome, similar, simple, rotated, already used etc.
2. pam_unix is the standard UNIX authentication module.
– It uses standard calls from the system’s libraries to retrieve and set account information as well as authentication. Usually, this information is obtained from the /etc/passwd file, and from the /etc/shadow file as well if shadow is enabled.
Default entries for password in /etc/pam.d/system-auth are:
    password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
Bypassing password checking against system dictionary
To bypass password checking against the system dictionary, we need to comment out the pam_cracklib entry. We also need to remove the use_authtok argument from the pam_unix entry, because this argument forces the module not to prompt the user for a new password but to use the one provided by the previously stacked password module.
Changed entries for bypassing dictionary check:
    # vi /etc/pam.d/system-auth
    #password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/$ISA/pam_unix.so nullok md5 shadow
Be careful while editing any PAM configuration file. It is good practice to keep a backup of the default file and to check the effects of changes before logging out. Otherwise, to recover from a wrong configuration, the only option is to reboot, log in under single-user mode and change the file back to the default one.
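One way to check the password stack after an edit, or to audit a host for a disabled dictionary check, is sketched below. This is an added example, not part of the original article or of PAM itself; the function names are hypothetical and the three sample configurations are constructed from the entries shown above.

```python
import re

# type, control (simple keyword or [bracketed] form), module path, arguments
ENTRY = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", re.I)

def password_stack(text):
    """Return [(control, module, args)] for the active 'password' entries, in order."""
    stack = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()  # commented-out entries are inactive
        m = ENTRY.match(line)
        if m:
            module = m.group(2).rsplit("/", 1)[-1]
            stack.append((m.group(1), module, m.group(3).split()))
    return stack

def audit(text):
    """Return a list of findings for the password stack of one PAM file."""
    findings, strength_seen, prior_module = [], False, False
    for _control, module, args in password_stack(text):
        if module == "pam_cracklib.so":
            strength_seen = True
        elif module == "pam_unix.so":
            if not strength_seen:
                findings.append("dictionary check disabled")
            if "use_authtok" in args and not prior_module:
                findings.append("use_authtok set but no earlier module supplies a password")
        prior_module = True
    return findings

# Constructed samples based on the entries shown in this article.
DEFAULT = """\
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
"""
BYPASSED = """\
#password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok md5 shadow
"""
# The mis-edit the article warns about: cracklib commented out, use_authtok left in.
HALF_EDITED = BYPASSED.replace("nullok md5", "nullok use_authtok md5")

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT), ("bypassed", BYPASSED), ("half-edited", HALF_EDITED)]:
        print(name, audit(cfg) or "ok")
```

To use it on a real system, pass the contents of a copy of /etc/pam.d/system-auth to audit().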
In Red Hat Enterprise Linux Version 7, there are README files located in /usr/share/doc/pam-x.x (where x.x is the version of PAM you are using) which provide more details.