What is pam_cracklib
Red Hat Enterprise Linux can be configured to verify that passwords cannot be guessed easily. On Red Hat Enterprise Linux this check is performed by the Pluggable Authentication Module (PAM) /lib/security/pam_cracklib.so. It checks to ensure that passwords are a minimum length and verifies that a password does not occur in a dictionary.
The dictionary used by this module is located in /usr/lib/ and is in cracklib format. By default, each of the dictionary files is prefixed with the file name cracklib_dict.
This module has a number of parameters; some of the more useful ones are listed below:

| Parameter | Meaning |
|---|---|
| minlen | Specifies the minimum length allowed for an account's password |
| difok | Specifies the minimum number of characters that have to differ from the previous password |
An example implementation would be to add the following line to the /etc/pam.d/system-auth file:
password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3
Additional information about the pam_cracklib module can be found in the system documentation at: /usr/share/doc/pam-
In CentOS/RHEL 6, the default parameters are try_first_pass,retry=3 and type=, while in RHEL 5 the default parameters are try_first_pass,retry=3.
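The line above sets minlen and difok explicitly, while the distribution defaults just listed set neither, so a password line that looks "configured" may still enforce no length or difference policy. The following POSIX shell script is an added example, not taken from the page or from the pam_cracklib project: it parses the pam_cracklib password line out of a system-auth style configuration and checks that minlen and difok are present and at least the given thresholds. The sample configuration text is constructed inline so the script runs offline; on a real host you would feed it the contents of /etc/pam.d/system-auth instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit the pam_cracklib password
# line for minlen/difok. Assumes the simple "password <control> <module> opts"
# layout shown on the page; bracketed control values are not handled here.

# Print the value of option $2 (key=value form) from the pam_cracklib password
# line found in configuration text $1; prints nothing if the option is absent.
cracklib_opt() {
    printf '%s\n' "$1" \
      | grep -E '^password[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]*pam_cracklib\.so' \
      | tr ' \t' '\n\n' \
      | sed -n "s/^$2=//p" \
      | head -n 1
}

# Return 0 when minlen >= $2 and difok >= $3 on the pam_cracklib line of $1,
# and 1 when either option is missing, non-numeric, or below its threshold.
check_cracklib() {
    minlen=$(cracklib_opt "$1" minlen)
    difok=$(cracklib_opt "$1" difok)
    [ -n "$minlen" ] && [ "$minlen" -ge "$2" ] 2>/dev/null || return 1
    [ -n "$difok" ] && [ "$difok" -ge "$3" ] 2>/dev/null || return 1
    return 0
}

# Constructed sample in the style of /etc/pam.d/system-auth (not a real file).
SAMPLE_SYSTEM_AUTH='auth required pam_env.so
password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3
password sufficient pam_unix.so nullok use_authtok md5 shadow'

if check_cracklib "$SAMPLE_SYSTEM_AUTH" 8 3; then
    echo "pam_cracklib: minlen and difok meet policy (minlen>=8, difok>=3)"
else
    echo "pam_cracklib: minlen or difok missing or below policy"
fi
```

Run it as `sh check_cracklib.sh`; to audit a live system, replace the constructed sample with `SAMPLE_SYSTEM_AUTH=$(cat /etc/pam.d/system-auth)`. A line carrying only the RHEL 6 defaults (try_first_pass retry=3 type=) fails the check because neither option is set.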
According to the pam_unix man page:
try_first_pass means: Before prompting the user for their password, the module first tries the previous stacked module's password in case that satisfies this module as well.
According to the pam_cracklib man page:
retry=N means: Prompt user at most N times before returning with error. The default is 1.
authtok_type=XXX means: The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option; by default it is empty.