Broken-by-Design/notes/display-password-policy.md

---
title: "Displaying Password Policy before Password Change"
description: "How to display the password policy that applies to a user before a password change"
author: "Florian Maury"
date: 2022-05-26T16:30:00Z
categories:
- linux
tags: 
- linux
- pam
- security
- sysadmin
lang: en
---

On a multi-user system, one may not trust users to choose strong passwords.
Thus, one can setup up a password policy. On linux systems using <abbr
title="Pluggable Authentication Module">PAM</abbr>, this can be done with
`pam_cracklib`.

While `pam_cracklib` does an excellent job, with many options, it does not have
an option to display the current password policy to the user prior to a
password change. Indeed, this could be tedious because of the localization.

Displaying the policy is crucial, especially for users with expired passwords
that must change them upon logging, because they can't have access to the
system to learn the policy before changing their passwords. This often results
in frustrated users trying to "discover" the policy by trials and errors.

Sadly, most sysadmins I met forget to display that policy, or just do not know
how to do it.

One response is to use `pam_echo`. This module displays on screen the content
of a file and it can do so in all four PAM phases (account, auth, password, and
session). With `pam_echo`, system administrators can just write down in the
natural language of their users what the password policy is, and display it
using a well-positioned call to `pam_echo`.

For instance, on my debian system, I edited /etc/pam.d/common-password and I
added just before the line about `pam_unix`:

```
password optional pam_echo.so file=/etc/password_policy
```
Add note about pam_echo and pwd policy 2022-05-26 16:50:32 +00:00			`---`
			`title: "Displaying Password Policy before Password Change"`
			`description: "How to display the password policy that applies to a user before a password change"`
			`author: "Florian Maury"`
			`date: 2022-05-26T16:30:00Z`
			`categories:`
			`- linux`
			`tags:`
			`- linux`
			`- pam`
			`- security`
			`- sysadmin`
Add lang metadata for all posts/notes 2022-05-28 11:05:54 +00:00			`lang: en`
Add note about pam_echo and pwd policy 2022-05-26 16:50:32 +00:00			`---`

			`On a multi-user system, one may not trust users to choose strong passwords.`
			`Thus, one can setup up a password policy. On linux systems using <abbr`
			`title="Pluggable Authentication Module">PAM</abbr>, this can be done with`
			`pam_cracklib`.

			While `pam_cracklib` does an excellent job, with many options, it does not have
			`an option to display the current password policy to the user prior to a`
			`password change. Indeed, this could be tedious because of the localization.`

			`Displaying the policy is crucial, especially for users with expired passwords`
			`that must change them upon logging, because they can't have access to the`
			`system to learn the policy before changing their passwords. This often results`
			`in frustrated users trying to "discover" the policy by trials and errors.`

			`Sadly, most sysadmins I met forget to display that policy, or just do not know`
			`how to do it.`

			One response is to use `pam_echo`. This module displays on screen the content
			`of a file and it can do so in all four PAM phases (account, auth, password, and`
			session). With `pam_echo`, system administrators can just write down in the
			`natural language of their users what the password policy is, and display it`
			using a well-positioned call to `pam_echo`.

			`For instance, on my debian system, I edited /etc/pam.d/common-password and I`
			added just before the line about `pam_unix`:

			```
			`password optional pam_echo.so file=/etc/password_policy`
			```