From 4dd0625dc83acb02a3280466d74328d829c698c2 Mon Sep 17 00:00:00 2001 From: Florian Maury Date: Thu, 26 May 2022 18:50:32 +0200 Subject: [PATCH] Add note about pam_echo and pwd policy --- notes/display-password-policy.md | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 notes/display-password-policy.md diff --git a/notes/display-password-policy.md b/notes/display-password-policy.md new file mode 100644 index 0000000..f07aaea --- /dev/null +++ b/notes/display-password-policy.md 
@@ -0,0 +1,44 @@ +--- +title: "Displaying Password Policy before Password Change" +description: "How to display the password policy that applies to a user before a password change" +author: "Florian Maury" +date: 2022-05-26T16:30:00Z +categories: +- linux +tags: +- linux +- pam +- security +- sysadmin +--- + +On a multi-user system, one may not trust users to choose strong passwords. +Thus, one can setup up a password policy. On linux systems using PAM, this can be done with +`pam_cracklib`. + +While `pam_cracklib` does an excellent job, with many options, it does not have +an option to display the current password policy to the user prior to a +password change. Indeed, this could be tedious because of the localization. + +Displaying the policy is crucial, especially for users with expired passwords +that must change them upon logging, because they can't have access to the +system to learn the policy before changing their passwords. This often results +in frustrated users trying to "discover" the policy by trials and errors. + +Sadly, most sysadmins I met forget to display that policy, or just do not know +how to do it. + +One response is to use `pam_echo`. This module displays on screen the content +of a file and it can do so in all four PAM phases (account, auth, password, and +session). With `pam_echo`, system administrators can just write down in the +natural language of their users what the password policy is, and display it +using a well-positioned call to `pam_echo`. + +For instance, on my debian system, I edited /etc/pam.d/common-password and I +added just before the line about `pam_unix`: + +``` +password optional pam_echo.so file=/etc/password_policy +``` +
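Review bot: the closing example shows only the `pam_echo` line, so the reader cannot see how the displayed text relates to the enforced policy; since the note says the policy itself is enforced by `pam_cracklib`, show the `pam_cracklib` line that the `pam_echo` line is placed next to in /etc/pam.d/common-password, and state that /etc/password_policy has to be updated by hand whenever those options change, because nothing ties the file's wording to the module's options and the two will otherwise drift apart (which would recreate the trial-and-error problem the note is trying to solve). The `optional` control flag is the right choice here and worth a sentence: a missing or unreadable policy file then only suppresses the message instead of blocking the password change. Minor wording fixes before merge: "one can setup up a password policy" should read "set up", "On linux systems" should be "On Linux systems", "upon logging" should be "upon logging in", and "by trials and errors" should be "by trial and error".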