Add note about pam_echo and pwd policy

notes/display-password-policy.md

@@ -0,0 +1,44 @@
+---
+title: "Displaying Password Policy before Password Change"
+description: "How to display the password policy that applies to a user before a password change"
+author: "Florian Maury"
+date: 2022-05-26T16:30:00Z
+categories:
+- linux
+tags: 
+- linux
+- pam
+- security
+- sysadmin
+---
+
+On a multi-user system, one may not trust users to choose strong passwords.
+Thus, one can setup up a password policy. On linux systems using <abbr
+title="Pluggable Authentication Module">PAM</abbr>, this can be done with
+`pam_cracklib`.
+
+While `pam_cracklib` does an excellent job, with many options, it does not have
+an option to display the current password policy to the user prior to a
+password change. Indeed, this could be tedious because of the localization.
+
+Displaying the policy is crucial, especially for users with expired passwords
+that must change them upon logging, because they can't have access to the
+system to learn the policy before changing their passwords. This often results
+in frustrated users trying to "discover" the policy by trials and errors.
+
+Sadly, most sysadmins I met forget to display that policy, or just do not know
+how to do it.
+
+One response is to use `pam_echo`. This module displays on screen the content
+of a file and it can do so in all four PAM phases (account, auth, password, and
+session). With `pam_echo`, system administrators can just write down in the
+natural language of their users what the password policy is, and display it
+using a well-positioned call to `pam_echo`.
+
+For instance, on my debian system, I edited /etc/pam.d/common-password and I
+added just before the line about `pam_unix`:
+
+```
+password optional pam_echo.so file=/etc/password_policy
+```
+