Add note about pam_echo and pwd policy

Florian Maury 2022-05-26 18:50:32 +02:00
parent 5c51419ce6
commit 4dd0625dc8


@ -0,0 +1,44 @@
---
title: "Displaying Password Policy before Password Change"
description: "How to display the password policy that applies to a user before a password change"
author: "Florian Maury"
date: 2022-05-26T16:30:00Z
categories:
- linux
tags:
- linux
- pam
- security
- sysadmin
---
On a multi-user system, one may not trust users to choose strong passwords.
Thus, one can setup up a password policy. On linux systems using <abbr
title="Pluggable Authentication Module">PAM</abbr>, this can be done with
`pam_cracklib`.
While `pam_cracklib` does an excellent job, with many options, it does not have
an option to display the current password policy to the user prior to a
password change. Indeed, this could be tedious because of the localization.
Displaying the policy is crucial, especially for users with expired passwords
that must change them upon logging, because they can't have access to the
system to learn the policy before changing their passwords. This often results
in frustrated users trying to "discover" the policy by trials and errors.
Sadly, most sysadmins I met forget to display that policy, or just do not know
how to do it.
One response is to use `pam_echo`. This module displays on screen the content
of a file and it can do so in all four PAM phases (account, auth, password, and
session). With `pam_echo`, system administrators can just write down in the
natural language of their users what the password policy is, and display it
using a well-positioned call to `pam_echo`.
For instance, on my debian system, I edited /etc/pam.d/common-password and I
added just before the line about `pam_unix`:
```
password optional pam_echo.so file=/etc/password_policy
```
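Review bot: the placement advice at the end of the hunk ("I edited /etc/pam.d/common-password and I added just before the line about `pam_unix`") needs a caveat, because on Debian that file is generated by pam-auth-update: anything inserted inside the managed block (between the "# here are the per-package modules" comment and "# end of pam-auth-update config") is discarded the next time pam-auth-update runs, and the file's own header says to put local modules before or after that block. Suggest stating explicitly that the `password optional pam_echo.so file=/etc/password_policy` line goes above the managed block (it is still evaluated before `pam_unix`, so the policy is shown before the first password prompt). Two smaller points worth a sentence each: `pam_echo` expands `%` escapes in the file (`%u`, `%U`, `%h`, `%H`, `%s`, `%t`), so a literal percent sign in the policy text must be written `%%`; and "all four PAM phases (account, auth, password, and session)" would more accurately read "all four management groups", since those are module types, not phases of one operation.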