Add note about pam_echo and pwd policy
This commit is contained in:
parent
5c51419ce6
commit
4dd0625dc8
1 changed files with 44 additions and 0 deletions
44
notes/display-password-policy.md
Normal file
@ -0,0 +1,44 @@
---
title: "Displaying Password Policy before Password Change"
description: "How to display the password policy that applies to a user before a password change"
author: "Florian Maury"
date: 2022-05-26T16:30:00Z
categories:
- linux
tags:
- linux
- pam
- security
- sysadmin
---

On a multi-user system, one may not trust users to choose strong passwords.
Thus, one can setup up a password policy. On linux systems using <abbr
title="Pluggable Authentication Module">PAM</abbr>, this can be done with
`pam_cracklib`.

While `pam_cracklib` does an excellent job, with many options, it does not have
an option to display the current password policy to the user prior to a
password change. Indeed, this could be tedious because of the localization.

Displaying the policy is crucial, especially for users with expired passwords
that must change them upon logging, because they can't have access to the
system to learn the policy before changing their passwords. This often results
in frustrated users trying to "discover" the policy by trials and errors.

Sadly, most sysadmins I met forget to display that policy, or just do not know
how to do it.

One response is to use `pam_echo`. This module displays on screen the content
of a file and it can do so in all four PAM phases (account, auth, password, and
session). With `pam_echo`, system administrators can just write down in the
natural language of their users what the password policy is, and display it
using a well-positioned call to `pam_echo`.

For instance, on my debian system, I edited /etc/pam.d/common-password and I
added just before the line about `pam_unix`:

```
password optional pam_echo.so file=/etc/password_policy
```

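Review bot: the note ends at `password optional pam_echo.so file=/etc/password_policy` without saying what `/etc/password_policy` should contain, nor that it is hand-written prose which will not change when the `pam_cracklib` options in the same `common-password` file do; add a sentence that the file must be updated together with the `pam_cracklib` line so the displayed policy stays consistent with the enforced one, ideally with a short example of the file. The choice of the `optional` control flag is also not explained; one sentence on why it is used for a purely informational module would help readers who copy the line. Minor wording: "setup up" should be "set up", "upon logging" should be "upon login", and "trials and errors" should be "trial and error".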