45 lines
1.7 KiB
Markdown
45 lines
1.7 KiB
Markdown
---
|
|
title: "Displaying Password Policy before Password Change"
|
|
description: "How to display the password policy that applies to a user before a password change"
|
|
author: "Florian Maury"
|
|
date: 2022-05-26T16:30:00Z
|
|
categories:
|
|
- linux
|
|
tags:
|
|
- linux
|
|
- pam
|
|
- security
|
|
- sysadmin
|
|
lang: en
|
|
---
|
|
|
|
On a multi-user system, one may not trust users to choose strong passwords.
|
|
Thus, one can setup up a password policy. On linux systems using <abbr
|
|
title="Pluggable Authentication Module">PAM</abbr>, this can be done with
|
|
`pam_cracklib`.
|
|
|
|
While `pam_cracklib` does an excellent job, with many options, it does not have
|
|
an option to display the current password policy to the user prior to a
|
|
password change. Indeed, this could be tedious because of the localization.
|
|
|
|
Displaying the policy is crucial, especially for users with expired passwords
|
|
that must change them upon logging, because they can't have access to the
|
|
system to learn the policy before changing their passwords. This often results
|
|
in frustrated users trying to "discover" the policy by trials and errors.
|
|
|
|
Sadly, most sysadmins I met forget to display that policy, or just do not know
|
|
how to do it.
|
|
|
|
One response is to use `pam_echo`. This module displays on screen the content
|
|
of a file and it can do so in all four PAM phases (account, auth, password, and
|
|
session). With `pam_echo`, system administrators can just write down in the
|
|
natural language of their users what the password policy is, and display it
|
|
using a well-positioned call to `pam_echo`.
|
|
|
|
For instance, on my debian system, I edited /etc/pam.d/common-password and I
|
|
added just before the line about `pam_unix`:
|
|
|
|
```
|
|
password optional pam_echo.so file=/etc/password_policy
|
|
```
|
|
|