Configuring PAM with libcrack

From Security Wiki
Jump to navigationJump to search

This page explains how to configure your *nix system to make use of libcrack when a user selects a password. The directions are specifically for use with PAM on Linux, other version of Unix may require different configuration.


Preventing compromise of user accounts relies on all accounts having passwords that are not easily guessable.

Attackers on the Internet regularly use automated tools, often called "ssh scanners," which attempt to log in to systems using a wide selection of commonly known usernames and a set of passwords, mostly dictionary words. The scanner additionally tries using the username as the password (e.g. username "john" and password "john"). SDSC systems networks undergo these attacks daily; choosing a weak password for an account will result in a compromise of that account.

Additionally, when an attacker gains access to a system, he/she will often steal encrypted passwords from the /etc/shadow file and attempt to determine passwords to accounts by running a program such as [Crack, which takes a large dictionary of words, encrypts them, and matches the result against what is stored in the shadow file. Crack also tries common variations of words, such as substituting 1 (one) for l (ell), $ for S, etc.

Many security tutorials suggest rules for password creation, such as including punctuation, etc. But fending of ssh scans and crack attempts can be fended off simply by preventing users from choosing passwords from the dictionary that attackers use.

Cracklib is an api for Crack, which can be invoked via PAM to force password changes to refuse to accept any password that Crack will match.


Before configuring pam, the crack libraries and dictionary must be installed. Some linux distros have packages available which provide the necessary libraries. On Fedora (8 at this writing),the required packages are cracklib and cracklib-dicts. However, those packages are dependencies of the pam rpm, so they are probably already installed but not configured.

If no packages are readily available, the source for cracklib and dictionary are available at sourceforge. Follow the instructions in the README file.

General information on PAM including the syntax of configuration files can be found here.

Configuring PAM

NOTE: Whenever making configuration changes to PAM, always keep at least one window or session logged in until you have completed testing. Making errors in PAM configuration can result in the inability to log in at all. Also make backup copies of files before editing, for easy reversion to the original state.

Locating the configuration file

PAM configuration files usually reside in /etc/pam.d. The particular file to edit varies with versions and distributions of *nix. Examples suggest /etc/pam.d/passwd, but in Fedora 8, that file simply includes /etc/pam.d/system-auth. Generally the necessary file will already have a line similar to

password    sufficient

(note that the word "sufficient" may be different. The key arguments are "password" at the beginning and "")

Edit the config file

Directly above the line described above, add the following line (use a "\" to break the line across multiple lines if desired):

password  required retry=3

This entry tells PAM to require that the password match cracklib restrictions. The "retry=" argument specifies how many times to allow the user to try another password.

The resulting two lines should look like this:

password  required retry=3
password  sufficient

Documentation on additional arguments can be found at here, although the most current source of documentation is probably contained with the source. If you have built and installed cracklib yourself, you may have to additionally specify the location of the dictionaries that cracklib uses.


Test by running the "passwd" program and entering a simple dictionary word. The password program should refuse to accept the word, and provide some feedback as to why not.


If installing cracklib on a system which already has user account installed, have all existing users change their password. If users do not voluntarily change their password, change it for them and then let them choose a new password. Be careful to also check accounts created for various services, such as "oracle," "mysql," "httpd," etc.