password policy rule enforcement using PAM

I am attempting to enforce password rules using PAM.

The following line:
password required pam_cracklib.so lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

was added to:
/etc/pam.d/login
/etc/pam.d/passwd
/etc/pam.d/chkpasswd

The goal was to force users' passwords to have at least one upper case letter, one lower case letter, one numeric character, and one non-alphanumeric character. However, after adding this line the "passwd" command does not enforce the rules.

I've had success with a similar strategy using Linux but seem to have missed a step in transitioning to OS X. Can anyone help me with this?

- Andrew


Power Mac G4 Dual 1.25 Mac OS X (10.4.5)

Posted on Mar 15, 2006 7:51 AM
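An added example, not from this thread or from Apple's PAM sources, that re-implements the documented pam_cracklib credit accounting in Python so the line above can be checked against candidate passwords before it is deployed. It assumes the module's default minlen of 9 and covers only the character-class and length rules, not the dictionary, palindrome or similarity checks.

```python
"""Illustrative model of pam_cracklib credit accounting (not the module's own code)."""
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)


def check_credits(password, minlen=9, lcredit=1, ucredit=1, dcredit=1, ocredit=1):
    """Return a list of failure reasons; an empty list means the password passes.

    Documented semantics for each *credit option:
      credit >= 0: every character of that class earns one credit toward minlen,
                   capped at `credit` (this is the module default of 1 per class)
      credit <  0: the password must contain at least -credit characters of that
                   class, and the class earns no length credit at all
    """
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for c in password:
        if c in LOWER:
            counts["lower"] += 1
        elif c in UPPER:
            counts["upper"] += 1
        elif c in DIGIT:
            counts["digit"] += 1
        else:
            counts["other"] += 1  # anything else: punctuation, space, non-ASCII

    credits = {"lower": lcredit, "upper": ucredit, "digit": dcredit, "other": ocredit}
    failures = []
    size = len(password)
    for name, credit in credits.items():
        if credit < 0:
            if counts[name] < -credit:
                failures.append(
                    f"needs at least {-credit} {name} character(s), found {counts[name]}")
        else:
            size += min(counts[name], credit)
    if size < minlen:
        failures.append(f"effective length {size} is below minlen={minlen}")
    return failures


# The policy from the thread: lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1, minlen left at 9.
# Note that with every credit negative no length credit is earned, so the raw
# password length itself must reach minlen.
THREAD_POLICY = dict(lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1)


def passes_thread_policy(password):
    return not check_credits(password, **THREAD_POLICY)
```

Sample values used in the comments and checks ("Passw0rd!", "Pa5$word") are constructed for illustration only.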


Mar 15, 2006 11:09 AM in response to Andrew F Pitre

Hi Andrew,
According to the docs for pam_cracklib, 6.3 Cracklib pluggable password strength-checker, libcrack and a system dictionary are required. I think there's a dictionary in /usr/share/cracklib but I don't believe that libcrack is installed by default on the OS X client (I don't know about the server) so I wouldn't expect that module to be available. Furthermore, there's no pam_cracklib.so in /usr/lib/pam so I don't think it's going to be available to you unless you install the requirements and compile it yourself. For what it's worth, I think that I compiled libcrack once so compiling the module is not beyond the pale.

There also appears to be a crack dictionary in the resources of the SecurityInterface.framework. Thus, this may be something that Apple does internally, although I've seen no evidence of it.
--
Gary
~~~~
lighthouse, n.:
A tall building on the seashore in which the government
maintains a lamp and the friend of a politician.

Mar 15, 2006 3:26 PM in response to Gary Kerbaugh

I don't know if this will meet your needs, but another approach might be to try configuring "NetInfo" and enabling enforcement of "password policy" from there. There don't seem to be a whole lot of options, but keys such as 'requiresNumeric' (password must contain at least one number), 'requiresAlpha' (at least one letter), or 'minChars' (minimum length), plus a few that disable the account (eg. after a number of failed tries, or on a set date) seem to be at least partially functional based on some limited tinkering. I didn't see any options for forcing a requirement for "case" or symbols though. The rules can be set on a "per-user" basis, or globally, with the caveat that they won't apply to "admin" users.

This is where I heard about 'pwpolicy':
http://www.afp548.com/article.php?story=20040926173146494

There is also a 'man' page here:
man pwpolicy.

Mar 15, 2006 4:14 PM in response to biovizier

Strange that pam_cracklib doesn't come on OS X. Since the source code is here:

http://www.opensource.apple.com/darwinsource/10.4.5.ppc/pam-14/pam/modules/pam_cracklib/

Go figure.

There may be more, but the only ones that I found are under /usr/lib/pam

pam_afpmount.so pam_nologin.so pam_securetty.so pam_uwtmp.so
pam_deny.so pam_permit.so pam_securityserver.so pam_wheel.so
pam_netinfo.so pam_rootok.so pam_unix.so

Message was edited by: Nils C. Anderson
