PAM cracklib configuration on Debian

I'm trying to configure cracklib on Debian, but somewhere it's not working as expected.

sudo apt-get install libpam-cracklib

root@debian:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
root@debian:~# cat /etc/pam.d/common-password | grep '^[^#]'
password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
password	requisite			pam_deny.so
password	required			pam_permit.so
password	optional	pam_gnome_keyring.so
root@debian:~# dpkg -l | grep pam
ii  bogofilter                            1.2.4+dfsg1-13                               amd64        fast Bayesian spam filter (meta package)
ii  bogofilter-bdb                        1.2.4+dfsg1-13                               amd64        fast Bayesian spam filter (Berkeley DB)
ii  bogofilter-common                     1.2.4+dfsg1-13                               amd64        fast Bayesian spam filter (common files)
ii  libpam-cracklib:amd64                 1.3.1-5                                      amd64        PAM module to enable cracklib support
ii  libpam-gnome-keyring:amd64            3.28.2-5                                     amd64        PAM module to unlock the GNOME keyring upon login
ii  libpam-modules:amd64                  1.3.1-5                                      amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin                    1.3.1-5                                      amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                        1.3.1-5                                      all          Runtime support for the PAM library
ii  libpam-systemd:amd64                  241-7~deb10u8                                amd64        system and service manager - PAM module
ii  libpam0g:amd64                        1.3.1-5                                      amd64        Pluggable Authentication Modules library

In the configuration file common-password the minimum length is set (minlen=8), but this is not enforced: when setting a password of only 6 digits, I am still able to set the password.

root@debian:~# sudo passwd testing
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: password updated successfully

But this is not how configuring PAM and enforcing password rules should behave.

Hello,

I suspect this is happening because by default password policies are not applied to the root user account. For root you'll still get all the warnings for a non-compliant password (password too short, password based on a dictionary word, etc.), but the system will then go ahead and set that password anyway. Do you find that your policies are enforced if you try changing the password on a regular non-root account? If so, then your policy is currently working as expected.

If you do want to apply a password policy to the root account, then you generally need to specify the enforce_for_root option in the configuration for any PAM modules which support this facility.

Hope this helps! If not, please let us know, and we can take things from there.

@drysdalk - Thanks

Actually, we have machines where cracklib is already installed and running, but it's not working as expected. The issue is not with the password rules themselves; rather, when changing the root password it gives messages like "password too short" and "password unchanged", but the password is actually changed. The same happens for a non-root user.

So here is the config of common-password on the machine where it's not working as expected:

root@debian:~# cat /etc/pam.d/common-password | grep '^[^#]'
password	required			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 enforce_for_root 
password	required			pam_pwhistory.so remember=4 enforce_for_root
password	required			pam_unix.so obscure use_authtok try_first_pass sha512
password	sufficinet			pam_sss.so use_authtok

So for testing I installed a VM with Debian 10, as per our other machines, installed libpam-cracklib on it and set password rules, and it's working as expected.

So here is the config on the new machine, just for testing:

root@debian:~# cat /etc/pam.d/common-password | grep '^[^#]'
password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 enforce_for_root 
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
password	requisite			pam_deny.so
password	required			pam_permit.so
password	optional	pam_gnome_keyring.so

So my concern is why it's not working on the existing machine. Is it something with the library or the config? Where should I look to troubleshoot?
Thanks

Hi @reach2me,

there is a difference in the 2nd field of the pam_cracklib.so lines. You could replace required with requisite on the non-working system. This changes the behaviour of the PAM auth process when a (sub)module returns an error. See man pam.conf.