password verification verify password of a user for only first 8 characters

UNIX for Advanced & Expert Users
1

Helo ,
I m using linux pam library for user and its password authentication.
I m creating new user and giving its password.I m giving password of 10 characters.now when I login in as that newly created user its ask me

$ su - ram
Password:
You are required to change your password immediately (root enforced)
Changing password for ram
(current) UNIX password:
I m giving my current passwd

(new) Password :

I m giving my new passwd of 10 characters.

Now i m log off and again login as that user

Now when I give my password more only first 8 characters then also It allows me to login

how come this happen?

I also observed that it verify the password for first 8 characters.

can you tell me how to overcome this problem.

Regards,
Amit

2

Check this file:
/etc/pam.d/common-password

Look for:
password required pam_unix.so nullok obscure min=4 max=8 md5

Linux systems have 256 character limit. Also, you can change and/or extend the limit to 10 characters in Unices (I think!).

HTH,

Sorry for all these edits....
Nitin :b:

3

Hi nitin thx for reply.

I have check thhe entry of file passwd in /etc/pam.d . the entrty for this is:

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

so how do I change passwd limit

4

also see my /etc/pam.d/system-auth entry are given bewlo

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

5

Sorry buddy for the delayed response. Can you do an ls -l on this dir:
/etc/pam.d
I'm looking for /etc/pam.d/common-password file. Anyhow, I'm guessing that this line in /etc/pam.d/system-auth may be the key:

 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

I'll try to find out more on it.

-Nitin

6

I think I'm pretty sure that you can set the password limit here, in your /etc/pam.d/login file (you will have to add this line below):

 password   required   pam_unix.so nullok obscure min=4 max=8

You can change max value to whatever you want. Going through man pages, max is not documented, but the functionality is there. Also, before any changes make sure you backup your files.

-Nitin :slight_smile:

7

Hi Nitin thx for your reply.

/etc/pam.d/passwd file contains following(its passwd file not common-passwd)

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

My problem is that suppose create a user and give a 12 character password . It will accept this password.

But when I logg off and again login and now I give first 8 character then only It will accept password. So it menas it validates only first 8 character.

yr help will be highly appreciated.
Regards,
Amit
A

8

helo nitin I have added above line

password required pam_unix.so nullok obscure min=6 max=15

in /etc/pam/d/login and I have also line

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5

but still it not working

it validates the password upto 8 character only

Regards,
Amit

9

For RedHat at least, I think you need to run:
authconfig --passalgo md5
to switch from descrypt to md5. But I have never done that.

10

when i used on the command prompt:

authconfig --passalgo md5

$ authconfig --passalgo md5
authconfig: bad argument --passalgo: unknown option

Regards,
Amit

11

You will have to install the authconfig package.
RPM package:
authconfig-4.6.10-rhel4.1

In Ubuntu, just do:

apt-get install authconfig

HTH,
Nitin

12

Hi nitin,

I already have install following package installed on my system.

$ rpm -qa |grep authconfig
authconfig-4.6.10-rhel4.3

more -ever It accept more than 12 character password but when it validates only first 8 character password. I mean suppose I give new password more than 12 character and log off . when I login again and give only first 8 character then also it accept. it means it verify only first 8 character.
so workaround near validation .

yr help will be appreciated.
Regards,
Amit

13

Amit,
Can you check to make sure you are using MD5? You can find out if you are using MD5 cipher by looking at the encoded password string in your /etc/shadow file. If it starts with $1$ and is 34 characters long, then it is an MD5-based format. DES format is shorter, it is only 13 characters long. MD5 is default, but may have been changed during install etc.

Also, are these users being authenticated locally or by LDAP? If it's LDAP, then you will have to talk to your LDAP admin.

Other than that I'm out of ideas.....

-Nitin