Guidance using pam_passwdqc module and Army Regulation 25-2

William Brower wbrower at ll.mit.edu
Wed Jun 2 23:09:49 UTC 2004 

Can anyone provide guidance concerning how to integrate the pam_passwdqc 
module with FC1 or FC2 ? I'll admit to not being a PAM expert, but I 
have RTFM, but still no luck. Some details:

1) pam_passwdqc can be found here: http://www.openwall.com/passwdqc/
I downloaded and installed the module - things went cleanly and the 
module was installed in /lib/security/pam_passwdqc.so

2) I tried modifying /etc/pam.d/system-auth to look like this
(I know there is a warning about file autogeneration, but frankly, the 
/etc/pam.d/passwd file seems to direct all real action to this file - 
should I just modify the /etc/pam.d/passwd file instead??)

OLD:
password  required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
password  sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok 
md5 shadow
password  required   /lib/security/$ISA/pam_deny.so

NEW:
#password required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
password required   /lib/security/$ISA/pam_passwdqc.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_first_pass 
md5 shadow
password required  /lib/security/$ISA/pam_deny.so

Please ignore possible line-wrap on "md5 shadow" lines above.

The above fails with:

[testuser at sloth testuser]$ passwd
Changing password for user testuser.
passwd: Authentication token manipulation error


Here is my goal. Maybe I can reach it another way entirely:
I'm trying to see if I can't make FCx automatically compliant with a new 
Army regulation (AR25-2) which provides specific password guidance, 
including the number of required characters from each character set 
(lower case, upper-case, numbers, punctuation), password length, etc. 
The regulation can be found here (see section 4-12: Password control):

XML: http://docs.usapa.belvoir.army.mil/jw2/xmldemo/r25_2/cover.asp
PDF: http://www.usapa.army.mil/pdffiles/r25_2.pdf

In a nutshell, the relevant parts are:

 >e. Generate passwords as follows —
 >
 >(1) The minimum requirement is a 10-character case-sensitive password. 
 >Passwords or phrases longer than 10 characters are recommended when 
 >supported by the IS. Password expiration will be not more than 150 >days.
 >
 >(2) The password will be a mix of uppercase letters, lowercase 
letters, >numbers, and special characters, including at least two of 
each of the >four types of characters (for example, x$TloTBn2!) and can 
be user >generated.
 >
 >(3) Enforce password policy through implementation or enhancement of 
 >native security mechanisms.
 >
 >(4) Passwords will not include such references as social security 
 >numbers (SSNs), birthdays, USERIDs, names, slang, military acronyms, 
 >call signs, dictionary words, consecutive or repetitive characters, 
 >system identification, or names; neither will they be easy to guess 
 >(for example, mypassword, abcde12345).
 >
 >(5) Password history configurations will prevent reutilization of the 
 >last 10 passwords when technically possible.
 >

Any help you can offer would be appreciated.

Finally, would FC consider adding this module? I think a few distros 
have done this. Having an out-of-box AR25-2 compliant system would be 
pretty great from the Army's point of view!

Thanks!
Bill

-- 
William Brower
MIT Lincoln Laboratory
Reagan Test Site, Kwajalein, Marshall Islands
p: 805.355.1310
f: 805.355.1701

More information about the fedora-selinux-list mailing list