Debian redhat and cracklib

From Studiosg
Jump to: navigation, search

Welcome to Simone Giustetti's wiki pages.

Languages: English - Italiano


In a recent article I introduced cracklib a small library of C functions aimed to check password strength against dictionary based attacks. Cracklib-check, the command line tool performing the actual checks, was also introduced along with some tips regarding its use. I concluded the article with the suggestion to integrate the check with the authentication system in order to bypass the intrinsic limitations provided by an interactive program. In a later article I explained how to integrate cracklib with shadow password, the authentication system used by Slackware Linux. Slackware is not the only available Linux flavor, nor the most widespread: a title held by other distributions. Almost all of the available Linux distributions share common roots that can be grouped into 4 main families:

  • Debian Gnu Linux
  • Gentoo Linux
  • Red Hat Linux
  • Slackware Linux

Whether you are a common user or a system administrator, the procedure to integrate cracklib in the largest number of existing Linux distributions is a must know in order to take advantage of the benefits offered by the library.

In this article I will discuss how to integrate cracklib with the authentication subsystems of Debian Gnu Linux and Red Hat Linux. More or less 90% of existing Linux distributions are derived from those two as a consequence, after reading the article you'll be able to automate password checking and improve the safety of any system.

Tie Cracklib to the Debian Gnu Linux Authentication System

Debian or Red Hat based distributions default to PAM as authentication system therefore the cracklib library cannot be directly integrated with the credentials management programs. Cracklib integration requires a dedicated PAM module: pam_cracklib which must be installed and configured.

To install the module run command:

  root@system # apt-get install libpam-cracklib

that will download and install both the package and all of its eventual dependencies. Subsequently the module will have to be be configured and integrated with the authentication system. The behavior of every PAM module can be configured by modifying a specific system file; all files are saved in the /etc/pam.d folder. To enable the cracklib library provided checks you need to configure file /etc/pam.d/common-password. The task requires administrator privileges or the use of command sudo since you are dealing with a system file.

  root@system # vi /etc/pam.d/common-password

Open the file with a text editor of your liking, I usually use vi, and search for a line resembling:

  password         requisite retry=3 minlen=8 difok=3

If the line is not present, add it as it configures the default behavior of the authentication system as well as enabling the use of cracklib. The configuration above sets:

  • A maximum of 3 login attempts (retry).
  • A minimum password length of 8 characters (minlen).
  • Every new password should differ from the previous one for 3 characters at least (difok).

Update the configuration line adding some more options to ensure stricter password checks; add for example:

  password         requisite retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2


  • A maximum of 3 login attempts (retry).
  • A minimum password length of 16 characters (minlen).
  • Every new password should differ from the previous one for 3 characters at least (difok).
  • Every new password requires at least 1 uppercase character (ucredit).
  • Every new password requires at least 2 lowercase characters (lcredit).
  • Every new password requires at least 2 numbers (dcredit).
  • Every new password requires at least 2 special characters (ocredit).

The minimum length set may appear too much, but please concede it for now. All will be explained in a later paragraph.

The cracklib library uses dictionary files located in directory /var/cache/cracklib. Dictionaries in Debian are updated nightly by script /usr/sbin/update-cracklib. If you want to make updates or new dictionaries immediately available, run the script with administrator privileges. The script accesses some directories in search of input files:

  • /usr/local/dict.
  • /usr/local/share/dict.

To add words to a dictionary just write it in one of the text files located in the aforementioned directories or add a new custom dictionary. The file format was discussed in an earlier article. You can even add customized paths where to look for word files adding them in system file /etc/cracklib/cracklib.conf.

Tie Cracklib to the Red Hat Linux Authentication System

As mentioned above, the Red Hat distribution and its derivatives like CentOS or Fedora use the PAM authentication system. Considerations analogous to Debian and its derivatives like Ubuntu apply. You'll have again to install and configure the pam_cracklib module to enable automatically checking passwords against a dictionary of terms target for filtering and exclusion.

The module as well as the library it relies on should be included in the base system. If for whatever reason they were not installed, You can fix the system running with administrator privileges command:

  root@system # yum install cracklib

that will download and install the library and its dependencies. After the installation is concluded, configure the module updating file /etc/pam.d/system-auth according to your needs. Being a system file, administrator privileges are required to read and write it. The standard configuration consists of the following two lines:

  password         required         retry=3 minlen=6 difok=3
  password         required             md5 use_authtok

The first line enables some default requirements:

  • A maximum of 3 login attempts (retry).
  • A minimum password length of 6 characters (minlen).
  • Every new password should differ from the previous one for 3 characters at least (difok).

The second line enables the UNIX default authentication system and disables its internal checks (use_authtok) that duplicate the ones performed by the cracklib library. Passwords checked and approved by cracklib will be ignored by the pam_unix module without further checks.

The first line should be updated in order to add some more checks resulting in stronger user passwords. A parameter in need of an update is of course minlen: the minimum length of a lowercase only password. We'll adopt a configuration similar to the Debian one above:

  password         required         retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2
  password         required             md5 use_authtok

resulting in an increased minimum length for a password and adding requirements for using a combination of uppercase and lowercase letters as well as numbers and special characters.

The default dictionary used by a Red Hat system is located in directory /usr/lib or /usr/lib64 for 64 bit architectures and named cracklib_dict. Red Hat and derivatives as well as Debian and Slackware Linux provide check customization by adding words to the dictionary. There is no script or other mean to automate the operation. Below is described the procedure to manually add words to the dictionary:

  • Move into directory /usr/share/cracklib where word files are stored candidate for conversion into a dictionary.
  cd /usr/share/cracklib
  • Unpack the default dictionary creating a new word file:
  cracklib-unpacker /usr/lib/cracklib_dict > ./pw_dict

The command will read the active dictionary extracting words and saving them in a text file for later update through an editor of choice. After adding words to the list you'll have to pack it again in the binary format used internally by cracklib:

  sort pw_dict | cracklib-packer /usr/lib/cracklib_dict

How to Compute the PAM Minimum Password Length Avoiding Its Pitfalls

I previously introduced some of the parameters used to configure the minimum accepted password length in PAM. The subject is somewhat tricky and requires some words to explain. The minlen parameter configures the minimum length for a lowercase only password. A password consisting of lowercase characters only is easier to guess than one including a wider range of characters. A combination of lowercase and uppercase characters, numbers and special characters grants bonus credits when computing the strength of a password as a consequence a system can accept passwords that are shorter than the value set for minlen, for example passwords that are 8 characters long with minlen set to 12. For the game of bonuses the minimum accepted length of a password is always minlen - 1. Bonus credits can be obtained using some of the following parameters:

  • dcredit: Credits for using numbers.
  • lcredit: Credits for using lowercase characters.
  • ocredit: Credits for using symbols / special characters.
  • ucredit: Credits for using uppercase characters.

For example the parameters string "lcredit=0 ucredit=1 dcredit=1 ocredit=2" assigns 1 bonus credit when the user sets at least one uppercase character, 1 bonus credit for numbers and one last bonus credit when using at least 2 special characters. Negative values for the four parameters are accepted and have special meaning. Negative values force users to use at least a minimum of characters of a certain type. The string "ocredit=-2" requires, for example, each user to set at least two special characters in the passwords.

Concluding the minlen parameter must be set to a value greater than the desired minimum password length. The greater the complexity of the password, the greater the parameter value must be in order to obtain the desired minimum length.


Cracklib is an useful tool to increase the security of a Linux / UNIX PC or Server. Adding cracklib provided checks to the authentication system of any Linux distribution enables every user to automatically use it with no further effort. This article described in detail how to integrate cracklib with PAM: the standard adopted by Debian Gnu Linux, Red Hat Linux and all their derivatives like CentOS, Fedora, Ubuntu and hundreds more. Dictionary customization is a key part in making the system more secure and was discussed in the body of the article as well. In this regard, specific care was put in providing information for both the Debian and Red Hat distribution families. Finally, some effort went into explaining how the minimum allowed length of a password in PAM is calculated, a deceptively trivial computation that can confuse a newbie inducing her/him into setting too small a value. Anyone interested in learning more about the topics discussed is strongly encouraged to consult the cracklib, PAM and preferred distribution documentation.

For any feedback, questions, errors and such, please e-mail me at studiosg [at] giustetti [dot] net

External links

Languages: English - Italiano