
I am trying to place a restriction on my ssh box to require a password of a min. length of 16 characters and a max. of 30.

I was following the Password policy section, in the official user documentation and set the following in /etc/pam.d/common-password:

password        [success=1 default=ignore]      pam_unix.so obscure min=16 max=30 sha512

However, when I turn on ssh, as a regular user, and go to change my password via passwd, I am restricted to a minimum of only 8 characters.

Would anyone have any ideas as to why the min. of 16 is not being recognised, or whether it is something I have overlooked?

OS is Ubuntu Server 10.04.

Jan Geep
  • Take a look at this question too: http://askubuntu.com/questions/180402/how-to-set-a-short-password-on-ubuntu/180431#180431 It seems somehow related. – NlightNFotis Sep 06 '12 at 08:12

1 Answer


This is a bit old, but in order to help others, here's what I've found.

minlen is not just a basic character length restrictor; it is more a score that takes a number of criteria into account.

source:

The minlen complexity measure is calculated in a number of steps:

  • every character in a password yields one point, regardless of the type of character
  • every lowercase letter adds one point, but only up to the value of lcredit
  • every uppercase letter adds one point, but only up to the value of ucredit
  • every digit adds one point, but only up to the value of dcredit
  • every special character adds one point, but only up to the value of ocredit

What I was seeing was a minlen of 16 allowing passwords of 8 characters as I was getting 2 points per character typed.

This is also documented in man 8 pam_cracklib:

The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.

djeikyb
Jan Geep
  • I doubt that is the case. Have you tried rebooting the machine and then see what happens when you attempt to change the password? – NlightNFotis Sep 06 '12 at 08:13
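
The scoring rules quoted in the answer above, as an added Python example (not code from the original post or from pam_cracklib). It models only the bulleted rules with non-negative credits; the credit value of 1 per class used as the default here and the sample passwords are assumptions made for illustration.

```python
import string

CLASSES = ("lower", "upper", "digit", "other")

def classify(ch):
    """Map one character to the class whose credit it can earn."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    return "other"

def credit_score(password, lcredit=1, ucredit=1, dcredit=1, ocredit=1):
    """Return (score, bonus) using the rules quoted in the answer:
    one point per character, plus one point per character of each
    class, capped at that class's credit value."""
    caps = dict(zip(CLASSES, (lcredit, ucredit, dcredit, ocredit)))
    if any(c < 0 for c in caps.values()):
        raise ValueError("negative credits are not modelled in this example")
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        counts[classify(ch)] += 1
    bonus = {k: min(counts[k], caps[k]) for k in CLASSES}
    return len(password) + sum(bonus.values()), bonus

def passes_minlen(password, minlen, **credits):
    """True when the credit-adjusted score reaches minlen."""
    return credit_score(password, **credits)[0] >= minlen

def shortest_passing_length(minlen, lcredit=1, ucredit=1, dcredit=1, ocredit=1):
    """Fewest real characters that can still reach minlen.
    A password of n characters earns at most min(n, total credit) bonus."""
    total = lcredit + ucredit + dcredit + ocredit
    return max(-(-minlen // 2), minlen - total)

if __name__ == "__main__":
    # Constructed sample settings, all checked against minlen=16.
    for label, credits in [
        ("credit 1 per class", {}),
        ("lcredit=8", {"lcredit": 8}),
        ("all credits 0", dict(lcredit=0, ucredit=0, dcredit=0, ocredit=0)),
    ]:
        print(label, "-> shortest accepted length:",
              shortest_passing_length(16, **credits))
```

With every credit set to 0 the score equals the character count, so minlen behaves as a plain minimum length.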