Using pam_cracklib in OpenWrt

Hi all!
I'm trying to use pam_cracklib to manage my password policy on media gate, but something goes wrong.

Here are the steps I follow:

  1. Configure downloaded OpenWrt with make menuconfig, add pam_cracklib to the set.
  2. Start build by make.
  3. Wait for the build to finish, edit /etc/pam.d/common-password so it looks like:
    password required sha512 retry=1 difok=-5 minlen=10 dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2 minclass=4 maxrepeat=2 maxclassrepeat=2 gecoscheck
    password use_authtok md5
  4. Reboot.
  5. Try to change passwords as a non-root user with passwd and see no changes (my new policy doesn't affect the ability to manage passwords; I just see the old restrictions).

I also have tried:

  • creating /etc/pam.d/passwd and copying the password required... string there
  • specifying the full path to the library
  • manually moving the library to /lib/security

What am I doing wrong? How can I ensure that cracklib is installed (other than by the existence of the file on the media gate) and that OpenWrt uses it?

OpenWrt comes with passwd (and most/all other utils concerning auth and passwords) provided by the busybox package, unlike more heavyweight GNU/Linux distributions, which use software and ship executables from other projects. These other projects do often support PAM, but busybox does not. So you may have the appropriate PAM library installed and its setup correct, but nothing in the system actually using it. I am actually not sure if passwd (et al.) are available with proper PAM support on OpenWrt (shadow-passwd seems to not require/link PAM, fwiw), but this is what you would need to make happen in order to use or any other PAM module.

1 Like
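
One way to check on the device whether anything would use an installed PAM module, as an added example that is not part of the original thread: the script resolves each command to its real file and looks for a libpam.so reference in it. The function names and status strings are hypothetical, and it assumes readlink -f and grep are available.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the binaries behind
# passwd/login/su can consult the PAM stack at all. Function names and
# status strings are hypothetical. Assumes readlink -f and grep exist.

# resolve_target PATH: print the real file behind a (possibly symlinked) path.
resolve_target() {
    t=$(readlink -f "$1" 2>/dev/null) || t=
    [ -n "$t" ] || t=$1
    printf '%s\n' "$t"
}

# pam_status PATH: print pam-linked | busybox-no-pam | no-pam | missing.
# Exit status is 0 only for pam-linked.
pam_status() {
    bin=$(resolve_target "$1")
    if [ ! -f "$bin" ]; then
        echo missing
        return 1
    fi
    # A dynamically linked PAM client names libpam.so in its DT_NEEDED
    # entries, so the string is present in the file. A statically linked
    # binary would not be detected by this check.
    if grep -q 'libpam\.so' "$bin" 2>/dev/null; then
        echo pam-linked
        return 0
    fi
    case "$(basename "$bin")" in
        busybox*) echo busybox-no-pam ;;
        *)        echo no-pam ;;
    esac
    return 2
}

# Default to the commands that handle system credentials.
[ $# -gt 0 ] || set -- passwd login su
for name in "$@"; do
    path=$(command -v "$name" 2>/dev/null) || continue
    printf '%-8s %s -> %s\n' "$name" "$path" "$(pam_status "$path" || true)"
done
```

A result other than pam-linked for passwd means that files under /etc/pam.d are never read when a password is changed with that binary.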

Can you please give me an example of a /etc/pam.d/common-password config with restrictions like

retry=1 difok=-5 minlen=10 dcredit=-2 ucredit=-2 lcredit=-2 ...

for passwd? Which file do I have to put it in?
Thank you in advance.

No can do, sorry - maybe my earlier post was not clear enough: It's not possible on OpenWrt, since its passwd implementation does not integrate any PAM mechanisms.

1 Like

Did I understand correctly that it's not possible to manage password complexity on OpenWrt?

passwd from busybox (used in OpenWrt) performs some basic checks, such as password length in chars/bytes, and will warn about failing those - but it is not configurable via PAM with any cracklib-based rules, since system authentication credentials do not traverse the PAM stack.

Then again, there are no password-protected accounts in an OpenWrt system besides root, the web interface should only be accessible from a perimeter network (i.e., your LAN), and you should not use password-based SSH login to the system, but pubkeys instead. So managing a policy for password complexity is not regarded as an important thing on OpenWrt systems.

Thanks for the advice :)