Hi all!
I'm trying to use pam_cracklib to manage my password policy on media gate, but something goes wrong.
Here are the steps I follow:
Configure downloaded OpenWrt with make menuconfig, add pam_cracklib to the set.
Start the build with make.
Wait for the build to finish, then edit /etc/pam.d/common-password so it looks like:
password required pam_cracklib.so sha512 retry=1 difok=-5 minlen=10 dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2 minclass=4 maxrepeat=2 maxclassrepeat=2 gecoscheck
password pam_unix.so use_authtok md5
Reboot.
Try to change passwords as a non-root user with passwd and see no changes (my new policy doesn't affect the ability to manage passwords, I just see the old restrictions).
I have also tried:
creating /etc/pam.d/passwd and copying the password required... string there.
specifying the full path to the library
manually moving the library into /lib/security
What am I doing wrong? How can I ensure that cracklib is installed (other than by the existence of the pam_cracklib.so file on the media gate) and that OpenWrt uses it?
Thanks.
OpenWrt comes with passwd (and most/all other utils concerning auth and passwords) provided by the busybox package, unlike more heavyweight GNU/Linux distributions, which use software and ship executables from other projects. These other projects do often support PAM, but busybox does not. So you may have the appropriate PAM library installed and its setup correct, but nothing in the system actually using it. I am actually not sure if passwd (et al.) are available with proper PAM support on OpenWrt (shadow-passwd seems to not require/link PAM, fwiw), but this is what you would need to make happen in order to use pam_cracklib.so or any other PAM module.
No can do, sorry - maybe my earlier post was not clear enough: It's not possible on OpenWrt, since its passwd implementation does not integrate any PAM mechanisms.
passwd from busybox (used in OpenWrt) performs some basic checks, such as password length in chars/bytes, and will warn about failing those - but it is not configurable via PAM with any cracklib-based rules, since system authentication credentials do not traverse the PAM stack.
Then again, there are no password-protected accounts in an OpenWrt system besides root, the web interface should only be accessible from a perimeter network (i.e., your LAN), and you should not use password-based SSH login to the system, but pubkeys instead. So managing a policy for password complexity is not regarded as an important thing on OpenWrt systems.
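
The replies above come down to one check: does the passwd binary on the device actually link against PAM, or is it a busybox applet? The following is an added example, not part of the original posts; the function name pam_status is hypothetical, and it assumes a dynamically linked binary, where the libpam.so name appears as a string in the ELF file.

```shell
#!/bin/sh
# Added example: classify whether a program can consume PAM modules.
# Usage: sh pam_status.sh /usr/bin/passwd /bin/login
# Prints one of: missing | busybox-applet | pam-linked | no-pam

pam_status() {
    bin="$1"

    # Resolve symlinks first: on OpenWrt most utilities are links to busybox.
    real=$(readlink -f "$bin" 2>/dev/null)
    if [ -z "$real" ] || [ ! -f "$real" ]; then
        echo "missing"
        return 0
    fi

    # Per the replies above, a passwd provided by busybox does not go
    # through the PAM stack, so /etc/pam.d/* is never read for it.
    case "$(basename "$real")" in
        busybox*) echo "busybox-applet"; return 0 ;;
    esac

    # Assumption: a dynamically linked PAM consumer lists libpam.so.N among
    # its needed libraries, so the name is present as a plain string.
    # A statically linked binary would not be detected by this test.
    if grep -aq 'libpam\.so' "$real"; then
        echo "pam-linked"
    else
        echo "no-pam"
    fi
}

# Report every path given on the command line (no arguments: do nothing).
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(pam_status "$f")"
done
```

Only a result of pam-linked means that entries in /etc/pam.d can affect that program; the presence of pam_cracklib.so on disk says nothing about whether anything loads it.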