I am configuring password rules on a Linux system (Red Hat Enterprise Linux 5). By googling, I found that using pam_cracklib makes some simple checks automatically. That is, pam_cracklib will automatically check whether the new password is the reverse of the previous password. If so, it will reject the new password.
However, when I tried a new password that is just the reverse of the previous one, the new password took effect! That is, pam_cracklib allowed the new password (the reverse of the previous one). Here is my configuration:
/etc/pam.d/system-auth:
password required pam_cracklib.so try_first_pass retry=3 minlen=6
Could anyone tell me if there is something wrong with my configuration, or whether there is a bug in pam_cracklib?
Thanks a lot!
You can't use try_first_pass with cracklib. It should check whether the password is a palindrome or a rotation of the old password by default. What's more, other modules (probably pam_unix.so or pam_ldap.so) in the stack must use the use_authtok flag, or they will be allowed to ask the user for a password if the previous module didn't accept the provided password. In short, try:
The nullok flag tells the module it's OK to change the password from an empty one (the usual method of forcing a password change on UNIX systems); you can remove it if you don't use this functionality.
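The stacking problem the answer describes can be checked mechanically. The following is an added example (not code from the thread or from the PAM project): it parses the password stack of a system-auth style file and flags a pam_cracklib.so line carrying try_first_pass, and any later pam_unix.so/pam_ldap.so line without use_authtok. The sample file contents are constructed, modelled on the question's configuration, and the list of modules checked and the finding messages are my own choices.

```python
"""Audit a PAM file's 'password' stack for the two mistakes discussed above:
pam_cracklib.so given try_first_pass, and later password modules lacking
use_authtok (which lets them prompt for a password cracklib never checked)."""

# Constructed sample in the style of the question's RHEL 5 /etc/pam.d/system-auth.
BROKEN_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    required      pam_cracklib.so try_first_pass retry=3 minlen=6
password    sufficient    pam_unix.so md5 shadow nullok
password    required      pam_deny.so
"""

# Constructed corrected version: no try_first_pass on cracklib, use_authtok on pam_unix.
FIXED_SYSTEM_AUTH = """\
password    required      pam_cracklib.so retry=3 minlen=6
password    sufficient    pam_unix.so md5 shadow nullok use_authtok
password    required      pam_deny.so
"""

# Modules that would re-prompt for a password without use_authtok (my own list).
PASSWORD_SETTERS = ('pam_unix.so', 'pam_ldap.so')


def password_stack(text):
    """Return [(module, set_of_options), ...] for the 'password' lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'password':
            stack.append((fields[2], set(fields[3:])))
    return stack


def audit(text):
    """Return a list of findings; an empty list means the stack looks right."""
    findings = []
    seen_cracklib = False
    for module, opts in password_stack(text):
        if module == 'pam_cracklib.so':
            seen_cracklib = True
            if 'try_first_pass' in opts:
                findings.append('pam_cracklib.so: remove try_first_pass')
        elif seen_cracklib and module in PASSWORD_SETTERS and 'use_authtok' not in opts:
            findings.append('%s: add use_authtok so it reuses the password cracklib checked' % module)
    if not seen_cracklib:
        findings.append('no pam_cracklib.so line in the password stack')
    return findings


if __name__ == '__main__':
    for name, text in (('broken', BROKEN_SYSTEM_AUTH), ('fixed', FIXED_SYSTEM_AUTH)):
        print(name, audit(text) or ['ok'])
```

Running it on a real file (`audit(open('/etc/pam.d/system-auth').read())`) reports the same two findings for a stack configured as in the question.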