How do I enable long passwords?

Author: Eddie Kuns
Email: ekuns@kilroy.chi.il.us

System Architecture: All/General
RedHat Release: RHL 5.1 (Manhattan)
FAQ Category: Security and Encryption
Modification Date: Nov 16, 1998

Question:

Red Hat Linux, out of the box, only pays attention to the first eight
characters of a user's password.  It would be nice to allow longer
passwords, both for security and for people used to operating systems (such
as VAX/VMS) that allow longer passwords.  (VMS allows 12 characters.)

Answer:

First, enable shadow passwords.  You want to do this for many other reasons
anyway: with shadow passwords the password hashes are moved out of the
world-readable /etc/passwd into /etc/shadow, which only root can read.  It is
trivial to enable (from Red Hat 5.0 on, I believe, and perhaps also from
earlier versions) and requires no additional maintenance or understanding.

Check that the shadow-utils package is installed:

   $ rpm -q shadow-utils

If you do not have this package installed, you must install it before
continuing.  Once it is installed, log in as root -- using "su" is
sufficient -- and run

   # /usr/sbin/pwconv

Now you are using shadow passwords.  This means passwords are stored in
/etc/shadow rather than /etc/passwd; in /etc/passwd the encrypted password
field is replaced by the single character 'x'.  Red Hat 5.1 (and I believe
5.0, possibly earlier versions) comes ready for shadow passwords: you don't
need to edit any PAM configuration files, found in /etc/pam.d/* (or
/etc/pam.conf for older versions of PAM).  To check this on Red Hat 5.0 or
earlier -- I have 5.1 installed and thus can't check earlier versions --
run:

   $ grep '^auth.*pwdb' /etc/pam.d/*

   $ grep '^password.*pwdb' /etc/pam.d/*

Most -- not all -- programs requiring authentication should have lines like:

   auth       required     /lib/security/pam_pwdb.so shadow nullok

   password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok


The only exceptions on my system are that "su" does not have the "nullok"
option for either grep and, oddly enough, "passwd" does not have "shadow" as
an option for the second grep.  It's possible that I added some unnecessary
"shadow" options at some point in the past.

If your PAM configuration files are different, I would first recommend
upgrading the pam and pamconfig RPMs to the most recent updates appropriate
for your distribution.


Once your system uses shadow passwords, instruct PAM to use MD5 hashing for
passwords.  To do this, you will need to edit files in /etc/pam.d.  I may
have gone overkill by editing chfn, chsh, login, passwd, rlogin, su, and xdm
in that directory.  Basically, on the lines that say

   password required /lib/security/pam_pwdb.so ...list of options...

make sure the option "md5" is present.  Don't *remove* any options; simply
add "md5".  For example, here is my /etc/pam.d/passwd file:

   #%PAM-1.0
   auth       required     /lib/security/pam_pwdb.so shadow nullok
   account    required     /lib/security/pam_pwdb.so
   password   required     /lib/security/pam_cracklib.so retry=3
   password   required     /lib/security/pam_pwdb.so use_authtok md5 nullok


After you do this, use "passwd" to change each user's password: the "md5"
option only applies to passwords set from then on, and existing hashes stay
in their old format until the password is changed.  (This may not be a
necessary step, but since I have so very few users on my system, it was
trivial.)

I believe that if you use md5 encryption, passwords can be up to 32
characters long.  Making this change was easy and quick and has been
flawless.
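As an added example (not part of this FAQ or of Red Hat's tools), here is a small POSIX shell audit for the two changes described above. It takes pam.d-style service files and a passwd-format file as arguments, so the function names, the demo() routine and the sample files it creates under mktemp are all assumptions of this example; the real files live in /etc/pam.d and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original FAQ: audit helpers for the shadow and
# md5 changes.  Files are passed as arguments so the checks can run on copies.

# Return 0 when $1 has at least one "<type> ... pam_pwdb.so" line and every
# such line carries option $3.  Usage: pam_pwdb_has_option FILE TYPE OPTION
pam_pwdb_has_option() {
    awk -v want_type="$2" -v want_opt="$3" '
        /^[[:space:]]*#/ { next }                 # skip #%PAM-1.0 and comments
        $1 == want_type && $3 ~ /pam_pwdb\.so$/ {
            seen = 1; ok = 0
            for (i = 4; i <= NF; i++) if ($i == want_opt) ok = 1
            if (!ok) missing = 1
        }
        END { exit !(seen && !missing) }' "$1"
}

# Return 0 when every account line in the passwd-format file $1 has "x" in
# the password field, i.e. pwconv has moved the hashes into /etc/shadow.
passwd_is_shadowed() {
    awk -F: 'NF >= 7 && $2 != "x" { exit 1 }' "$1"
}

# Print a one-line verdict per check for one PAM service file.
audit_service() {
    pam_pwdb_has_option "$1" auth shadow  && echo "$1: auth uses shadow"  || echo "$1: auth lacks shadow"
    pam_pwdb_has_option "$1" password md5 && echo "$1: password uses md5" || echo "$1: password lacks md5"
}

# Stand-alone demo on constructed sample files (not real system files).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd.new" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_pwdb.so use_authtok md5 nullok
EOF
    cat > "$tmp/passwd.old" <<'EOF'
auth       required     /lib/security/pam_pwdb.so shadow nullok
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
EOF
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n' > "$tmp/passwd"
    audit_service "$tmp/passwd.new"; audit_service "$tmp/passwd.old"
    passwd_is_shadowed "$tmp/passwd" && echo "passwd: shadowed" || echo "passwd: hashes still in passwd"
    rm -rf "$tmp"
}
demo
```

Running it on the constructed files reports that passwd.new passes both checks while passwd.old still lacks "md5".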

If any of the steps I mention are unnecessary, please let me know so I can
update this FAQ question.

References:

 man 1 passwd
 man 5 shadow
 man 5 passwd
 man pwconv
 dir /usr/doc/pam*