CrackLib was a follow-up version of the libCrack password checking library and is licensed under the LGPL. With sys-libs/pam-1.4.0 it has been deprecated in favor of sys-auth/passwdqc. See PAM for current configuration.
cracklib USE flag to /etc/portage/make.conf and re-emerge world to update any package that include support for CrackLib:
emerge --changed-use @world
Verify these two packages are installed:
Now create a database:
Unix password policy
SAMBA passwords policy
pdbedit is a tool that can be used only by root. It is used to manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to:
- Add, remove, or modify user accounts.
- List user accounts.
- Migrate user accounts.
- Migrate group accounts.
- Manage account policies.
- Manage domain access policy settings.
Commands will be executed to establish controls for our domain as follows:
- Min password length = 8 characters.
- Password history = last 4 passwords.
- Maximum password age = 90 days.
- Minimum password age = 7 days.
- Bad lockout attempt = 8 bad log on attempts.
- Lockout duration = forever, account must be manually re-enabled.
The following command execution will achieve these settings:
pdbedit -P "min password length" -C 8
account policy value for min password length was 5 account policy value for min password length is now 8
pdbedit -P "password history" -C 4
account policy value for password history was 0 account policy value for password history is now 4
pdbedit -P "maximum password age" -C 7776000
account policy value for maximum password age was 4294967295 account policy value for maximum password age is now 7776000
pdbedit -P "minimum password age" -C 604800
account policy value for minimum password age was 0 account policy value for minimum password age is now 7
pdbedit -P "bad lockout attempt" -C 8
account policy value for bad lockout attempt was 0 account policy value for bad lockout attempt is now 8
pdbedit -P "lockout duration" -C -1
account policy value for lockout duration was 30 account policy value for lockout duration is now 4294967295
Next crackcheck can be used to check complicity of passwords:
Unpack samba-*.tar.gz and cd to examples/auth/crackcheck. Then compile it:
Copy this to somewhere more sensible:
cp crackcheck /usr/local/sbin
Edit Samba's configuration file:
check password script = /usr/local/sbin/crackcheck -s -d /usr/lib/cracklib-dict
Reload samba configuration: