Inix ZixinG
02-12-2002, 06:06 AM
Hi All,
I'm currently running a Web Hosting firm in Singapore, and things have been flowing smoothly. Currently, I've written a password changing script in CGI, and it works fine.
However, some of my customers complained that the password changing script is complaining that their passwords are based on a dictionary word, too short, etc.
I traced the problem, and found it lies with /usr/bin/passwd. It requires a user to change to a password that is not too short and is NOT based on a dictionary word.
Is it possible for me NOT to have this? I would like my customers to be able to change to any password they like. Is there any way I can find out more information about this?
Thanks for any assistance.
The servers are based on RedHat 7.2.
Inix ZixinG
02-12-2002, 06:47 AM
Hello all,
To solve my problem you will need to do the below-mentioned.
Originally quoted by Darell Tan
The following describes a Redhat Linux 7.2 system.
In /etc/pam.d/passwd, an entry says stack "system-auth". So, look under /etc/pam.d/system-auth.
In /etc/pam.d/system-auth, you will see a line saying
password required /lib/security/pam_cracklib.so retry=3 type=
This checks the password against dictionaries and stuff. Just comment out this line with #, and ensure that you remove the "use_authtok" in the following line so that it reads:
password sufficient /lib/security/pam_unix.so nullok md5 shadow
This will fix your problem, although I would recommend keeping it intact.
priyadi
02-12-2002, 07:39 AM
I strongly suggest you leave the PAM settings alone; it may open up a lot of security problems. Also, it is a good idea to enforce a good password on your users.
To suppress the /usr/bin/passwd complaints, you need to run /usr/bin/passwd as root. And if you are using it non-interactively, take a look at the --stdin option on the man page.
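An added example, not code from this thread or from Red Hat: a small Python pre-check that approximates the tests pam_cracklib runs (length, dictionary word, palindrome, trivial variation of the old password), so the CGI front end can tell the customer exactly why a password was refused, and then sets it the way priyadi suggests, as root via Red Hat's passwd --stdin. The word list, leet-speak table and thresholds are constructed assumptions; the check_password, normalize and set_password names are mine.

```python
import difflib
import os
import re
import subprocess

# Constructed stand-in for a cracklib word list; a real control panel
# would load /usr/share/dict/words (assumed path) or call cracklib itself.
DICTIONARY = {"password", "singapore", "hosting", "welcome", "letmein"}
# Common digit/symbol substitutions undone before the dictionary lookup.
LEET = str.maketrans("0134578@$", "oieastbas")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def normalize(pw):
    """Reduce a password to the word it is probably 'based on'."""
    return pw.lower().strip("0123456789").translate(LEET)


def check_password(new, old=None, min_len=6, dictionary=DICTIONARY):
    """Return None if the password passes, else the reason it fails.
    Approximates pam_cracklib's tests; thresholds are assumptions."""
    if len(new) < min_len:
        return "it is too short"
    if new == new[::-1]:
        return "it is a palindrome"
    if normalize(new) in dictionary:
        return "it is based on a dictionary word"
    classes = sum(bool(re.search(p, new))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2 and len(new) < 8:
        return "it is too simple"
    if old is not None:
        if new.lower() == old.lower():
            return "it is the old one, ignoring case"
        if new == old[::-1]:
            return "it is the old one reversed"
        if difflib.SequenceMatcher(None, old, new).ratio() > 0.5:
            return "it is too similar to the old one"
    return None


def set_password(user, new, old=None):
    """Change a customer's password as root via `passwd --stdin` (Red Hat).
    Root skips the old-password prompt, so check_password is what tells
    the customer why a weak choice was refused."""
    if not USER_RE.fullmatch(user):
        raise ValueError("refusing to pass an unexpected user name to passwd")
    reason = check_password(new, old)
    if reason:
        raise ValueError("password rejected because " + reason)
    if os.geteuid() != 0:
        raise PermissionError("passwd --stdin must run as root (e.g. a root helper)")
    # argv list, no shell: the user name is never interpreted by a shell.
    subprocess.run(["/usr/bin/passwd", "--stdin", user],
                   input=new + "\n", text=True, check=True)
```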
Inix ZixinG
02-12-2002, 07:47 AM
Originally posted by priyadi
I strongly suggest you leave the PAM settings alone; it may open up a lot of security problems. Also, it is a good idea to enforce a good password on your users.
To suppress the /usr/bin/passwd complaints, you need to run /usr/bin/passwd as root. And if you are using it non-interactively, take a look at the --stdin option on the man page.
Hi, I understand the importance of a strong password, but sadly, my customers did not. I tried to explain this to them, and they are saying that it brings them great inconvenience.
I figured that since I did not allow them any form of shell access, it should be alright. Thanks for the assistance though.
XTStrike
02-12-2002, 07:54 AM
Just ask them if it's OK for people to be able to easily break into their web sites, change their content, remove their content and generally undermine the integrity of their organisation.
Imagine how stupid people look when their site is hacked; that's how stupid they themselves would look in the eyes of their clients.
Make sure you let them know you won't be held responsible for any defacements on their sites due to their requests if the checks are removed.
And also tell them you would be surprised if their site were still up in a month if they choose an insecure password...