From Fedora Project Wiki

Password Quality Checking

Summary

The goal is to provide a unified and configurable way to check the quality of new passwords on the system.

Owner

  • Email: tmraz@redhat.com

Current status

  • Targeted release: Fedora 17
  • Last updated: 2011-03-23
  • Percentage of completion: 100%

Detailed Description

Fedora currently does not have a single configurable library for checking the quality of new passwords for system accounts. When passwords are changed through PAM (Pluggable Authentication Modules) with the passwd command, the pam_cracklib or pam_passwdqc modules are used for this purpose. However, these modules are not used when new users are created on the system, and it is not easy or straightforward to use the PAM modules for that purpose.

The goal of this feature is to provide a library with a simple API that would be usable:

  • from a PAM module that would be used instead of pam_cracklib or pam_passwdqc
  • directly from any application that wants to check the quality of new passwords, not only for system accounts but for any purpose
  • to generate a random pronounceable password that fulfils the password quality requirements

The libpwquality library is already written and the package is built on Fedora rawhide. See Libpwquality.

Benefit to Fedora

Fedora will have a single point where the system password quality limits are configured.

Scope

As the library is already done, the remaining work is porting the current applications that set or change passwords on user accounts. These applications are (non-exhaustive list):

  • passwd (already done by replacing the default password quality checking PAM module in system-auth with pam_pwquality)
  • system-config-users
  • anaconda/firstboot
  • GNOME/KDE password change dialogs (postponed to Fedora 18)

Authconfig supports setting some of the configurable parameters in the GUI and with command line options.

How To Test

Testing the feature is quite simple. Install Fedora and:

  • verify that pam_pwquality is in /etc/pam.d/system-auth and /etc/pam.d/password-auth
  • verify that you can configure password quality limits in /etc/security/pwquality.conf and that these limits are enforced when you try to change the password with passwd
  • verify that the various utilities in the system that create new users or allow changing user passwords enforce the same limits.
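
The first two checks above can be scripted. The following is an added example, not part of the Fedora feature page or of libpwquality; it runs against constructed sample files in a temporary directory, and the sample PAM lines and the minlen and dcredit values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Fedora's code: helpers for the first two test steps.

# Print the arguments of the first active "password" line in PAM file $1 that
# loads pam_pwquality.so; return 1 if the module is absent or commented out.
pam_pwquality_args() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^-?password$/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /(^|\/)pam_pwquality\.so$/) {
                    out = ""
                    for (j = i + 1; j <= NF; j++) out = out (j > i + 1 ? " " : "") $j
                    print out; found = 1; exit
                }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the value of setting $2 from a pwquality.conf style file $1 (assumed
# here: "name = value" lines, "#" comments, last assignment is reported).
pwq_setting() {
    awk -v name="$2" '
        { sub(/#.*/, ""); n = index($0, "=") }
        n > 0 {
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) { last = val; found = 1 }
        }
        END { if (found) print last; exit found ? 0 : 1 }' "$1"
}

# Constructed sample files (not copied from a real system) written under $1.
make_samples() {
    printf '%s\n' '#%PAM-1.0' \
        'auth        required      pam_unix.so' \
        'password    requisite     pam_pwquality.so try_first_pass retry=3' \
        'password    sufficient    pam_unix.so sha512 shadow use_authtok' > "$1/system-auth"
    printf '%s\n' 'password    requisite     pam_cracklib.so retry=3' \
        '# password  requisite     pam_pwquality.so' > "$1/password-auth"
    printf '%s\n' '# minlen = 8' 'minlen = 12' 'dcredit = -1' > "$1/pwquality.conf"
}

dir=$(mktemp -d) && make_samples "$dir"
for f in system-auth password-auth; do
    if args=$(pam_pwquality_args "$dir/$f"); then echo "$f: pam_pwquality ($args)"
    else echo "$f: pam_pwquality NOT in password stack"; fi
done
echo "minlen = $(pwq_setting "$dir/pwquality.conf" minlen)"
rm -rf "$dir"
```

On a real system, pass /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/security/pwquality.conf to the same functions. The arguments printed for the PAM line are worth reviewing too, since pam_pwquality also accepts limits there and not only in the configuration file.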

User Experience

There will not be much change in the end-user experience. However, system administrators will now be able to easily set the limits for password quality on the system by editing a single configuration file.

Dependencies

  • GNOME/KDE
  • authconfig
  • anaconda/firstboot
  • system-config-users

Contingency Plan

Not much is needed: the user experience changes little with the switch from pam_cracklib to pam_pwquality. The contingency plan is therefore simply not to ship the changes in the other applications if they are not implemented.

Documentation

  • Libpwquality
  • The API of the library is described in the pwquality.h header file.
  • There is a Python wrapper for libpwquality named python-pwquality; see the output of pydoc pwquality.
  • There are manual pages in the package.

Release Notes

  • The user password quality limits are now configurable by changing the /etc/security/pwquality.conf configuration file.
  • The Authconfig (system-config-authentication) tool now supports changing some of the settings in its GUI and with command line options.

Comments and Discussion