# Enforcing password quality with PAM



## fumanchu (Sep 14, 2021)

Hello,

I am trying to use PAM to enforce password quality and run into a strange issue... so I have a couple questions...

Okay, I am wanting to enforce password quality for all users all of the time.  With that, I have started out modifying /etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/sshd, and /etc/pam.d/system.  I added the following configuration line to each file...


```
password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone
```

I then create a user using the following commands in a .sh script like this...


```
# Yesterday's date in the dd-mmm-yy form pw(8) expects (BSD date(1) syntax)
yesterday=$(date -v -1d +'%d-%b-%y')
# -h 0 reads the initial password from stdin; -p sets the password expiry
# to yesterday so the first login forces a change via the PAM password stack
echo welcome1 | pw useradd -n support -c "Support User" -G wheel -s /bin/sh -m -h 0 -p "${yesterday}"
```

I set it up like this so that the 1st time the user logs in, the system should force a password change using the rules that are setup in PAM...  Well that is what I thought would happen... but it does not quite work as I thought...

When the user logs in, I get...


```
login: support
Password: (I enter welcome1)
```

I immediately get


```
New Password:
```

I am not quite sure why, so I enter my new password...


```
New Password: (I enter 1234AbCd!)
```

And then I get...


```
You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use a 2147483647 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.
Enter new password:
```

So, this brings me to my questions...

1. Why am I being asked this again since I just entered a new password?  This is odd to me...  I have not found a solution for this and thought I would ask here...
2. 2147483647 character long password... really?  I disabled all the checks except for N4... why would I get this?

Thanks,


----------



## eternal_noob (Sep 14, 2021)

fumanchu said:


> 2147483647 character long password... really?


Quantum computers need about 1 second to crack this. Better use a longer one.


----------



## mark_j (Sep 15, 2021)

The


> digits and other characters.  You can use a 2147483647 character long


is a bug. You should log this.

It's caused by not having a *NUMBER* in min position N3 that's valid.

When it encounters the word "disabled" it just converts to this (MAX_INT).

The module pam_passwdqc.c is checking for "disabled" and putting this insane value in. I guess the question is what is the "default" character length of a password that PAM would like to see and can be used as a default instead of 2147483647? That's a question for the developers.

Order is important with /etc/pam.d/passwd. Ensure your rule above is before the pam_unix.so
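The 2147483647 figure explained above, worked through as an added example (this is not code from the thread or from passwdqc itself): a small C model of how pam_passwdqc reads `min=N0,N1,N2,N3,N4`, turns the keyword `disabled` into `INT_MAX`, and picks the length threshold from the number of character classes in the password. The function names `parse_min`, `count_classes`, `required_length` and `password_ok` are this example's own; the slot mapping (N3 for three classes, N4 for four), the non-increasing rule for the five values, and the rule that a leading upper-case letter and a trailing digit are not credited as classes follow the pam_passwdqc(8) man page. Passphrase handling (N2) and the other common-pattern checks are not modelled.

```c
/*
 * Added example: a model of pam_passwdqc's min= parsing and class-based
 * length thresholds. Not the real module's code.
 */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PWQ_SLOTS 5   /* N0..N4 */

/* Parse "min=N0,N1,N2,N3,N4": "disabled" becomes INT_MAX (the 2147483647
 * seen in the prompt), anything else must be a decimal number, and each
 * value may not exceed the one before it. Returns 0 on success, -1 on error. */
int parse_min(const char *opt, int min[PWQ_SLOTS])
{
    const char *p;
    int i;

    if (strncmp(opt, "min=", 4) != 0)
        return -1;
    p = opt + 4;
    for (i = 0; i < PWQ_SLOTS; i++) {
        if (strncmp(p, "disabled", 8) == 0) {
            min[i] = INT_MAX;
            p += 8;
        } else {
            char *end;
            long v = strtol(p, &end, 10);
            if (end == p || v < 0 || v > INT_MAX)
                return -1;
            min[i] = (int)v;
            p = end;
        }
        if (i < PWQ_SLOTS - 1) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != '\0')
        return -1;
    for (i = 1; i < PWQ_SLOTS; i++)
        if (min[i] > min[i - 1])
            return -1;   /* "disabled" in N1 after a number in N0, etc. */
    return 0;
}

/* Count the character classes used. A capital as the first character and a
 * digit as the last character are not credited (man page rule). */
int count_classes(const char *pw)
{
    size_t len = strlen(pw), i;
    int lower = 0, upper = 0, digit = 0, other = 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c))          lower = 1;
        else if (isupper(c))   { if (i != 0)       upper = 1; }
        else if (isdigit(c))   { if (i != len - 1) digit = 1; }
        else                     other = 1;
    }
    return lower + upper + digit + other;
}

/* Length threshold for a password with the given class count:
 * N0 = one class, N1 = two, N3 = three, N4 = four (N2 is for passphrases). */
int required_length(const int min[PWQ_SLOTS], int classes)
{
    switch (classes) {
    case 1:  return min[0];
    case 2:  return min[1];
    case 3:  return min[3];
    case 4:  return min[4];
    default: return INT_MAX;   /* nothing creditable, e.g. empty password */
    }
}

/* 1 if the password is long enough for its class count, 0 otherwise.
 * A threshold of INT_MAX ("disabled") can never be met. */
int password_ok(const int min[PWQ_SLOTS], const char *pw)
{
    int need = required_length(min, count_classes(pw));
    return need != INT_MAX && strlen(pw) >= (size_t)need;
}

int main(void)
{
    int min[PWQ_SLOTS];
    const char *cfg = "min=disabled,disabled,disabled,disabled,8"; /* the thread's setting */

    if (parse_min(cfg, min) != 0) {
        fprintf(stderr, "bad min= option\n");
        return 1;
    }
    /* Reproduces the numbers printed in the prompt: 2147483647 and 8 */
    printf("3-class minimum: %d, 4-class minimum: %d\n", min[3], min[4]);
    printf("1234AbCd!    -> %d classes, ok=%d\n", count_classes("1234AbCd!"), password_ok(min, "1234AbCd!"));
    printf("abcDEF123xyz -> %d classes, ok=%d\n", count_classes("abcDEF123xyz"), password_ok(min, "abcDEF123xyz"));
    return 0;
}
```

With the thread's `min=` string, the three-class slot holds `INT_MAX`, which is what the prompt prints; a three-class password is rejected at any length, while `1234AbCd!` passes the four-class rule of 8. Feeding a setting such as `min=disabled,24,11,8,7` shows the same code accepting the three-class password at 12 characters.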


----------



## fumanchu (Sep 15, 2021)

Many thanks!  I will try and submit a bug...


----------



## fumanchu (Sep 15, 2021)

mark_j said:


> Order is important with /etc/pam.d/passwd. Ensure your rule above is before the pam_unix.so



I was able to modify /etc/pam.d/login, /etc/pam.d/passwd, /etc/pam.d/sshd, and /etc/pam.d/system as you suggested and put the extra configuration line in the correct order.  Now, when the _support_ user logs in, the system asks the user for a password change using the newly specified rules...  This is good...
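The ordering mark_j describes, shown as an added example of the password stack in /etc/pam.d/passwd (this is not a file from the thread; the pam_passwdqc line is the one posted above, and the pam_unix line is assumed to match the stock FreeBSD file):

```conf
# /etc/pam.d/passwd -- password stack, quality check first.
# "requisite" means a rejected password ends the stack here, so pam_unix
# never receives a password that failed the passwdqc check; try_first_pass
# lets pam_unix reuse the new password passwdqc already collected.
password	requisite	pam_passwdqc.so		min=disabled,disabled,disabled,disabled,8 max=40 similar=deny retry=3 random=0 ask_oldauthtok enforce=everyone
password	required	pam_unix.so		no_warn try_first_pass nullok
```

The same relative order applies in the other service files (login, sshd, system) whose `password` stacks carry a pam_unix line.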


----------



## mark_j (Sep 15, 2021)

fumanchu said:


> Many thanks!  I will try and submit a bug...


Please do. If you would rather not, I will do it for you. Just ask.


----------



## fumanchu (Sep 16, 2021)

Okay, bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258535 has been submitted.


----------

