Password Quality Checking
The goal is to provide unified and configurable way to check quality of new passwords on the system.
- Name: Tomáš Mráz
- Email: email@example.com
- Targeted release: Fedora 17
- Last updated: 2011-12-12
- Percentage of completion: 70%
The current Fedora does not have a single configurable library that would be used for checking quality of new passwords used for the system accounts. When passwords are changed through the PAM (Pluggable Authentication Modules) with the passwd command pam_cracklib or pam_passwdqc modules are used for this purpose. However these modules are not used when new users are created on the system and it is not easy and straightforward to use the PAM modules for this purpose.
The goal of this feature is to provide a library with simple API that would be usable:
- from a PAM module that would be used instead of pam_cracklib or pam_passwdqc
- directly from any application that wants to check quality of new passwords not only for the system accounts but for any purpose
- to generate a random pronounceable password that fulfils the password quality requirements
The library libpwquality is already written and the package is built on Fedora rawhide. See Libpwquality
Benefit to Fedora
Fedora will have a single point where the system password quality limits are configured.
As the library is already done the remaining work is on porting the current applications that set/change passwords on user accounts. These applications are (non-exhaustive list):
- passwd (already done by replacing the default password quality checking PAM module in system-auth to pam_pwquality)
- system-config-users (patch written, feature bug report created)
- anaconda/firstboot (agreed on the change with Martin Gracik from anaconda team)
- GNOME/KDE password change dialogs
Future work will include configuration of some of the password quality limits with authconfig.
How To Test
Testing the feature is quite simple. Just install the Fedora and:
- verify that pam_pwquality is in the /etc/pam.d/system-auth and /etc/pam.d/password-auth
- verify that you can configure password quality limits in /etc/security/pwquality.conf and these limits are enforced when you try to change the password with passwd
- verify that various utilities in the system that create new users or allow changing user passwords enforce the same limits.
There will not be much change for the end-user experience. However the system administrators will now be able to easily set the limits for password quality on the system by editing a single configuration file.
Not much needed, the current experience with the change of the pam_cracklib to pam_pwquality is not changed much. So the contingency plan is to just not ship the changes in the other applications if they are not implemented.
- The API of the library is described in the pwquality.h header file.
- There is Python wrapper for the libpwquality named python-pwquality, see pydoc pwquality output.
- There are manual pages in the package.
- The user password quality limits are now configurable by changing the /etc/security/pwquality.conf configuration file.