Verify pam_pwquality module is activated

Description

The pam_pwquality.so module enforces password quality by evaluating user-created passwords against a system dictionary and a set of rules designed to detect weak choices. Originally derived from the pam_cracklib module, it is backward-compatible with the options of pam_cracklib.

The module prompts the user for a password, checks its strength and, if it meets the criteria, requests the password again for confirmation. If both entries match, the password is passed to subsequent modules to be set as the new authentication token.

Rationale

Strong passwords significantly increase the time and effort required for unauthorized access, which improves overall system security.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$'; then

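# Define a pam-auth-update profile that puts pam_pwquality.so (requisite) in the
# Primary block of the password stack; an existing profile file is left untouched.
conf_name=cac_pwquality
if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then
    cat << EOF > /usr/share/pam-configs/"$conf_name"
Name: Pwquality password strength checking
Default: yes
Priority: 1025
Conflicts: cracklib, pwquality
Password-Type: Primary
Password:
    requisite                   pam_pwquality.so
EOF
fi

# Rebuild the /etc/pam.d/common-* files from the enabled profiles without prompting
DEBIAN_FRONTEND=noninteractive pam-auth-update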

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
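
To confirm the result after remediation, the following added example (not part of the original page or of the project's own checks) parses a PAM file and reports whether an active password rule loads pam_pwquality.so and with which control flag. The function names and the sample stack are assumptions made for illustration; the default path is the Debian-family file that pam-auth-update regenerates.

```shell
#!/bin/sh
# Added example: report whether pam_pwquality.so is active in a PAM password
# stack. Assumes one rule per line (no backslash continuations).

# pwquality_control FILE: print the control field of the first active "password"
# rule loading pam_pwquality.so. Returns 0 if found, 1 if absent, 2 if unreadable.
pwquality_control() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/#.*/, "") }                          # drop comments
        $1 != "password" && $1 != "-password" { next }
        {
            rest = $0
            sub(/^[ \t]*-?password[ \t]+/, "", rest)
            if (substr(rest, 1, 1) == "[") {        # [value=action ...] control
                i = index(rest, "]")
                if (i == 0) next                    # malformed rule
                ctl = substr(rest, 1, i)
                rest = substr(rest, i + 1)
            } else {
                ctl = rest
                sub(/[ \t].*/, "", ctl)
                sub(/^[^ \t]+/, "", rest)
            }
            sub(/^[ \t]+/, "", rest)
            sub(/[ \t].*/, "", rest)                # keep the module path only
            sub(/.*\//, "", rest)                   # basename of the path
            if (rest == "pam_pwquality.so") { print ctl; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_pwquality [FILE]: print a verdict line (hypothetical helper).
check_pwquality() {
    file=${1:-/etc/pam.d/common-password}
    ctl=$(pwquality_control "$file") ||
        { echo "FAIL: no active pam_pwquality.so rule in $file"; return 1; }
    case $ctl in
        requisite|required) echo "PASS: pam_pwquality.so ($ctl) in $file" ;;
        *) echo "REVIEW: pam_pwquality.so has control '$ctl' in $file"; return 3 ;;
    esac
}

# Constructed sample stack (not captured from a real host).
sample_stack() {
    printf '%s\n' 'password requisite pam_pwquality.so retry=3' \
        'password [success=1 default=ignore] pam_unix.so obscure use_authtok'
}
```

Calling `check_pwquality` with no argument reads /etc/pam.d/common-password; a commented-out rule or a rule in another stack (auth, session) does not count as active.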