How to change/disable password complexity test when changing password?

password policy

I know that it is a "bad" idea, I know that it is not secure, I know. I searched the net for an answer and all I saw was whining that it's not good. But I like using Linux because it lets me make the system I want and like to use. The end of intro.

I try to change password:

user:~% passwd
Changing password for user.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password

If I try sudo passwd user then I can set any password I want so I don't need password complexity checks for passwd on my system.

After googling I've found that there should be PAM module pam_cracklib that tests password for complexity and it can be configured. But my PAM password settings doesn't include pam_cracklib:

% cat /etc/pam.d/passwd | grep '^[^#]'
@include common-password
% cat /etc/pam.d/common-password | grep '^[^#]'
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite           pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so

I guess that pam_unix makes this test... Oops... Guys, the moment I finished to write this sentence I've got an enlightenment and typed man pam_unix in terminal where I've found needed options for pam_unix module.

I just removed option obscure and added minlen=1 and now I'm happy. So now I have this line in /etc/pam.d/common-password:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

and I can set any password.

I decided to keep this post for people who might need this solution also.


Ok, I will answer my question :)

I've found that pam_unix module performs password complexity check and it can be configured.

man pam_unix:

   minlen=n
       Set a minimum password length of n characters. The default value is
       6. The maximum for DES crypt-based passwords is 8 characters.

   obscure
       Enable some extra checks on password strength. These checks are
       based on the "obscure" checks in the original shadow package. The
       behavior is similar to the pam_cracklib module, but for
       non-dictionary-based checks.

Solution:
Alter the line in the pam_unix module in the /etc/pam.d/common-password file to:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

It allows you to set any password with minimal length of 1.


If it is a once off, using the passwd command as root you can set a simple password for a user by simply entering the desired value, and then enter the password two times at the prompts.

john@workpad:~$ sudo bash
[sudo] password for john: 
root@workpad:/home/john# passwd john
New password: 
Retype new password: 
passwd: password updated successfully
root@workpad:/home/john# exit
exit
john@workpad:~$

Open the common-password config file for editing:

sudo -H gedit /etc/pam.d/common-password

Comment this line by adding the # character to the front as shown:

#password   [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512

Also comment this line, otherwise password setting will ask you to pass a mix of upper/lower case letters:

#password   requisite           pam_passwdqc.so enforce=everyone max=18 min=disabled,8,8,1,1 retry=2 similar=deny

Now just add this line into the same file: 

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

this should do it...

Related

How do I add a line to my /etc/apt/sources.list?
How do I burn a DVD ISO using the terminal?
How to rsync to android
Group permissions allow, but still get permission denied
How to install X11/xorg?
Do all domains technically end with "."?
Running tasks inside LXD container through ansible
How to use multiple SSL certificates in HA Proxy [duplicate]
Kickstart create users and add to groups
How much RAM do I need to run a forum using Nginx, Gunicorn, Django?
In IIS7, is it possible to have custom environment variables per web site?
How to handle in-progress request when applying rolling update?