How do I disable or modify pam's password requirements?
After a cursory look at the source code in /usr/sbin/authconfig and /usr/share/authconfig/authinfo.py:
- The man page is incomplete, the complete list of options accepted by the script is in authconfig --help
- Everything can be overridden on the command-line (even /etc/security/pwquality.conf settings like password minimum length), except pwquality itself. IMHO, this is a bug and should be reported.
- From authinfo.py line 2489 and 2156:
    def read(self):
        self.readSysconfig()
        ...
        self.readPAM(ref)
        ...
First readSysconfig reads /etc/sysconfig/authconfig; then what you put there is overwritten by readPAM with what is in /etc/pam.d/* (especially password_auth* and system_auth*):
    if module.startswith("pam_cracklib") or module.startswith("pam_pwquality"):
        self.setParam("enablePWQuality", True, ref)
TL;DR: for the options which are not overridden (or cannot be), the settings are taken from the current configuration, including files which are tagged autogenerated. To make it work, edit /etc/sysconfig/authconfig and remove lines shown by grep -E pwq\|crack /etc/pam.d/*
Edit: There is a second bug, which makes the advice above still not work: line 2248:
    # Special handling for pam_pwquality and pam_passwdqc: there can be
    # only one.
    if self.enablePWQuality and self.enablePasswdQC:
        self.setParam("enablePasswdQC", False, ref)
    if not self.enablePWQuality and not self.enablePasswdQC:
        self.setParam("enablePWQuality", True, ref)
You have to choose one of the two implementations of quality control, or one will be chosen for you! Combined with the first bug, this makes it impossible to disable.
You can take manual control over your system-auth file. Create a new file (you could start by copying system-auth-ac), and change the system-auth symlink to point at the new file.
This makes it your responsibility to update this part of your PAM configuration, as authconfig will no longer touch the symlink or the file it points to. However, authconfig will still update the system-auth-ac file, so you can continue to use that as a reference if you need to. With some cleverness, you may even be able to include it into your local copy, but how to do that is beyond the scope of this question.
You should also check for other symlinks, such as password-auth. You may need to give them the same treatment.
From the authconfig(8) manpage, under Files:
    /etc/pam.d/system-auth
        Common PAM configuration for system services which include it using
        the include directive. It is created as symlink and not relinked if
        it points to another file.
    /etc/pam.d/system-auth-ac
        Contains the actual PAM configuration for system services and is the
        default target of the /etc/pam.d/system-auth symlink. If a local
        configuration of PAM is created (and symlinked from system-auth
        file) this file can be included there.
So if system-auth is a file, then authconfig changes it to link to system-auth-ac. But if system-auth is a symlink, then authconfig leaves it alone.
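
A read-only check for the state the two answers above describe, added here as an example (not code from authconfig or from either answer): it reports whether system-auth and password-auth are symlinks to the authconfig-generated -ac files, symlinks to a local file, or regular files, and counts uncommented pam_pwquality/pam_cracklib lines in each. The function names, the system-auth-local file name and the sample PAM lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not authconfig code). File names come from the answers above.

# State of one PAM stack file: missing | regular-file |
# authconfig-managed (symlink to NAME-ac) | local-override (symlink elsewhere)
pam_link_state() {
    path="$1/$2"
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        case "${target##*/}" in
            "$2-ac") echo authconfig-managed ;;
            *)       echo local-override ;;
        esac
    elif [ -f "$path" ]; then
        echo regular-file
    else
        echo missing
    fi
}

# Number of uncommented pam_pwquality/pam_cracklib lines in the file that
# NAME resolves to (the symlink is followed, so the effective file is read).
pam_quality_lines() {
    [ -e "$1/$2" ] || { echo 0; return 0; }
    grep -Ec '^[^#]*pam_(pwquality|cracklib)' "$1/$2" || true
}

# One report line per stack file.
audit_pam_dir() {
    for name in system-auth password-auth; do
        echo "$name: $(pam_link_state "$1" "$name"), quality lines: $(pam_quality_lines "$1" "$name")"
    done
}

# Constructed sample tree: system-auth overridden locally without a quality
# module, password-auth still pointing at the authconfig-generated file.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'password requisite pam_pwquality.so try_first_pass\npassword sufficient pam_unix.so\n' \
        | tee "$d/system-auth-ac" > "$d/password-auth-ac"
    printf '# pam_pwquality removed locally\npassword sufficient pam_unix.so\n' > "$d/system-auth-local"
    ln -s system-auth-local "$d/system-auth"
    ln -s password-auth-ac "$d/password-auth"
    echo "$d"
}

d=$(make_sample_dir); audit_pam_dir "$d"; rm -rf "$d"
```

On a real host, call audit_pam_dir /etc/pam.d instead of the sample tree; a regular-file result is the case the answer above says authconfig will change back into a link to the -ac file.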
It looks to be configurable through /etc/security/pwquality.conf
Source: https://fedoraproject.org/wiki/Features/PasswordQualityChecking
You can still change from the command line. You get a warning, but it will let you set a password that is too short, as well as one that does not meet complexity rules.