System Architecture: All/General
RedHat Release: RHL 5.1 (Manhattan)
FAQ Category: Security and Encryption
Modification Date: Nov 16, 1998
Red Hat Linux, out of the box, only pays attention to the first eight characters of a user's password. It would be nice to allow longer passwords, both for security and for people used to OSes (like VAX/VMS) that allow longer passwords. (VMS allows 12 characters.)
First, you want to enable shadow passwords. You want to do this for many other reasons. It is trivial to enable (from Red Hat 5.0 on, I believe, and perhaps also from earlier versions) and requires no additional maintenance or understanding.

Check to be sure you have the shadow-utils package installed:

    $ rpm -q shadow-utils

If you do not have this package installed, you must install it before continuing. Once installed, log in as root -- using "su" is sufficient -- and run

    $ /usr/sbin/pwconv

Now you are using shadow passwords. This means passwords are now stored in the file /etc/shadow rather than /etc/passwd, indicated in /etc/passwd by replacing encrypted passwords with the single character 'x'.

Red Hat 5.1 (and I believe 5.0 ... possibly earlier versions) comes ready for shadow passwords in that you don't need to edit any PAM configuration files, found in /etc/pam.d/* (or /etc/pam.conf for older versions of PAM). The way to check this if using Linux 5.0 or before -- I have 5.1 installed and thus can't check earlier versions -- is:

    $ grep '^auth.*pwdb' /etc/pam.d/*
    $ grep '^password.*pwdb' /etc/pam.d/*

Most -- not all -- programs requiring authentication should have a line like:

    auth       required     /lib/security/pam_pwdb.so shadow nullok
    password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok

The only exception on my system is that "su" does not have the "nullok" option for either grep and, oddly enough, "passwd" does not have "shadow" as an option for the second grep. It's possible that I added some unnecessary "shadow" options at some point in the past. If your PAM configuration files are different, I would first recommend upgrading the pam and pamconfig RPMs to the most recent updates appropriate for your distribution.

Once you have changed your system to use shadow passwords, instruct PAM to use MD5 encryption for passwords. To do this, you will need to edit files in /etc/pam.d ...
I may have gone overkill by editing chfn, chsh, login, passwd, rlogin, su, and xdm in that directory. Basically, on the lines that say

    password   required     /lib/security/pam_pwdb.so ...list of options...

make sure the option "md5" is present. Don't *remove* any options. Simply add "md5". For example, here is my /etc/pam.d/passwd file:

    #%PAM-1.0
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so retry=3
    password   required     /lib/security/pam_pwdb.so use_authtok md5 nullok

After you do this, you should use "passwd" to change each user's password. (This may not be a necessary step, but since I have so very few users on my system, it was trivial.) I believe that if you use md5 encryption, passwords can be up to 32 characters long. Making this change was easy and quick and has been flawless. If any of the steps I mention are unnecessary, please let me know so I can update this FAQ question.
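As an added example (not part of the original FAQ), the following POSIX shell script checks the two conditions the procedure above leaves you with: that /etc/passwd now carries only 'x' in its password field, and that the "password required /lib/security/pam_pwdb.so" line carries the "md5" option. It also shows the edit the FAQ describes, appending "md5" while keeping every existing option. The script works on constructed sample files in a temporary directory rather than on the real /etc/passwd and /etc/pam.d, so running it changes nothing on the system; the function names, the placeholder hash and the sample file contents are the example's own assumptions, while the file layout and the module path /lib/security/pam_pwdb.so are those the FAQ uses.

```shell
#!/bin/sh
# Added example, not part of the original FAQ. Checks whether password hashes
# have left /etc/passwd (pwconv done) and whether the pam_pwdb password line
# carries "md5", and adds "md5" without dropping any existing option.
# All inputs are constructed samples in a temporary directory.

# shadow_enabled FILE
#   Succeeds when every password field (2nd colon-separated field) of a
#   passwd-format file is the single character 'x'.
shadow_enabled() {
    awk -F: 'BEGIN { bad = 0 } NF && $2 != "x" { bad = 1 } END { exit bad }' "$1"
}

# pam_md5_enabled FILE
#   Succeeds when a "password required /lib/security/pam_pwdb.so ..." line
#   exists in a PAM config file and one of its options is exactly "md5".
#   Matching on whole fields means a pam_cracklib "password" line is ignored.
pam_md5_enabled() {
    awk '
        $1 == "password" && $2 == "required" && $3 == "/lib/security/pam_pwdb.so" {
            seen = 1
            for (i = 4; i <= NF; i++) if ($i == "md5") ok = 1
        }
        END { exit (seen && ok) ? 0 : 1 }
    ' "$1"
}

# add_md5 IN OUT
#   Copies IN to OUT, appending " md5" to the pam_pwdb password line when it
#   is missing. Every existing option is kept, as the FAQ advises; running it
#   twice does not add "md5" a second time.
add_md5() {
    awk '
        $1 == "password" && $2 == "required" && $3 == "/lib/security/pam_pwdb.so" {
            has = 0
            for (i = 4; i <= NF; i++) if ($i == "md5") has = 1
            if (!has) $0 = $0 " md5"
        }
        { print }
    ' "$1" > "$2"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed /etc/passwd samples: before pwconv (PLACEHOLDERHASH stands in
# for a real crypt hash) and after pwconv (hash replaced by 'x').
printf 'root:PLACEHOLDERHASH:0:0:root:/root:/bin/bash\n' > "$TMP/passwd.before"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:500:500::/home/alice:/bin/bash\n' > "$TMP/passwd.after"

# Constructed /etc/pam.d/passwd, laid out like the FAQ's file but without "md5".
cat > "$TMP/pam.passwd" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_pwdb.so use_authtok nullok
EOF

add_md5 "$TMP/pam.passwd" "$TMP/pam.passwd.md5"

for f in passwd.before passwd.after; do
    if shadow_enabled "$TMP/$f"; then echo "$f: shadow passwords in use"
    else echo "$f: hashes still in the passwd file; run pwconv"; fi
done
for f in pam.passwd pam.passwd.md5; do
    if pam_md5_enabled "$TMP/$f"; then echo "$f: md5 option present"
    else echo "$f: md5 option missing"; fi
done
```

To check a real system, call shadow_enabled /etc/passwd and pam_md5_enabled on each file under /etc/pam.d you care about; add_md5 writes to a separate output file, so diff it against the original and copy it into place by hand as root. The appended option lands at the end of the line, so the result reads "use_authtok nullok md5" rather than the FAQ's "use_authtok md5 nullok"; PAM does not care about the order.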
man 1 passwd
man 5 shadow
man 5 passwd
man pwconv
dir /usr/doc/pam*