Werner Puschitz
Last fiddled: December 17, 2002.
For information on Red Hat Linux, Installation, Documentation, Kernel, Oracle, and Linux in general, see www.puschitz.com.


pam_cracklib.so

The Linux-PAM System Administrators' Guide
pam_cracklib Documentation

When you check the pam_cracklib documentation, you will notice that my patch here for pam_cracklib has been applied to pam_cracklib at http://sourceforge.net. However, at the time of this writing Red Hat has not applied this patch to their Linux distribution yet. The following procedure shows how I applied the patch to Red Hat Linux 7.2, 7.3, and Red Hat 2.1 Advanced Server.

Procedure for Patching pam_cracklib.c


By default, pam_cracklib on Red Hat Linux 7.2, 7.3, and Red Hat 2.1 Advanced Server still does not give you the option to define:
- a minimum number of lower case letters (without credits)
- a minimum number of upper case letters (without credits)
- a minimum number of digits (without credits)
- a minimum number of characters (without credits)
for a password with minimum length x.
See Enforcing Stronger Passwords for more information.

To address this problem, I wrote a patch where these restrictions can be set by assigning negative numbers to the pam_cracklib.so parameters minlen, lcredit, ucredit, dcredit, and ocredit. I tested the patch against Red Hat 7.2, 7.3, and against Red Hat 2.1 Advanced Server.
The procedure below shows how to patch and install pam_cracklib on Red Hat 7.3. For Red Hat 7.2 and Red Hat 2.1 Advanced Server, I had to change the source path to reflect the different version number of PAM. Note that only root can install and compile pam_cracklib.
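
The difference between a positive credit and a negative value can be seen in a small model of the check. This is an added example, not the patch's or the PAM project's code: the struct and function names are hypothetical, the sample passwords are constructed, and minlen is assumed to be positive.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical struct; fields are named after the pam_cracklib.so parameters. */
struct cl_opts { int minlen, lcredit, ucredit, dcredit, ocredit; };

/* credit >= 0: up to `credit` characters of the class each reduce the
 * required length by one. credit < 0: at least -credit characters of the
 * class are mandatory and earn no length bonus. Returns 0 on a missed minimum. */
static int apply_credit(int credit, int count, int *required)
{
    if (credit >= 0) {
        *required -= (count < credit) ? count : credit;
        return 1;
    }
    return count >= -credit;
}

/* Returns 1 if pw meets the policy, 0 if it is rejected.
 * Assumption: minlen is positive; a negative minlen is not modelled here. */
int password_ok(const struct cl_opts *o, const char *pw)
{
    int lower = 0, upper = 0, digit = 0, other = 0, required = o->minlen;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower++;
        else if (isupper(*p)) upper++;
        else if (isdigit(*p)) digit++;
        else other++;
    }
    if (!apply_credit(o->lcredit, lower, &required) ||
        !apply_credit(o->ucredit, upper, &required) ||
        !apply_credit(o->dcredit, digit, &required) ||
        !apply_credit(o->ocredit, other, &required))
        return 0;
    return (int)strlen(pw) >= required;
}

int main(void)
{
    const struct cl_opts credits = { 8, 1, 1, 1, 1 };      /* bonus credits */
    const struct cl_opts minimums = { 8, -1, -1, -1, -1 }; /* hard minimums */
    const char *samples[] = { "Ab1!x", "abcdefgh1!", "Abcdef1!" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s credits=%d minimums=%d\n", samples[i],
               password_ok(&credits, samples[i]), password_ok(&minimums, samples[i]));
    return 0;
}
```

With credits of 1, the five-character "Ab1!x" passes a minlen of 8 because each character class lowers the required length; with values of -1 it is rejected for length, and "abcdefgh1!" is rejected for lacking an upper case letter.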

Make sure you stay logged in as root while you install the new pam_cracklib.so shared library in /lib/security, in case something goes wrong and you are no longer able to log in as root!


Download the PAM source code and the patch:

For Red Hat 7.3, download pam-0.75-32.src.rpm from
ftp://ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/SRPMS/.

For Red Hat 7.2, download pam-0.75-14.src.rpm from
ftp://ftp.redhat.com/pub/redhat/linux/7.2/en/os/i386/SRPMS/.

Download my pam_cracklib patch from here and save it as "pam_cracklib.c.patch".


Install the PAM source code on your system:
cp pam-0.75-32.src.rpm /usr/src/redhat/SRPMS
cd /usr/src/redhat/SRPMS
rpm -ivh pam-0.75-32.src.rpm

cd /usr/src/redhat/SOURCES/
tar --bzip -xvf Linux-PAM-0.75.tar.bz2

Save the original pam_cracklib.c file and apply the patch:
cd /usr/src/redhat/SOURCES/Linux-PAM-0.75/modules/pam_cracklib

cp /download_dir/pam_cracklib.c.patch .

# patch < pam_cracklib.c.patch
patching file pam_cracklib.c
#
You can see the patched pam_cracklib.c file here.


Compile pam_cracklib.c:
cd /usr/src/redhat/SOURCES/Linux-PAM-0.75
./configure

cd /usr/src/redhat/SOURCES/Linux-PAM-0.75/modules/pam_cracklib
make

Now you should have a shared library called "pam_cracklib.so" in /usr/src/redhat/SOURCES/Linux-PAM-0.75/modules/pam_cracklib.
ls /usr/src/redhat/SOURCES/Linux-PAM-0.75/modules/pam_cracklib/pam_cracklib.so

Save the old pam_cracklib.so shared library and copy the new pam_cracklib module to /lib/security:
cp /lib/security/pam_cracklib.so /lib/security/pam_cracklib.so.orig
cp /usr/src/redhat/SOURCES/Linux-PAM-0.75/modules/pam_cracklib/pam_cracklib.so /lib/security/pam_cracklib.so


The information provided in this article shows how I patched the PAM module and is distributed AS IS. Every effort has been made to provide the information as accurately as possible, but no warranty or fitness is implied. Use of the information described herein is your responsibility; if you use it in your own environments, you do so at your own risk.


Comments?  webmaster_at_puschitz.com