Cracklib and PAM

Bruce Dubbs bdubbs at
Thu Mar 23 11:30:32 PST 2006

Dan Nicholson wrote:
> On 3/23/06, Bruce Dubbs <bdubbs at> wrote:
>> Dan,
>>   I agree with Randy about the philosophy of installing Cracklib. I'm
>> curious why you would want PAM and not use it.
> Seems I'm alone here, but I don't see them as the same issue.  They
> both provide security, but completely different aspects.  PAM provides
> control over authenticating users for programs.  Cracklib enforces
> password strength.  I use PAM.  

Inherent in the design of PAM is the module-type of password:

"this last module type is required for updating the authentication token
associated with the user. Typically, there is one module for each
`challenge/response' based authentication (auth) module-type."

I admit I don't really understand the last sentence.

In any case, cracklib provides a more robust password checking
capability than PAM alone.  If one bothers to install PAM at all, why
would someone not add this?  The control is then accomplished via the
configuration files.

It doesn't need Cracklib to work.  If
> I was running a system with lots of users who I didn't know, I'd
> probably install Cracklib.
> Should the instructions for using PAM without cracklib be removed?

No.  I was just trying to understand another viewpoint.

  -- Bruce

More information about the blfs-book mailing list