Beyond Linux® From Scratch (systemd Edition) - Version 11.3

Chapter 4. Security

libpwquality-1.4.5

Introduction to libpwquality

The libpwquality package provides common functions for password quality checking and also scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability.

This package is known to build and work properly using an LFS 11.3 platform.

Package Information

libpwquality Dependencies

Required

CrackLib-2.9.8

Recommended

Linux-PAM-1.5.2

User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/libpwquality

Installation of libpwquality

Install libpwquality by running the following commands: 

./configure --prefix=/usr                      \
            --disable-static                   \
            --with-securedir=/usr/lib/security \
            --with-python-binary=python3       &&
make

This package does not come with a test suite.

Now, as the root user: 

make install

Command Explanations

--with-python-binary=python3: This parameter gives the location of the Python binary. The default is python, and requires Python-2.7.18.

Configuring libpwquality

libpwquality is intended to be a functional replacement for the now-obsolete pam_cracklib.so PAM module. To configure the system to use the pam_pwquality module, execute the following commands as the root user: 

mv /etc/pam.d/system-password{,.orig} &&
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_pwquality)
password  required    pam_pwquality.so   authtok_type=UNIX retry=1 difok=1 \
                                         minlen=8 dcredit=0 ucredit=0 \
                                         lcredit=0 ocredit=0 minclass=1 \
                                         maxrepeat=0 maxsequence=0 \
                                         maxclassrepeat=0 gecoscheck=0 \
                                         dictcheck=1 usercheck=1 \
                                         enforcing=1 badwords="" \
                                         dictpath=/usr/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_pwquality
# above (or any previous modules). Also set the number of crypt rounds
# to the value used in shadow.
password  required    pam_unix.so        sha512 shadow use_authtok \
                                         rounds=500000

# End /etc/pam.d/system-password
EOF

Contents

Installed Programs: pwscore and pwmake
Installed Libraries: pam_pwquality.so and libpwquality.so
Installed Directories: None

Short Descriptions

pwmake

is a simple configurable tool for generating random and relatively easily pronounceable passwords

pwscore

is a simple tool for checking quality of a password

libpwquality.so

contains API functions for checking the password quality

pam_pwquality.so

is a Linux PAM module used to perform password quality checking