Beyond Linux® From Scratch (System V Edition) - Version 12.2

Chapter 4. Security

libpwquality-1.4.5

Introduction to libpwquality

The libpwquality package provides common functions for password quality checking and also scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability.

This package is known to build and work properly using an LFS 12.2 platform.

Package Information

libpwquality Dependencies

Required

CrackLib-2.10.2

Recommended

Linux-PAM-1.6.1

Installation of libpwquality

Install libpwquality by running the following commands: 

./configure --prefix=/usr                      \
            --disable-static                   \
            --with-securedir=/usr/lib/security \
            --disable-python-bindings          &&
make &&
pip3 wheel -w dist --no-build-isolation --no-deps --no-cache-dir $PWD/python

This package does not come with a test suite.

Now, as the root user: 

make install &&
pip3 install --no-index --find-links=dist --no-cache-dir --no-user pwquality

Command Explanations

--disable-python-bindings: This parameter disables building Python bindings with the deprecated python3 setup.py build command. The explicit instruction to build the Python 3 binding with the pip3 wheel command is provided.

Configuring libpwquality

libpwquality is intended to be a functional replacement for the now-obsolete pam_cracklib.so PAM module. To configure the system to use the pam_pwquality module, execute the following commands as the root user: 

mv /etc/pam.d/system-password{,.orig} &&
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_pwquality)
password  required    pam_pwquality.so   authtok_type=UNIX retry=1 difok=1 \
                                         minlen=8 dcredit=0 ucredit=0 \
                                         lcredit=0 ocredit=0 minclass=1 \
                                         maxrepeat=0 maxsequence=0 \
                                         maxclassrepeat=0 gecoscheck=0 \
                                         dictcheck=1 usercheck=1 \
                                         enforcing=1 badwords="" \
                                         dictpath=/usr/lib/cracklib/pw_dict

# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password  required    pam_unix.so        yescrypt shadow try_first_pass

# End /etc/pam.d/system-password
EOF

Contents

Installed Programs: pwscore and pwmake
Installed Libraries: pam_pwquality.so and libpwquality.so
Installed Directories: /usr/lib/python3.11/site-packages/pwquality-1.4.5.dist-info

Short Descriptions

pwmake

is a simple configurable tool for generating random and relatively easily pronounceable passwords

pwscore

is a simple tool for checking quality of a password

libpwquality.so

contains API functions for checking the password quality

pam_pwquality.so

is a Linux PAM module used to perform password quality checking