Beyond Linux® From Scratch (systemd Edition) - Version r12.0-816

Chapter 4. Security

libpwquality-1.4.5

Introduction to libpwquality

The libpwquality package provides common functions for password quality checking and also scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability.

[Note]

Note

Development versions of BLFS may not build or run some packages properly if LFS or dependencies have been updated since the most recent stable versions of the books.

Package Information

libpwquality Dependencies

Required

CrackLib-2.9.11

Recommended

Linux-PAM-1.5.3

Installation of libpwquality

Install libpwquality by running the following commands: 

./configure --prefix=/usr                      \
            --disable-static                   \
            --with-securedir=/usr/lib/security \
            --disable-python-bindings          &&
make &&
pip3 wheel -w dist --no-build-isolation --no-deps --no-cache-dir $PWD/python

This package does not come with a test suite.

Now, as the root user: 

make install &&
pip3 install --no-index --find-links=dist --no-cache-dir --no-user pwquality

Command Explanations

--disable-python-bindings: This parameter disables building Python bindings with the deprecated python3 setup.py build command. The explicit instruction to build the Python 3 binding with the pip3 wheel command is provided.

Configuring libpwquality

libpwquality is intended to be a functional replacement for the now-obsolete pam_cracklib.so PAM module. To configure the system to use the pam_pwquality module, execute the following commands as the root user: 

mv /etc/pam.d/system-password{,.orig} &&
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_pwquality)
password  required    pam_pwquality.so   authtok_type=UNIX retry=1 difok=1 \
                                         minlen=8 dcredit=0 ucredit=0 \
                                         lcredit=0 ocredit=0 minclass=1 \
                                         maxrepeat=0 maxsequence=0 \
                                         maxclassrepeat=0 gecoscheck=0 \
                                         dictcheck=1 usercheck=1 \
                                         enforcing=1 badwords="" \
                                         dictpath=/usr/lib/cracklib/pw_dict

# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password  required    pam_unix.so        yescrypt shadow try_first_pass

# End /etc/pam.d/system-password
EOF

Contents

Installed Programs: pwscore and pwmake
Installed Libraries: pam_pwquality.so and libpwquality.so
Installed Directories: /usr/lib/python3.11/site-packages/pwquality-1.4.5.dist-info

Short Descriptions

pwmake

is a simple configurable tool for generating random and relatively easily pronounceable passwords

pwscore

is a simple tool for checking quality of a password

libpwquality.so

contains API functions for checking the password quality

pam_pwquality.so

is a Linux PAM module used to perform password quality checking