nenrico
asked on
Linux maximum password length
Hi, I want to find out the maximum password length configuration on Linux. Does Linux usually have this config? If so, where can I find the system setting for it? Thanks.
Some Linuxes store passwords as MD5, some as SHA1 and some as Blowfish hashes.
No limit on password there.
You can verify that by setting passwords longer than 255 characters: the resulting hash differs for different passwords with a common first 256 chars.
Oh, I adore when someone accepts incorrect solution...
I was wondering if I should comment on that. I don't know who you are or what you are, but the place to set the maximum length of a password (or the length that counts) is where I have stated. Don't believe me? Please check it for yourself. The question was not what is the max length, but the configuration option for it.
ezaton: Your answer is less/more ok. But /etc/pam.d/common-password is not available on my modern FC nor up2date gentoo.
Tintin's totally wrong. No limit at 255 chars; login.defs has the option to limit max pass length.
Check your /etc/pam.d/password (or passwd). Modern systems avoid using login.defs.
RHEL4 uses common-password which /etc/pam.d/password points at.
Let me say that I was indeed wrong. I was basing my information on the maximum length of MD5 passwords in Solaris, and I naively assumed the same applied to Linux.
ezaton, please read the original question again. It explicitly asks for what the maximum password length is and where it can be set.
I do note that on my Debian 3.1 server, there is an entry in /etc/login.defs for
PASS_MAX_LEN 8
However, this option is not mentioned anywhere in the man page and doesn't exist on any of the various Redhat servers I have access to.
I do note that debian 3.1 has /etc/pam.d/common-password and the more standard /etc/pam.d/passwd (which just includes common-password) and that it can be configured to set a maximum password length. The debian entry has:
password required pam_unix.so nullok obscure min=4 max=8 md5
and this is documented in pam_passwdqc on Redhat systems.
So let's summarise here. On any recent Redhat/CentOS and probably Fedora (don't have access to a Fedora box at the moment) the maximum password length is practically unlimited. This probably applies to most other distributions, but as we've seen, there can be subtle but important differences as to how they are configured.
ezaton.
You say RHEL4 /etc/pam.d/password points to /etc/pam.d/common-password . That's not what I've found.
On a Centos 4.4 server
/etc/pam.d/password contains
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
and there is no common-password file
on a RHEL4 update 5 server, exactly the same as above applies.
Sorry. My bad. On RHEL4, same as you saw, on Ubuntu's PAM (7.04 server):
/etc/pam.d/passwd:
#
# The PAM configuration file for the Shadow `passwd' service
#
@include common-password
On /etc/pam.d/common-password :
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
#used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password required pam_unix.so nullok obscure min=4 max=8 md5
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
Same directives WOULD work in RHEL4 for pam_unix.so.
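As an added example (not posted by anyone in this thread), here is a small POSIX shell script that reads the two places discussed above: the max= option on a pam_unix.so password line (Debian/Ubuntu common-password style) and the PASS_MAX_LEN key in login.defs. The sample config files are constructed inline for the demo, and the helper function names are my own; on a real box you would point the functions at /etc/pam.d/common-password, /etc/pam.d/system-auth and /etc/login.defs instead.

```shell
#!/bin/sh
# Added example: locate and read the max-length settings discussed in this thread.
# The sample config files below are constructed for the demo, not copied from any host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Debian/Ubuntu style: pam_unix.so carries min=/max= on the password line.
cat > "$WORK/common-password" <<'EOF'
# constructed sample of /etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=8 md5
# password required pam_cracklib.so retry=3 minlen=6 difok=3
EOF

# RHEL/CentOS 4 style: /etc/pam.d/passwd delegates to system-auth, whose
# pam_unix.so line sets no max= at all.
cat > "$WORK/system-auth" <<'EOF'
#%PAM-1.0
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
EOF

cat > "$WORK/login.defs" <<'EOF'
# constructed sample of /etc/login.defs
PASS_MAX_DAYS 99999
PASS_MIN_LEN 5
PASS_MAX_LEN 8
EOF

# Print the max= value from the first active pam_unix.so "password" line of a
# PAM file, or "none" when that option is absent (pam_unix then enforces no
# upper bound). Lines starting with # are comments and are skipped.
pam_unix_max_len() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" && /pam_unix\.so/ {
            found = 1
            for (i = 2; i <= NF; i++)
                if ($i ~ /^max=[0-9]+$/) { sub(/^max=/, "", $i); print $i; exit }
            print "none"; exit
        }
        END { if (!found) print "none" }' "$1"
}

# Print the PASS_MAX_LEN value from a login.defs file, or "none" if unset.
# (As noted in the thread, this key is only honoured by older shadow setups.)
login_defs_pass_max_len() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "PASS_MAX_LEN" { print $2; found = 1; exit }
        END { if (!found) print "none" }' "$1"
}

printf 'common-password max=:    %s\n' "$(pam_unix_max_len "$WORK/common-password")"
printf 'system-auth max=:        %s\n' "$(pam_unix_max_len "$WORK/system-auth")"
printf 'login.defs PASS_MAX_LEN: %s\n' "$(login_defs_pass_max_len "$WORK/login.defs")"
```

Run as-is to see the three answers side by side: the Debian-style file reports 8, the RHEL-style file reports none (no upper bound configured), and the legacy login.defs key reports 8. The awk filters ignore commented-out lines, so the disabled pam_cracklib line in the sample is not mistaken for an active rule.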