Everything I find online mentions commenting out cracklib… but it doesn’t exist in my system-auth file.
I would like to disable the dictionary check that CentOS does when a user is changing their password.
This is my system-auth file:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        required      pam_deny.so
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     required      pam_permit.so
    password    requisite     pam_pwquality.so try_first_pass local_users_only retr$
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_a$
    password    required      pam_deny.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet$
    session     required      pam_unix.so
With the strong warning that you shouldn’t be trying to disable this to begin with:
The dictionary check is handled by cracklib, via pam_pwquality, which you should have seen present in the
The man page for the current version of pam_pwquality suggests an option to disable the dictionary check:
    dictcheck=N
        If nonzero, check whether the password (with possible modifications) matches a word in a dictionary. Currently the dictionary check is performed using the cracklib library. The default is 1 which means that this check is enabled.
The man page also states that you can add this into /etc/security/pwquality.conf or as an option in /etc/pam.d/system-auth (which may be overwritten by system tools, so you should avoid altering it when you can).
Unfortunately the version of pam_pwquality shipped by Red Hat in EL 7 doesn’t support the dictcheck option. So your only real solution is to not use pam_pwquality at all. Note that commenting this out will also disable all of the other checks it performs, such as minimum password length and character complexity.
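An added example, not part of the original answer: a small audit that reads a PAM password stack and a pwquality.conf and reports when the dictionary check is off or when the quality module is missing altogether, which is the side effect the answer warns about. The sample file contents, function names and the precedence rule noted in the comment are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the password stack in the question.
SAMPLE_PAM = """\
#%PAM-1.0
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
password    required      pam_deny.so
"""
SAMPLE_CONF = "# constructed pwquality.conf\nminlen = 12\ndictcheck = 0\n"

QUALITY_MODULES = {"pam_pwquality.so", "pam_cracklib.so"}
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def active_rules(pam_text):
    """Yield (type, control, module, options) for each uncommented rule."""
    for line in pam_text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            opts = dict(a.partition("=")[::2] for a in m.group(4).split())
            yield m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1], opts

def conf_settings(conf_text):
    """Parse 'key = value' lines of a pwquality.conf-style file."""
    pairs = (l.split("#", 1)[0].partition("=")[::2] for l in conf_text.splitlines())
    return {k.strip(): v.strip() for k, v in pairs if k.strip()}

def audit(pam_text, conf_text=""):
    findings = []
    quality = [r for r in active_rules(pam_text)
               if r[0] == "password" and r[2] in QUALITY_MODULES]
    if not quality:
        findings.append("no quality module: length and complexity checks are off too")
    conf = conf_settings(conf_text)
    for _, control, module, opts in quality:
        # Assumption: an option on the PAM line takes precedence over the conf file.
        if opts.get("dictcheck", conf.get("dictcheck", "1")) == "0":
            findings.append(f"{module}: dictionary check disabled (dictcheck=0)")
        if control not in ("requisite", "required"):
            findings.append(f"{module}: control '{control}' may not reject a failed check")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM, SAMPLE_CONF) or ["password stack looks intact"]:
        print(finding)
```

On a real host, pass the contents of /etc/pam.d/system-auth and /etc/security/pwquality.conf instead of the constructed samples.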
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.