How to disable password dictionary check in CentOS 7

Calab asked:

Everything I find online mentions commenting out cracklib… but it doesn’t exist in my system-auth file.

I would like to disable the dictionary check that CentOS does when a user is changing their password.

This is my system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retr$
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_a$
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet$
session     required      pam_unix.so

My answer:


With the strong warning that you shouldn’t be trying to disable this to begin with:

The dictionary check is handled by cracklib, via pam_pwquality, which you should have seen present in the /etc/pam.d/system-auth file.

The man page for the current version of pam_pwquality suggests an option to disable the dictionary check:

       dictcheck=N
           If nonzero, check whether the password (with possible
           modifications) matches a word in a dictionary. Currently the
           dictionary check is performed using the cracklib library. The
           default is 1 which means that this check is enabled.

The man page also states that you can add this into /etc/security/pwquality.conf or as an option in /etc/pam.d/system-auth (which may be overwritten by system tools, so you should avoid altering it when you can).

Unfortunately the version of pam_pwquality shipped by Red Hat in EL 7 doesn’t support the dictcheck option. So your only real solution is to not use pam_pwquality at all. Note that commenting this out will also disable all of the other checks it performs, such as minimum password length and character complexity.


View the full question and answer on Server Fault.
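
The answer names two places where dictcheck can be set, and both can be audited together to see whether the dictionary check has been switched off or pam_pwquality removed from the password stack. This added example is not part of the original answer; the function name and sample files are constructed, and it assumes an argument on the PAM line takes precedence over pwquality.conf.

```shell
#!/bin/sh
# Added example: report which dictcheck value a PAM password stack requests.
# Whether the installed pam_pwquality honours it must be checked separately.

# dictcheck_status PAM_FILE PWQUALITY_CONF
dictcheck_status() {
    pam_file=$1 conf_file=$2
    # First active (uncommented) pam_pwquality line in the password stack.
    line=$(grep -E '^[[:space:]]*-?password[[:space:]].*pam_pwquality\.so' "$pam_file" | head -n 1)
    if [ -z "$line" ]; then
        echo "pam_pwquality=absent"   # length and complexity checks are gone too
        return 0
    fi
    # A dictcheck=N module argument on the PAM line (assumed to take precedence).
    val=$(printf '%s\n' "$line" | tr ' \t' '\n\n' | sed -n 's/^dictcheck=\([0-9][0-9]*\)$/\1/p' | tail -n 1)
    src=pam
    if [ -z "$val" ] && [ -r "$conf_file" ]; then
        # Otherwise an uncommented "dictcheck = N" line in pwquality.conf.
        val=$(sed -n 's/^[[:space:]]*dictcheck[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf_file" | tail -n 1)
        src=conf
    fi
    # The man page default is 1 (check enabled).
    if [ -z "$val" ]; then val=1; src=default; fi
    echo "pam_pwquality=present dictcheck=$val source=$src"
}

# Constructed sample files, not taken from a real host.
samples=$(mktemp -d)
printf '%s\n' 'password requisite pam_pwquality.so try_first_pass local_users_only' \
    'password sufficient pam_unix.so sha512 shadow nullok try_first_pass' \
    'password required pam_deny.so' > "$samples/stock"
printf '%s\n' 'password requisite pam_pwquality.so try_first_pass dictcheck=0' > "$samples/inline"
printf '%s\n' '#password requisite pam_pwquality.so try_first_pass' \
    'password sufficient pam_unix.so sha512 shadow' > "$samples/commented"
printf '%s\n' '# dictcheck = 1' 'minlen = 12' > "$samples/conf_default"
printf '%s\n' 'minlen = 12' 'dictcheck = 0' > "$samples/conf_off"

dictcheck_status "$samples/stock" "$samples/conf_default"
dictcheck_status "$samples/stock" "$samples/conf_off"
dictcheck_status "$samples/inline" "$samples/conf_default"
dictcheck_status "$samples/commented" "$samples/conf_off"
```

On a host, pass /etc/pam.d/system-auth and /etc/security/pwquality.conf as the two arguments.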

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.