How to disable password dictionary check in Centos 7-1

Calab asked:

Everything I find online mentions commenting out cracklib… but it doesn’t exist in my system-auth file.

I would like to disable the dictionary check that CentOS does when a user is changing their password.

This is my system-auth file:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        required

account     required
account     sufficient
account     sufficient uid < 1000 quiet
account     required

password    requisite try_first_pass local_users_only retr$
password    sufficient sha512 shadow nullok try_first_pass use_a$
password    required

session     optional revoke
session     required
-session     optional
session     [success=1 default=ignore] service in crond quiet$
session     required

My answer:

With the strong warning that you shouldn’t be trying to disable this to begin with:

The dictionary check is handled by cracklib, via pam_pwquality, which you should have seen present in the /etc/pam.d/system-auth file.

The man page for the current version of pam_pwquality suggests an option to disable the dictionary check:

           If nonzero, check whether the password (with possible
           modifications) matches a word in a dictionary. Currently the
           dictionary check is performed using the cracklib library. The
           default is 1 which means that this check is enabled.

The man page also states that you can add this into /etc/security/pwquality.conf or as an option in /etc/pam.d/system-auth (which may be overwritten by system tools, so you should avoid altering it when you can).

Unfortunately the version of pam_pwquality shipped by Red Hat in EL 7 doesn’t support the dictcheck option. So your only real solution is to not use pam_pwquality at all. Note that commenting this out will also disable all of the other checks it performs, such as minimum password length and character complexity.

View the full question and answer on Server Fault.
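
An added example, not part of the original answer and not code from pam_pwquality: a small audit that reports whether pam_pwquality is active in the password stack and which dictcheck value is configured, so a removed module or a disabled dictionary check can be flagged. The sample file contents are constructed, and the precedence of module-line options over pwquality.conf is an assumption. On EL 7, where the answer says dictcheck is unsupported, the reported value shows only what is configured, not what is enforced.

```python
import re

DEFAULT_DICTCHECK = 1  # default stated in the man page excerpt quoted above
# Matches an active "password" line; the control field may be bracketed.
PAM_LINE = re.compile(r"^\s*-?password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

# Constructed sample inputs (not the asker's files).
SAMPLE_PAM = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""
SAMPLE_CONF = "minlen = 12\ndictcheck = 0   # dictionary check switched off\n"

def parse_pwquality_conf(text):
    """Parse 'key = value' lines from pwquality.conf text, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def pwquality_module_args(pam_text):
    """Return the arguments of the active pam_pwquality password line, or None
    if the module is absent or commented out."""
    for line in pam_text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0])
        if m and m.group(1).rsplit("/", 1)[-1] == "pam_pwquality.so":
            return m.group(2).split()
    return None

def audit(pam_text, conf_text):
    """Report whether pam_pwquality is active and the configured dictcheck."""
    args = pwquality_module_args(pam_text)
    if args is None:  # no pam_pwquality: none of its checks run
        return {"module_active": False, "dictcheck": None, "source": None}
    value, source = str(DEFAULT_DICTCHECK), "default"
    conf = parse_pwquality_conf(conf_text)
    if "dictcheck" in conf:
        value, source = conf["dictcheck"], "pwquality.conf"
    for arg in args:  # assumption: module-line options override the conf file
        if arg.startswith("dictcheck="):
            value, source = arg.split("=", 1)[1], "module argument"
    return {"module_active": True, "dictcheck": int(value), "source": source}

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_CONF))
```

A result with module_active set to False means the minimum length and character complexity checks are gone as well, as the answer notes.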

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.