9

I want to enforce my password policy to both new users and existing ones, but when I run adduser on Ubuntu 24, it allows me to add a weak password.

$ sudo adduser handsm
[sudo] password for superuser: 
info: Adding user `handsm' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `handsm' (1001) ...
info: Adding new user `handsm' (1001) with group `handsm (1001)' ...
info: Creating home directory `/home/handsm' ...
info: Copying files from `/etc/skel' ...
New password: 
BAD PASSWORD: The password is shorter than 10 characters
Retype new password: 
passwd: password updated successfully

You can see the warning, and then when I repeat the weak password it accepts it anyway!

My policy works fine for existing users who change their password. What am I missing?

FWIW, the same problem applies for useradd:

$ sudo useradd test375
$ sudo passwd test375
New password: 
BAD PASSWORD: The password is shorter than 10 characters
Retype new password: 
passwd: password updated successfully

1 Answer 1

18

This is most likely only happening because you are changing the password with sudo and by default root is allowed to do whatever root wants.

If you su - test375 and then try to set your own password as a regular user, it would most likely fail. However, you want to check /etc/pam.d/common-password and ensure it has this line:

password requisite pam_pwquality.so retry=3

Which it most likely does, because otherwise you wouldn't get that warning. If you really want to ensure root can't set insecure passwords you can modify that line to:

password requisite pam_pwquality.so retry=3 enforce_for_root

This will enforce the password policy even when sudo is used.

2
  • 4
    Though one might note that if the password is stored locally, root can change it anyway, regardless of what the PAM modules say. E.g. creating the hash with mkpasswd -m sha512crypt and editing it into /etc/shadow should work on a run-of-the-mill Ubuntu system. If the user database is stored in e.g. LDAP, then the server should enforce password checking (if it's enforced locally in PAM, root can likely just contact the LDAP server directly to set the password.) Commented Dec 19, 2024 at 12:43
  • 2
    @ilkkachu yeah or root is also capable of modifying the password policy. Commented Dec 19, 2024 at 13:13
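The following is an added example (not code from the question, the answer or the Ubuntu project) that audits a PAM password stack file for the two states the answer describes: pam_pwquality present without enforce_for_root (root and sudo bypass the policy) versus with it. It runs against constructed sample files; point it at the real /etc/pam.d/common-password to audit a live host.

```shell
# Added example: report whether pam_pwquality is active in a PAM password
# stack and whether root is exempt from it. Sample configs are constructed.

pwquality_root_status() {
    # $1: path to a PAM config file. Prints one of:
    #   missing     - no active "password ... pam_pwquality.so" line
    #   root-bypass - pam_pwquality present, but root skips the checks
    #   enforced    - enforce_for_root is set, so sudo/root is checked too
    # Exit status is 0 only for "enforced".
    pw_line=$(grep -E '^[[:space:]]*password[[:space:]]' "$1" 2>/dev/null \
              | grep 'pam_pwquality\.so' | head -n 1)
    if [ -z "$pw_line" ]; then
        echo missing; return 1
    fi
    # Match the option as a whole word so a similarly named token does not count.
    if printf '%s\n' "$pw_line" \
         | grep -qE '(^|[[:space:]])enforce_for_root([[:space:]]|$)'; then
        echo enforced; return 0
    fi
    echo root-bypass; return 1
}

# Constructed samples mirroring the two lines quoted in the answer.
tmpdir=$(mktemp -d)
printf '%s\n' \
  '# constructed sample: default-style common-password' \
  'password requisite pam_pwquality.so retry=3' \
  'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' \
  > "$tmpdir/default"
printf '%s\n' \
  'password requisite pam_pwquality.so retry=3 enforce_for_root' \
  'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' \
  > "$tmpdir/hardened"
printf '%s\n' '# pwquality commented out' \
  '# password requisite pam_pwquality.so retry=3' > "$tmpdir/none"

for f in default hardened none; do
    printf '%-9s %s\n' "$f:" "$(pwquality_root_status "$tmpdir/$f")"
done
rm -rf "$tmpdir"
```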
