Enforcing strong passwords on NixOS: pam_pwquality.so module not known

Hi,

I’m new to NixOS. I’m currently trying to make a config for 2 of my servers that I’ve been working on for the last 3 days.
I already migrated a lot of stuff from my Arch Linux install scripts into NixOS, but I can’t figure out how people are intended to modify their /etc/pam.d/passwd.

I am currently using lib.mkForce in my config to overwrite my /etc/pam.d/passwd with the following:

/etc/pam.d/passwd

# passwd defaults from nixos-install
password required pam_pwquality.so shadowretry=3 minlen=12 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root
password required pam_unix.so use_authtok shadow

I also installed the package libpwquality which should provide pam_pwquality.so as far as I can tell from their source code.

I however always get the following error when running passwd as root:

passwd: Module is unknown
passwd: password unchanged

I’d of course prefer actual options inside security.pam over overwriting /etc/pam.d/passwd. But it doesn’t seem like my configuration is supported at all.
In Arch Linux it works fine and my configuration also mostly matches their wiki entry for enforcing strong passwords.

If anyone is willing to help me with this and clear things up, that would be greatly appreciated! I’ve spent a lot of time trying to find any solution to enforcing strong passwords on NixOS, but didn’t find any.

Have a nice week and thanks in advance for your help :slight_smile:


Did you find any way to enforce strong password?

Sadly not, I’m not sure if that’s a feature in NixOS. I’d almost say it should be, but I mean it’s possible that no one cared to implement it yet.

https://github.com/NixOS/nixpkgs/blob/9f2ee8c91ac42da3ae6c6a1d21555f283458247e/nixos/modules/security/pam.nix isn’t the easiest to read, but I believe it would be something like this.

Do note that this API is unstable, as documented in the above-mentioned file.

{ config, pkgs, ... }:
{
  security.pam.services.passwd.rules.password.pwquality = {
    control = "required";
    modulePath = "${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so";
    # order BEFORE pam_unix.so; the existing rule's order is read through `config`,
    # a bare `security.pam...` reference is not defined inside a module
    order = config.security.pam.services.passwd.rules.password.unix.order - 10;
    settings = {
      # note: pam_pwquality(8) documents `retry`, not `shadowretry`; an option the
      # module does not know is logged as unknown and has no effect
      shadowretry = 3;
      minlen = 12;
      difok = 6;
      dcredit = -1;
      ucredit = -1;
      ocredit = -1;
      lcredit = -1;
      enforce_for_root = true;
    };
  };
}
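A small check for the pam.d stack discussed in this thread, as an added example that is neither from the posts above nor from nixpkgs: it parses /etc/pam.d/passwd lines, confirms that pam_pwquality.so is stacked before pam_unix.so (which should carry use_authtok), and flags any option that pam_pwquality(8) does not document. The embedded sample input is the config from the first post, reproduced here as constructed test data.

```python
import re

# Options documented in pam_pwquality(8); the module logs any other option as unknown and ignores it.
PWQUALITY_OPTIONS = {
    "debug", "authtok_type", "retry", "difok", "minlen", "dcredit", "ucredit", "lcredit",
    "ocredit", "minclass", "maxrepeat", "maxsequence", "maxclassrepeat", "gecoscheck",
    "dictcheck", "usercheck", "usersubstr", "enforcing", "badwords", "dictpath",
    "enforce_for_root", "local_users_only", "use_authtok", "try_first_pass",
}

# Constructed sample: the /etc/pam.d/passwd from the first post.
SAMPLE_FROM_POST = """\
# passwd defaults from nixos-install
password required pam_pwquality.so shadowretry=3 minlen=12 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root
password required pam_unix.so use_authtok shadow
"""

# Constructed sample with the modules stacked the wrong way round and no use_authtok.
SAMPLE_WRONG_ORDER = """\
password required pam_unix.so shadow
password required pam_pwquality.so retry=3 minlen=12 enforce_for_root
"""

def parse_pam(text):
    """Return pam.d rules as (type, control, module basename, {arg: value}) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines fail the match below
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rtype, control, module, rest = m.groups()
            args = dict(a.partition("=")[::2] for a in rest.split())  # "minlen=12" -> {"minlen": "12"}
            rules.append((rtype, control, module.rsplit("/", 1)[-1], args))
    return rules

def check_passwd_stack(text):
    """Findings about the 'password' stack; an empty list means the stack looks as intended."""
    stack = [r for r in parse_pam(text) if r[0] == "password"]
    modules = [r[2] for r in stack]
    if "pam_pwquality.so" not in modules:
        return ["no pam_pwquality.so rule: no password quality is enforced"]
    findings = []
    if "pam_unix.so" in modules and modules.index("pam_pwquality.so") > modules.index("pam_unix.so"):
        findings.append("pam_pwquality.so is stacked after pam_unix.so, so pam_unix.so may update the password before it is checked")
    for _, control, module, args in stack:
        if module == "pam_pwquality.so":
            if control not in ("required", "requisite"):
                findings.append(f"pam_pwquality.so control is '{control}': a failed check would not block the change")
            findings += [f"pam_pwquality.so: unknown option '{a}' is ignored" for a in args if a not in PWQUALITY_OPTIONS]
            if "enforce_for_root" not in args:
                findings.append("pam_pwquality.so: root is exempt (no enforce_for_root)")
        elif module == "pam_unix.so" and "use_authtok" not in args:
            findings.append("pam_unix.so lacks use_authtok: it will prompt for its own, unchecked password")
    return findings
```

Run it against the real file with `check_passwd_stack(open("/etc/pam.d/passwd").read())`; on the post's config the only finding is the `shadowretry` option, which pam_pwquality does not recognise.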

I am using the nixos-23.5 release; this configuration enforces a strong password but allows changing the password even if I enter the wrong current password.

Wow, thank you very much! I didn’t even manage to find that. I’ll wait until it’s stable and mark this as solved! :slight_smile: :+1:

EDIT: For anyone reading this in the future. I haven’t tested the solution yet!

The solution works in some way, but it has a devastating bug, where the original password is no longer required to change the password, see: [PAM Password quality] change password allowed using wrong credentials · Issue #287420 · NixOS/nixpkgs · GitHub