When building or managing a system you sometimes need to generate a strong password. However, as the TL;DR below shows, the situation on Linux is unexpectedly complicated, so this article explains the characteristics and usage of the main commands.
1-1. TL;DR
There are roughly the following methods to generate a password on Linux.
If you want to manage website passwords, you should use method 3. This article, however, aims at general-purpose password generation, so method 1 is described. Please refer to the link below for method 2.
I will briefly introduce each command.
pwgen: A general-purpose password generation command. Passwords are generated under the conditions given by its options. http://sf.net/projects/pwgen
pwmake: A password generation command included in the libpwquality library. Because it is integrated with pam_pwquality (libpwquality), adopted from the RHEL7 series onward, it can generate a password that satisfies the OS password policy without specifying any options. https://github.com/libpwquality/libpwquality/
mkpasswd: A password generation command included in expect. Its function is similar to pwgen, but pwgen is more sophisticated. Note that although the command name is the same on RHEL and Ubuntu, they are different programs from different packages (see the table below).
**Tips**: The pwgen and pwmake man pages both say "pronounceable passwords"; in other words, they can generate passwords that are easy to pronounce. This is a matter of degree, and they do not include words registered in a dictionary.
The table below shows how to obtain each command on each Linux distribution. Depending on the OS installation type, some of these packages are installed by default; otherwise you need to install them yourself. The source repository is given in parentheses.
| Distribution | pwmake | pwgen | mkpasswd |
|---|---|---|---|
| RHEL6 series | libpwquality (EPEL) | pwgen (EPEL) | expect |
| RHEL7 series | libpwquality | pwgen (EPEL) | expect |
| RHEL8 series | libpwquality | pwgen (EPEL) | expect |
| Ubuntu 18.04 LTS | libpwquality-tools | pwgen | whois |
That is the summary. The following chapters explain how to use pwgen and pwmake.
This chapter explains how to use pwgen, the general-purpose password generation command.
pwgen is provided by the EPEL repository, although it may be included in the standard repository of public cloud OS images. The steps for RHEL and Ubuntu are shown below.
**RHEL series**
```console
$ rpm -qa | grep pwgen
★ Nothing is displayed when it is not installed.
$ sudo yum provides pwgen
★ "No matches found" means it is not in any enabled repository.
No matches found
★ The package name is displayed when a repository provides it.
pwgen-2.08-1.el7.x86_64 : Automatic password generation
Repo : epel
```
If it is not available, enable EPEL for your release and then install the package:
```shell
# RHEL6 series
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm -y
# RHEL7 series
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
# RHEL8 series
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
# Amazon Linux 2
sudo amazon-linux-extras install epel
```
```console
$ sudo yum install pwgen -y
```
**Ubuntu series**
```console
$ sudo apt install pwgen
```
The syntax of pwgen is as follows: the password length and the number of passwords follow the options. For options other than those listed, refer to the man page.
Syntax
```shell
pwgen [ OPTIONS ] [ pw_length ] [ num_pw ]
```
| Option | Meaning |
|---|---|
| -c | Include at least one uppercase letter |
| -A | Do not include uppercase letters |
| -n | Include at least one digit |
| -0 | Do not include digits |
| -y | Include at least one symbol (special character) |
| -s | Generate a completely random (non-pronounceable) password |
| -B | Do not include ambiguous characters such as 1 (one), l (lowercase L), O (uppercase O) and 0 (zero) |
| -1 | Print one password per line |
**Example 1)** A 12-character password containing at least one uppercase letter (-c) and one digit (-n). If you do not specify the number of passwords, pwgen fills the screen with candidates as shown below, and you can pick the one you want to use.
```console
$ pwgen -c -n 12
Eiv5roo5pha1 ahnie0Zeogh2 piedu8Vaijoo Foa2eghiiPho teiHosoh8ooF ohgh0Ohwaesh
pahph6Aiyu0M leiB2xahlah1 maePee7fonoe aeGo6xielaeM Veif1Iaj4Na7 beiB8IKungie
Ohlah2aithak Aelaelo2ieri bieRef8ceire cahxu7AF4Ung chah7Aht6vah edeva9Ooquie
gaeWo1Aijae7 ii1AeThuewei oohaeW0nahm5 ohmoot7Ia6Du pho0vooW4eet cu3eeThioKu9
★ Omitted below
```
**Example 2)** A 12-character password containing at least one uppercase letter (-c), one digit (-n) and one symbol (-y), with no ambiguous characters (-B). Generate 5 passwords, one per line (-1).
```console
$ pwgen -c -n -y -B -1 12 5
ashoo3ga(M3W
goo7ke\o4aeL
beiHae4voeH.
AJ3ok3ahj{in
shoo7ExiJ"ir
```
**pwmake** is a command closely tied to OS password authentication: it can generate passwords that satisfy the OS password policy without any options.
Whereas **pwgen** is a stand-alone command, **pwmake** is part of libpwquality, the library behind the pam_pwquality module used from RHEL7 onward. Understanding pam_pwquality is therefore indispensable for understanding pwmake, so I explain it first.
pam_pwquality is a PAM module that enforces password policies such as "mixed case and at least N characters required". When the passwd command is run, the new password is evaluated against this policy and can only be set if it satisfies it.
The two important pam_pwquality files, /etc/pam.d/system-auth and /etc/security/pwquality.conf, are described below.
Which PAM module checks passwords depends on the version and type of Linux. See the link below for details.
- RHEL7 or later: pam_pwquality
- RHEL6: pam_cracklib
- Ubuntu: pam_unix (pam_pwquality is also available as an option → Enforce Password Complexity Policy On Ubuntu 18.04)
4-1-1. /etc/pam.d/system-auth
This file is the PAM stack definition, and it is where pam_pwquality is called. Since it contains lines unrelated to this explanation, only the password lines picked out with grep are shown.
The default after installing from the installation media is as follows; it may be customized in the cloud.
```console
# grep ^password /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
```
In the following example, the pam_pwhistory module is also used so that the last N passwords cannot be reused.
Customization example
```text
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root
password requisite pam_pwhistory.so use_authtok enforce_for_root remember=4
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok enforce_for_root remember=4
password required pam_deny.so
```
**Reference: RHEL6 series example** The RHEL6 series uses pam_cracklib instead of pam_pwquality. The password policy is specified inline in /etc/pam.d/system-auth as shown below, not in the configuration file described later.
RHEL6 series
```text
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 gecoscheck ocredit=-1 dcredit=-1 ucredit=-1 lcredit=-1 enforce_for_root
```
4-1-2. /etc/security/pwquality.conf
/etc/security/pwquality.conf is the configuration file that defines the password rules. On the RHEL8 series it may be /etc/security/pwquality.conf.d/pwquality.conf instead. This is also a long file, so only the uncommented lines, picked out with grep, are shown.
```console
# grep -v -e '^\s*#' /etc/security/pwquality.conf
```
When I installed from the installation media, everything was commented out, so grep displayed nothing.
Example with everything commented out
```text
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 9
★ Omitted below
```
Many clouds set default values; on Oracle Cloud Infrastructure Compute they are set as follows. I have written the meaning briefly, but refer to the comments in the configuration file and the man page for details.
```text
difok = 3        # At least 3 characters of the new password must not be present in the old one
minlen = 8       # Password must be 8 characters or more
dcredit = -1     # At least one digit
ucredit = -1     # At least one uppercase letter
lcredit = -1     # At least one lowercase letter
ocredit = -1     # At least one symbol
gecoscheck = 1   # Must not contain words from the user's GECOS field in /etc/passwd
```
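To see concretely what those settings demand of a candidate password, here is a small checker added for this article. It is not libpwquality and not part of the original post or the library: it applies the minlen, dcredit/ucredit/lcredit/ocredit and difok values above to a string in plain POSIX sh (gecoscheck is not modelled). The sample passwords are the pwmake outputs shown later on this page; the "old" password is a constructed value.

```shell
#!/bin/sh
# Added illustrative checker (not libpwquality): applies the pwquality.conf
# values shown above to a candidate password. gecoscheck is not modelled.
LC_ALL=C; export LC_ALL

MINLEN=8   # minlen = 8
DIFOK=3    # difok = 3

# has_class PASSWORD REGEX: succeeds if at least one character matches REGEX
has_class() {
    printf '%s' "$1" | grep -q -e "$2"
}

# count_new_chars NEW OLD: number of characters in NEW that do not occur in OLD
# (this is the quantity difok constrains)
count_new_chars() {
    cnc_new=$1; cnc_old=$2; cnc_n=0; cnc_i=1
    while [ "$cnc_i" -le "${#cnc_new}" ]; do
        cnc_ch=$(printf '%s' "$cnc_new" | cut -c "$cnc_i")
        case "$cnc_old" in
            *"$cnc_ch"*) ;;                 # character also present in OLD
            *) cnc_n=$((cnc_n + 1)) ;;      # genuinely new character
        esac
        cnc_i=$((cnc_i + 1))
    done
    echo "$cnc_n"
}

# check_password NEW [OLD]: prints each violated rule, returns 0 only if all pass
check_password() {
    cp_pw=$1; cp_old=${2:-}; cp_fail=0
    [ "${#cp_pw}" -ge "$MINLEN" ]     || { echo "minlen=$MINLEN: too short"; cp_fail=1; }
    has_class "$cp_pw" '[0-9]'        || { echo "dcredit=-1: no digit"; cp_fail=1; }
    has_class "$cp_pw" '[A-Z]'        || { echo "ucredit=-1: no uppercase letter"; cp_fail=1; }
    has_class "$cp_pw" '[a-z]'        || { echo "lcredit=-1: no lowercase letter"; cp_fail=1; }
    has_class "$cp_pw" '[^A-Za-z0-9]' || { echo "ocredit=-1: no symbol"; cp_fail=1; }
    if [ -n "$cp_old" ]; then
        cp_d=$(count_new_chars "$cp_pw" "$cp_old")
        [ "$cp_d" -ge "$DIFOK" ] || { echo "difok=$DIFOK: only $cp_d characters differ from the old password"; cp_fail=1; }
    fi
    return "$cp_fail"
}

# Demonstration: pwmake outputs from this page against a constructed old password
for pw in 'YKHUdiLIj$AH' 'dEHimAf3PIwUgG' 'ErODFOROJ0w+YN'; do
    if check_password "$pw" 'OldPassw0rd!'; then echo "$pw: OK"; else echo "$pw: REJECTED"; fi
done
```

Run as-is and the first two pwmake outputs (generated without a configuration file) are rejected, one for lacking a digit and one for lacking a symbol, while the output generated on Oracle Cloud Infrastructure passes every rule, which is exactly the difference the configuration file makes.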
That was a long introduction, but let's generate a password with pwmake. Specify the number of entropy bits as shown below. Roughly speaking, the number of entropy bits expresses how hard the password is to guess: you can specify 56 or more, and 64 is often sufficient.
Syntax
```shell
pwmake <number of entropy bits>
```
pwmake generates a password that takes both the pam_pwquality settings and the number of entropy bits into account. If the configuration file contains no values, only the number of entropy bits is considered. As the following example shows, the larger the number of entropy bits, the longer the password.
```console
$ pwmake 56
YKHUdiLIj$AH
$ pwmake 64
dEHimAf3PIwUgG
$ pwmake 80
iczaf0D4x@M-EhEGt
$ pwmake 128
Yc4kexIJiw5@sIDM3R6an(ijEDYM
```
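The relationship between entropy bits and length can be made concrete with a small calculation. The following script is an illustration added for this article, not pwmake's own algorithm: it assumes every character is drawn uniformly from an alphabet of C symbols, so each contributes log2(C) bits and a target of B bits needs at least ceil(B / log2(C)) characters. The alphabet sizes (62 for letters plus digits, 95 for printable ASCII) are the example's own assumptions.

```shell
#!/bin/sh
# Added illustration (not pwmake's algorithm): relate a target number of
# entropy bits to the minimum password length for a given alphabet size.

# min_length BITS ALPHABET_SIZE -> smallest length giving at least BITS bits
# when each character is a uniform draw from the alphabet
min_length() {
    awk -v b="$1" -v c="$2" 'BEGIN {
        per_char = log(c) / log(2)       # bits contributed by one uniform character
        n = b / per_char
        r = int(n)
        if (r < n - 1e-9) r = r + 1      # ceiling, tolerant of float rounding
        print r
    }'
}

# bits_of LENGTH ALPHABET_SIZE -> entropy (whole bits, rounded down) of a
# uniformly random password of that length
bits_of() {
    awk -v l="$1" -v c="$2" 'BEGIN { print int(l * log(c) / log(2)) }'
}

# Alphabet sizes assumed for the demonstration:
#   62 = uppercase + lowercase + digits, 95 = all printable ASCII
for bits in 56 64 80 128; do
    printf '%3d bits: at least %2d chars from 62 symbols, %2d chars from 95 symbols\n' \
        "$bits" "$(min_length "$bits" 62)" "$(min_length "$bits" 95)"
done
```

The lengths pwmake actually produced above (12, 14, 17 and 28 characters) are longer than these idealized minima. That is consistent with the man page note quoted earlier that pwmake favours pronounceable passwords: characters that are not chosen uniformly carry fewer bits each, so more of them are needed to reach the requested entropy.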
The following example was run on Oracle Cloud Infrastructure Compute. It reflects the contents of the definition file and contains uppercase letters, digits, symbols and so on. If you don't like the result, simply run it again.
```console
$ pwmake 64
ErODFOROJ0w+YN
```
In other words, pwmake is a very convenient command when the configuration file has definitions, as in the public clouds. Even without definitions it can produce a strong password, but whether it contains uppercase letters, lowercase letters and digits then depends on luck.
You may wonder whether an OS login password is still needed these days, but VNC and xrdp are the main triggers: password login is required to use them in the cloud as well.
Also, serial console connections on Oracle Cloud Infrastructure and Azure VMs require a password to be set for the OS user.
You can of course think up your own strong passwords, but why not use these commands to generate strong passwords without much thought?