The unexpectedly complicated state of password generation on Linux, and how to generate passwords

1. Unexpectedly complicated password generation situation

Sometimes you want to generate a strong password when building or managing a system. However, as noted in the TL;DR, the situation on Linux is unexpectedly complicated. This article therefore explains the characteristics and usage of the main commands.

1-1. TL;DR

1-2. Target environment

  • RHEL series Linux
  • Ubuntu

2. Think about how to generate a password

There are roughly the following methods to generate a password on Linux.

  1. Use password generation commands such as pwmake, pwgen, and mkpasswd
  2. Use openssl, /dev/urandom, etc. in combination
  3. Use website password management tools such as Bitwarden, 1Password, Lastpass, and Google Password Manager

If you want to manage website passwords, you should use method 3. This time, however, the aim is general-purpose password generation, so method 1 is described. Please refer to the link below for method 2.

2-1. Overview of each command

I will briefly introduce each command.

pwgen: A general-purpose password generation command. It generates passwords under the conditions given by its options. http://sf.net/projects/pwgen

pwmake: A password generation command included in the libpwquality library. Because it is integrated with pam_pwquality (libpwquality), which RHEL7 and later adopt, it can generate a password that follows the OS password policy without any options being specified. https://github.com/libpwquality/libpwquality/

mkpasswd: A password generation command included in expect. Its function is similar to pwgen, but pwgen is more sophisticated. Note that although the command name is the same on RHEL and Ubuntu, they are different programs (on Ubuntu, mkpasswd comes from the whois package; see the table below).

Tips: The pwgen and pwmake man pages mention "pronounceable passwords", meaning they can generate passwords that are relatively easy to pronounce. This is a matter of degree; it does not mean that dictionary words are included.

2-2. How to get each command

The table below shows how to obtain each command on each Linux distribution. Depending on the OS installation type, some of these packages are installed by default; the others you must install yourself. The source repository is shown in parentheses.

Distribution      pwmake               pwgen         mkpasswd
RHEL6 series      libpwquality (EPEL)  pwgen (EPEL)  expect
RHEL7 series      libpwquality         pwgen (EPEL)  expect
RHEL8 series      libpwquality         pwgen (EPEL)  expect
Ubuntu 18.04 LTS  libpwquality-tools   pwgen         whois

2-3. How to use each command properly

From the above, the choice can be summarized as follows. The next chapters explain how to use pwmake and pwgen.

  • pwmake is suitable for generating OS login passwords on RHEL7 or later or on Ubuntu.
  • pwgen is suitable for generating passwords whose use is not restricted to a particular purpose.

3. Use pwgen

Explains how to use the general-purpose password generation command pwgen.

3-1. Install pwgen

pwgen is provided by the EPEL repository. However, public cloud OS images may include it in their standard repositories. The steps for RHEL and Ubuntu are explained separately.

RHEL series

  1. Check whether pwgen is installed.
$ rpm -qa | grep pwgen
★ Nothing is displayed when it is not installed.
  2. If it is not installed, check whether an existing repository provides it.
$ sudo yum provides pwgen
★ When "No matches found" is displayed, no enabled repository provides it.
No matches found

★ The package name is displayed when a repository provides it.
pwgen-2.08-1.el7.x86_64 : Automatic password generation
Repo        : epel
  3. If no existing repository provides it, install the EPEL repository first. For details on EPEL, refer to "I tried to summarize how to use the EPEL repository again".
#RHEL6 series
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm -y

#RHEL7 series
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y

#RHEL8 series
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y

# Amazon Linux 2
sudo amazon-linux-extras install epel
  4. Install pwgen.
$ sudo yum install pwgen -y

Ubuntu series

$ sudo apt install pwgen

3-2. How to execute pwgen

The syntax of pwgen is as follows. Specify the password length and the number of passwords after the options. For options other than those listed, refer to the man page.

pwgen [ OPTIONS ] [ pw_length ] [ num_pw ]

Option  Contents
-c      Include at least one uppercase letter
-A      Do not include uppercase letters
-n      Include at least one digit
-0      Do not include digits
-y      Include at least one symbol
-s      Generate a completely random (non-pronounceable) password
-B      Do not include easily confused characters such as 1 (one), l (lowercase L), O (capital O) and 0 (zero)
-1      Display one password per line

Example 1) Password length 12 characters, including at least one uppercase letter (-c) and one digit (-n). If you do not specify the number of passwords, pwgen fills the screen with candidates, as shown below, and you pick the one you want to use.

$ pwgen -c -n 12
Eiv5roo5pha1 ahnie0Zeogh2 piedu8Vaijoo Foa2eghiiPho teiHosoh8ooF ohgh0Ohwaesh
pahph6Aiyu0M leiB2xahlah1 maePee7fonoe aeGo6xielaeM Veif1Iaj4Na7 beiB8IKungie
Ohlah2aithak Aelaelo2ieri bieRef8ceire cahxu7AF4Ung chah7Aht6vah edeva9Ooquie
gaeWo1Aijae7 ii1AeThuewei oohaeW0nahm5 ohmoot7Ia6Du pho0vooW4eet cu3eeThioKu9
★ Omitted below

Example 2) Password length 12 characters, including at least one uppercase letter (-c), digit (-n) and symbol (-y), with no easily confused characters (-B). Generate 5 passwords, one per line (-1).

$ pwgen -c -n -y -B -1 12 5

4. Use pwmake

pwmake is a command closely tied to OS password authentication, and it can generate passwords according to the OS password policy without any options being specified.

Whereas pwgen is a stand-alone command, pwmake is part of the pam_pwquality (libpwquality) module used in RHEL7. Understanding pam_pwquality is therefore indispensable for understanding pwmake, so it is explained first.

4-1. What is pam_pwquality?

pam_pwquality is a PAM module that enforces password policies such as "mixed case and at least N characters are required". When the passwd command is run, the new password is evaluated in the following order and is accepted only if it passes both checks.

  • Dictionary check
  • Rule check in configuration file /etc/security/pwquality.conf

The two important pam_pwquality files, /etc/pam.d/system-auth and /etc/security/pwquality.conf, are described below.

The PAM module that checks passwords depends on the version and type of Linux:

  • RHEL7 or later: pam_pwquality
  • RHEL6: pam_cracklib
  • Ubuntu: pam_unix (pam_pwquality is also available as an option; see "Enforce Password Complexity Policy On Ubuntu 18.04")

4-1-1. /etc/pam.d/system-auth

This file is the PAM configuration file from which pam_pwquality is called. Because it also contains lines unrelated to this explanation, only the lines matched by grep are shown.

The default when installing from media is as follows. Cloud images may customize it.

# grep ^password /etc/pam.d/system-auth
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

In the following customization example, the pam_pwhistory module is also used to prevent reuse of the last N passwords (here remember=4).

Customization example

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root
password    requisite     pam_pwhistory.so use_authtok enforce_for_root remember=4
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok enforce_for_root remember=4
password    required      pam_deny.so

Reference: RHEL6 series example. RHEL6 series uses pam_cracklib instead of pam_pwquality. The password policy is written inline in /etc/pam.d/system-auth, as shown below, rather than in the configuration file described later.

RHEL6 series

password    requisite     pam_cracklib.so retry=3 minlen=8 difok=3 gecoscheck ocredit=-1 dcredit=-1 ucredit=-1 lcredit=-1 enforce_for_root

4-1-2. /etc/security/pwquality.conf

/etc/security/pwquality.conf is the configuration file that defines the password rules. On RHEL8 series it may instead be /etc/security/pwquality.conf.d/pwquality.conf. This file is also long, so only the non-comment lines matched by the grep below are shown.

# grep -v -e '^\s*#' /etc/security/pwquality.conf

When I installed from media, every setting was commented out, so the grep displays nothing.

Example of all commented out

# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 9
★ Omitted below

Many clouds set default values; on Oracle Cloud Infrastructure Compute they are set as follows. The meaning of each setting is summarized briefly in the comments; refer to the comments in the configuration file and the man page for details.

difok = 3       # At least 3 characters of the new password must not be present in the old one
minlen = 8      # Password must be 8 characters or more
dcredit = -1    # At least one digit
ucredit = -1    # At least one uppercase letter
lcredit = -1    # At least one lowercase letter
ocredit = -1    # At least one symbol
gecoscheck = 1  # Must not contain words from the GECOS field of the /etc/passwd entry
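To make the meaning of the credit settings concrete, here is an added example (written for this article; it is not part of pwgen, pwmake or libpwquality) in POSIX shell that filters candidate passwords, for instance the output of pwgen -1, against a policy with the Oracle Cloud values above. It is an approximation: only minlen and the four credit settings are modelled, while difok, gecoscheck and the dictionary check are left out, and the candidates fed in at the bottom are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example: filter candidate passwords against a pwquality.conf-style
# policy. Only minlen and the four credit settings are modelled (assumption);
# difok, gecoscheck and the dictionary check are left out.

# Policy values taken from the Oracle Cloud defaults quoted above.
MINLEN=8
DCREDIT=-1   # negative N means: at least N digits are required
UCREDIT=-1   # negative N means: at least N uppercase letters are required
LCREDIT=-1   # negative N means: at least N lowercase letters are required
OCREDIT=-1   # negative N means: at least N symbols are required

# count_class PASSWORD CLASS -> number of characters of CLASS in PASSWORD
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_credit COUNT CREDIT -> success if COUNT satisfies CREDIT.
# A negative credit -N is a hard minimum of N characters of that class;
# zero or positive credits impose no minimum (they only earn length credit).
check_credit() {
    if [ "$2" -lt 0 ]; then
        [ "$1" -ge $(( 0 - $2 )) ]
    else
        return 0
    fi
}

# check_password PASSWORD -> success if it meets the policy; the reason is
# written to stderr on failure.
check_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -lt "$MINLEN" ]; then
        echo "rejected: length $len < minlen $MINLEN" >&2
        return 1
    fi
    check_credit "$(count_class "$pw" '[:digit:]')" "$DCREDIT" ||
        { echo "rejected: needs at least $(( 0 - $DCREDIT )) digit(s)" >&2; return 1; }
    check_credit "$(count_class "$pw" '[:upper:]')" "$UCREDIT" ||
        { echo "rejected: needs at least $(( 0 - $UCREDIT )) uppercase" >&2; return 1; }
    check_credit "$(count_class "$pw" '[:lower:]')" "$LCREDIT" ||
        { echo "rejected: needs at least $(( 0 - $LCREDIT )) lowercase" >&2; return 1; }
    check_credit "$(count_class "$pw" '[:punct:]')" "$OCREDIT" ||
        { echo "rejected: needs at least $(( 0 - $OCREDIT )) symbol(s)" >&2; return 1; }
    return 0
}

# filter_passwords: read one candidate per line on stdin and print the ones
# that pass. Typical use:  pwgen -c -n -y -B -1 12 20 | filter_passwords
filter_passwords() {
    while IFS= read -r cand; do
        if check_password "$cand" 2>/dev/null; then
            printf '%s\n' "$cand"
        fi
    done
}

# Constructed candidates for a stand-alone run. The first is the pwgen -c -n
# sample shown earlier; it has no symbol, so ocredit = -1 rejects it, and the
# last one is too short for minlen = 8.
printf '%s\n' 'Eiv5roo5pha1' 'Eiv5roo5ph!1' 'ab1!' | filter_passwords
```

Piping pwgen output through filter_passwords is a cheap way to confirm that a candidate will be accepted by passwd before you hand it over; pwmake does this matching itself, which is the point of the next section.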

4-2. How to execute pwmake

The introduction was long, but let's generate a password with pwmake. Specify the number of entropy bits as follows. Roughly speaking, the number of entropy bits expresses how hard the password is to guess. The value must be 56 or more, and 64 is often sufficient.


pwmake <number of entropy bits>

pwmake generates a password that takes into account both the pam_pwquality settings and the number of entropy bits. If the configuration file sets no values, only the number of entropy bits is considered. As the following examples show, the larger the number of entropy bits, the longer the password.

$ pwmake 56
$ pwmake 64
$ pwmake 80
$ pwmake 128

The following example was run on Oracle Cloud Infrastructure Compute. It reflects the contents of the configuration file and contains uppercase letters, digits, symbols and so on. If you don't like the result, run it again.

$ pwmake 64

In other words, it is a very convenient command when the configuration file has definitions, as in the public clouds. Even without definitions it generates a strong password, although which character classes (uppercase, lowercase, digits) appear then depends on luck.
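To make the entropy-bit figure concrete, here is an added example (constructed for this article, not pwmake's own logic) with shell functions that relate entropy bits to password length for a password whose characters are chosen independently and uniformly from an alphabet of a given size. That assumption holds for pwmake and for pwgen -s; pwgen's default pronounceable output has less entropy than its length suggests, so for it these figures are an upper bound. The symbol-class size of 32 (printable ASCII punctuation) and the treatment of every character as independent are assumptions.

```shell
#!/bin/sh
# Added example (not pwmake's own logic): entropy bits vs. password length
# for uniformly random characters. The logarithms are computed with awk.

# bits_per_char SIZE -> log2(SIZE), the entropy contributed by one character
bits_per_char() {
    awk -v n="$1" 'BEGIN { printf "%.3f\n", log(n) / log(2) }'
}

# min_length BITS SIZE -> smallest length L such that L * log2(SIZE) >= BITS
min_length() {
    awk -v b="$1" -v n="$2" 'BEGIN {
        per = log(n) / log(2)
        l = int(b / per)
        if (l * per < b - 1e-9) l++     # round up; epsilon absorbs float error
        print l
    }'
}

# entropy_bits LENGTH SIZE -> LENGTH * log2(SIZE), truncated to whole bits
entropy_bits() {
    awk -v l="$1" -v n="$2" 'BEGIN { print int(l * log(n) / log(2)) }'
}

# alphabet_size PASSWORD -> size of the smallest class mix that could have
# produced PASSWORD (lower 26, upper 26, digits 10, symbols 32: assumption)
alphabet_size() {
    n=0
    if printf '%s' "$1" | grep -q '[[:lower:]]'; then n=$((n + 26)); fi
    if printf '%s' "$1" | grep -q '[[:upper:]]'; then n=$((n + 26)); fi
    if printf '%s' "$1" | grep -q '[[:digit:]]'; then n=$((n + 10)); fi
    if printf '%s' "$1" | grep -q '[[:punct:]]'; then n=$((n + 32)); fi
    echo "$n"
}

# Stand-alone run: the length a fully random password must reach for the
# bit counts used above, over a 62-character (letters + digits) and a
# 94-character (all printable ASCII) alphabet, then the bits of the
# 12-character pwgen -c -n sample shown earlier, assuming it were random.
for bits in 56 64 80 128; do
    printf 'bits=%-4s len(62)=%-3s len(94)=%s\n' \
        "$bits" "$(min_length "$bits" 62)" "$(min_length "$bits" 94)"
done
sample='Eiv5roo5pha1'
printf '%s: alphabet %s -> about %s bits if fully random\n' \
    "$sample" "$(alphabet_size "$sample")" \
    "$(entropy_bits 12 "$(alphabet_size "$sample")")"
```

This also explains why pwmake output grows with the bit count: with letters and digits only, 64 bits needs 11 characters and 128 bits needs 22, and adding symbols shortens the password only modestly because each character gains less than one extra bit.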

  • man pwmake
  • man pam_pwquality
  • man pwquality.conf

5. Summary

  • pwgen is a versatile password generation command.
  • pwmake is a password generation command installed by default on RHEL7 and later. It is useful when generating a password that conforms to the OS password policy.

You might wonder whether OS login passwords are still needed these days, but VNC and xrdp are the main reasons for them. In the cloud, password login is also required to use these.

Also, for serial console connections of Oracle Cloud Infrastructure and Azure VM, it is necessary to set a password for the OS user.

You can use your own strong passwords, but why not use these commands as a way to generate strong passwords without much thought?