Provide pam_passwdqc setup example for Linux #19

Open
solardiz opened this issue Apr 25, 2022 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments

@solardiz (Member)

In PLATFORMS, we happen to have more specific instructions for some non-Linux systems than we do for Linux. We should similarly add instructions and/or example(s) for common Linux distributions.

Our current:

Most modern Linux distributions use Linux-PAM with a password changing
module which understands "use_authtok".  Thus, you may choose which
module prompts for the old password, things should work either way.

assumes that the reader knows where and how to add pam_passwdqc to the PAM stack, and only needs that specific configuration detail above - but many people reading that don't have such knowledge.

For FreeBSD/DragonFly and OpenBSD, we refer to specific pathnames to make edits to. For many people, that's much more helpful.

For Solaris, we refer to a wiki page, which has instructions and examples. That's also more helpful (than what we have for Linux), although we could want to have our documentation in here more self-contained.

solardiz added the "documentation" label (Improvements or additions to documentation) on Apr 25, 2022
solardiz commented May 28, 2022

Tested on Ubuntu 22.04:

+++ /etc/pam.d/common-password  2022-05-28 12:34:48.086924767 +0000
@@ -22,7 +22,8 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-password       [success=1 default=ignore]      pam_unix.so obscure yescrypt
+password       requisite                       pam_passwdqc.so config=/etc/passwdqc.conf
+password       [success=1 default=ignore]      pam_unix.so use_authtok obscure yescrypt
 # here's the fallback if no module succeeds
 password       requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
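
Review bot: the inserted `password requisite pam_passwdqc.so config=/etc/passwdqc.conf` line goes into a file whose own context here points at pam-auth-update(8), i.e. a file that tool regenerates, so the hand edit will be discarded the next time pam-auth-update runs (for instance when another libpam-* package is installed or removed). For the PLATFORMS text, suggest shipping the same line as a `Password-Type: Primary` profile under /usr/share/pam-configs/ and letting pam-auth-update place it, with this diff shown only as the expected result. The rest of the hunk is consistent: the new line sits above the `[success=1 default=ignore]` pam_unix entry, so the jump count is unchanged, and `use_authtok` on pam_unix is what makes it accept the new password passwdqc has already checked instead of prompting for it again.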

Edit: added the optional config=/etc/passwdqc.conf above. Can also mention the need to apt install libpam-dev to get passwdqc to build on Debian/Ubuntu.

@solardiz (Member Author)

Tested on AlmaLinux 8.5 (RHEL 8.5 rebuild):

To build, first dnf install pam-devel.

After make install, additionally run:

mv /lib/security/pam_passwdqc.so /lib64/security/
ldconfig
+++ /etc/pam.d/system-auth	2022-05-28 15:03:09.051496482 +0200
@@ -7,7 +7,7 @@
 
 account     required      pam_unix.so
 
-password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    requisite     pam_passwdqc.so config=/etc/passwdqc.conf
 password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so
 
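
Review bot: the pam_pwquality options `retry=3` and `local_users_only` on the removed line have no counterpart on the new `pam_passwdqc.so config=/etc/passwdqc.conf` line, so retry behaviour now comes from /etc/passwdqc.conf alone; the PLATFORMS text should say so and tell the reader to confirm that file is in place before switching the stack, because a `requisite` module that cannot read its configuration fails every password change. Also worth stating next to this diff, since the later comment raises it, that system-auth is generated by authselect and direct edits are overwritten, so the change belongs in a custom authselect profile.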
+++ /etc/pam.d/password-auth	2022-05-28 15:03:07.069496446 +0200
@@ -7,7 +7,7 @@
 
 account     required      pam_unix.so
 
-password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    requisite     pam_passwdqc.so config=/etc/passwdqc.conf
 password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so
 
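
Review bot: this is the same edit as in system-auth, which is correct, but the documentation should say explicitly that both files need it: on RHEL-family systems password-auth is the stack included by network-facing services such as sshd, while system-auth serves local logins, so applying only one leaves the two paths enforcing different policies. A single command (or a pair of commands) in PLATFORMS that touches both files would keep readers from missing the second one.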

solardiz commented May 28, 2022

Also on the same AlmaLinux 8.5 as above, after dnf install rpm-build an rpmbuild -tb passwdqc-2.0.2.tar.gz (as suggested in our INSTALL) just works, and the package has /lib64/security/pam_passwdqc.so right away (proper location for this distro). So this could be our primary recommendation.

Edit: putting this all together, something like this:

sudo dnf install pam-devel rpm-build
rpmbuild -tb passwdqc-2.0.2.tar.gz
sudo rpm -Uvh rpmbuild/RPMS/x86_64/passwdqc-2.0.2-owl1.x86_64.rpm

Then edit the config files.

A concern is that the config files are autogenerated:

# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
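
Putting the two hand edits from the Ubuntu and AlmaLinux comments above into a script, as an added example that is not part of passwdqc or of the comments themselves: the function below rewrites a Linux-PAM `password` stack so that pam_passwdqc.so runs as `requisite` before pam_unix.so. On the Ubuntu 22.04 layout (no quality module present) it inserts the line and adds `use_authtok` to pam_unix, which makes pam_unix take the new password passwdqc has already checked instead of prompting for it again; on the AlmaLinux layout it replaces the pam_pwquality.so line while keeping its control field as written. It assumes `config=/etc/passwdqc.conf` as used in the thread and a POSIX shell with awk and mktemp, and it demonstrates on a constructed copy of the Ubuntu "Primary" block so nothing under /etc is touched when the file is run as-is.

```shell
#!/bin/sh
# Added example, not part of passwdqc's own tree: put pam_passwdqc into a
# Linux-PAM "password" stack the way the two diffs in this thread do by hand.
#   Debian/Ubuntu layout: no quality module yet -> insert a requisite
#     pam_passwdqc.so line before pam_unix.so and give pam_unix "use_authtok".
#   RHEL/AlmaLinux layout: pam_pwquality.so present -> replace that line with
#     pam_passwdqc.so, keeping "password <control>" as written; pam_unix there
#     already carries use_authtok.
# Re-running on an already converted file changes nothing.
# Assumption: the config= path is the one used in the thread.

PASSWDQC_CONF=/etc/passwdqc.conf

# passwdqc_enable FILE
# Rewrites FILE in place (owner/mode preserved, atomic rename). Returns
# non-zero and leaves FILE untouched if the rewrite fails.
passwdqc_enable() {
    file=$1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }   # keep owner/mode
    awk -v conf="$PASSWDQC_CONF" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }           # comments, blanks
        $1 != "password"         { print; next }           # other stacks
        /pam_passwdqc\.so/       { have_qc = 1 }           # already converted
        /pam_pwquality\.so/ && !have_qc {
            # keep the "password <control>" prefix, swap module and options
            pre = $0; sub(/pam_pwquality\.so.*$/, "", pre)
            print pre "pam_passwdqc.so config=" conf
            have_qc = 1; next
        }
        /pam_unix\.so/ {
            if (!have_qc) {
                print "password\trequisite\t\t\tpam_passwdqc.so config=" conf
                have_qc = 1
            }
            # pam_unix must take the new password passwdqc already checked
            if ($0 !~ /use_authtok/) sub(/pam_unix\.so/, "pam_unix.so use_authtok")
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Demo on a constructed copy of the Ubuntu 22.04 "Primary" block quoted in
# the thread, written to a temp dir so /etc is never touched here.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/common-password" <<'EOF'
# here are the per-package modules (the "Primary" block)
password    [success=1 default=ignore]    pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
password    requisite                     pam_deny.so
EOF
    passwdqc_enable "$dir/common-password" && cat "$dir/common-password"
    rm -rf "$dir"
}
demo
```

To apply it for real, run the function as root against the live file: `passwdqc_enable /etc/pam.d/common-password` on Debian/Ubuntu (with the caveat from the diff context that pam-auth-update regenerates that file), and on RHEL-family systems against the copies inside a custom authselect profile rather than the autogenerated files under /etc/pam.d, for example `authselect create-profile passwdqc -b sssd --symlink-meta`, then the function on /etc/authselect/custom/passwdqc/system-auth and password-auth, then `authselect select custom/passwdqc`. The `sssd` base is an assumption; use whatever `authselect current` reports.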
