Reputation: 177
I tried enforcing difok=7 for root but can't get it to work. By now I tried every combination and it's just not working. I can't find any information in the manpage about this problem.
Is it normal that pam_cracklib is not enforcing difok=7 for root?
This is the configuration I am using: password requisite pam_pwquality.so retry=3 difok=7 minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username enforce_for_root
Upvotes: 1
Views: 995
Reputation: 41
In the manual (man pam_pwquality.so), there is a note about this point for the enforce_for_root option.
enforce_for_root
The module will return error on failed check even if the user changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. Note that root is not asked for an old password so the checks that compare the old and new password are not performed.
which means that the check that compares the old password with the new one (difok in our case) will be ignored.
Upvotes: 0
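Added example, not code from the answer or from libpwquality: a small Python script that reads the question's pam_pwquality line and reports which checks can actually take effect when root changes a password, since root is never prompted for the old password. It assumes the line lives in one of the password-stack files under /etc/pam.d and that option names are those documented in man pam_pwquality; reject_username is a pam_cracklib spelling, and pam_pwquality's equivalent is usercheck.

```python
"""Audit a pam_pwquality line for checks that cannot apply to root-initiated changes."""

# Constructed input: the configuration line from the question (assumption: it sits in
# a password-stack file under /etc/pam.d such as common-password or system-auth).
SAMPLE_PAM_LINE = (
    "password requisite pam_pwquality.so retry=3 difok=7 minlen=10 "
    "ucredit=-1 dcredit=-1 maxrepeat=3 reject_username enforce_for_root"
)

# Options that are not quality checks themselves.
NON_CHECKS = {"retry", "debug", "authtok_type", "use_authtok",
              "local_users_only", "enforce_for_root"}
# Checks that compare the new password against the old one; root is not asked
# for the old password, so these are skipped for root with or without enforce_for_root.
NEEDS_OLD_PASSWORD = {"difok"}
# pam_cracklib option names that pam_pwquality spells differently.
CRACKLIB_ONLY = {"reject_username": "usercheck=1"}


def parse_pwquality_line(line):
    """Return {option: value} for a 'password ... pam_pwquality.so' line, else None."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "password" or fields[2] != "pam_pwquality.so":
        return None
    opts = {}
    for tok in fields[3:]:
        key, _, val = tok.partition("=")
        opts[key] = val or True   # bare flags such as enforce_for_root map to True
    return opts


def audit_root_enforcement(line):
    """Classify each option by what happens when root changes a password."""
    opts = parse_pwquality_line(line)
    if opts is None:
        return None
    enforced = "enforce_for_root" in opts
    report = {"enforce_for_root": enforced, "enforced": [], "skipped_old_password": [],
              "warn_only": [], "cracklib_name": {}}
    for key in opts:
        if key in NON_CHECKS:
            continue
        if key in CRACKLIB_ONLY:
            report["cracklib_name"][key] = CRACKLIB_ONLY[key]
        elif key in NEEDS_OLD_PASSWORD:
            report["skipped_old_password"].append(key)
        elif enforced:
            report["enforced"].append(key)
        else:
            report["warn_only"].append(key)   # message printed, change still allowed
    return report


if __name__ == "__main__":
    print(audit_root_enforcement(SAMPLE_PAM_LINE))
```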
Reputation: 1
Possible duplicate of https://unix.stackexchange.com/questions/239002/why-roots-password-change-doesnt-require-old-password. In short: When you change the password for root it does not check for the old password, because this check would be pointless as it adds no additional security.
Upvotes: 0