From 44ab821084cb51c869642a7b7b9da950d5137a3e Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Tue, 31 Oct 2023 13:56:08 +0200
Subject: [PATCH] password hardening: support feature in Debian 12 by using pam_pwquality.so lib instead pam_cracklib.so, since it not supported in Debian 12
---
 files/build_templates/sonic_debian_extension.j2 | 2 +-
 src/sonic-host-services-data/templates/common-password.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index 848911433c9..4c02cb9792d 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -270,7 +270,7 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 # package for supporting password hardening
-sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libpam-cracklib
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libpam-pwquality
 # Install pam-tacplus and nss-tacplus
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libtac2_*.deb || \
diff --git a/src/sonic-host-services-data/templates/common-password.j2 b/src/sonic-host-services-data/templates/common-password.j2
index c5fd3f889c2..91b46928125 100644
--- a/src/sonic-host-services-data/templates/common-password.j2
+++ b/src/sonic-host-services-data/templates/common-password.j2
@@ -26,7 +26,7 @@
 {% if passw_policies %}
 {% if passw_policies['state'] == 'enabled' %}
-password requisite pam_cracklib.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% else %}ucredit=0{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% else %}lcredit=0{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% else %}dcredit=0{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% else %}ocredit=0{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root
+password requisite pam_pwquality.so retry=3 maxrepeat=0 {% if passw_policies['len_min'] %}minlen={{passw_policies['len_min']}}{% endif %} {% if passw_policies['upper_class'] %}ucredit=-1{% else %}ucredit=0{% endif %} {% if passw_policies['lower_class'] %}lcredit=-1{% else %}lcredit=0{% endif %} {% if passw_policies['digits_class'] %}dcredit=-1{% else %}dcredit=0{% endif %} {% if passw_policies['special_class'] %}ocredit=-1{% else %}ocredit=0{% endif %} {% if passw_policies['reject_user_passw_match'] %}reject_username{% endif %} enforce_for_root dictcheck=0
 password required pam_pwhistory.so {% if passw_policies['history_cnt'] %}remember={{passw_policies['history_cnt']}}{% endif %} use_authtok enforce_for_root
 {% endif %}
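Review bot: The trailing `dictcheck=0` on the new `pam_pwquality.so` line turns off the dictionary lookup that pam_cracklib performed, so once the policy is enabled a dictionary word that satisfies `minlen` and the class credits is accepted, and neither the commit message nor the template says why. If it is disabled because the image carries no cracklib dictionary, record that above the line, e.g. `# dictcheck=0: no cracklib dictionary in the image, dictionary words are NOT rejected`, or expose it as a `passw_policies` key so operators can turn it back on. It is also worth confirming that `reject_username` still switches the user-name check on and off under pam_pwquality, since its option set is not identical to pam_cracklib's and an omitted flag may no longer mean "check disabled". The enclosing `{% if passw_policies %}` block starts and ends outside this hunk.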