pam_pwcheck(8)
NAME
pam_pwcheck - PAM module for password strength checking
DESCRIPTION
pam_pwcheck is a PAM module for password strength checking. It
makes additional checks upon password changes, but it doesn't
make the change itself. It only provides functionality for one
PAM management group: password changing.
This module works in the following manner: if enabled, it first
calls the Cracklib routine to check the strength of the password;
if crack likes the password, the module does an additional set of
strength checks. These checks are:
- Palindrome: Is the new password a palindrome of the old one?
- Case Change Only: Is the new password the old one with only a
change of case?
- Similar: Is the new password too much like the old one?
- Simple: Is the new password too short?
- Rotated: Is the new password a rotated version of the old
password?
- Already used: Was the password used in the past? Previously
used passwords are to be found in /etc/security/opasswd.
You can add the options in the PAM configuration files for every
single service, or you can add them globally in
/etc/security/pam_pwcheck.conf.
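The additional checks listed above, reimplemented in Python as an added example so the rules can be tried against sample password pairs. This is not pam_pwcheck's own code: the "similar" threshold, the plain-text password history (the real opasswd file stores hashes) and the decision to report every failing check rather than stopping at the first are assumptions made here.

```python
from collections import Counter
from typing import List

MINLEN = 5  # pam_pwcheck's documented default for minlen


def is_palindrome(old: str, new: str) -> bool:
    """New password reads the same backwards, or is the old one reversed."""
    return new == new[::-1] or new == old[::-1]


def case_change_only(old: str, new: str) -> bool:
    """Only the letter case differs between old and new."""
    return new != old and new.lower() == old.lower()


def too_similar(old: str, new: str) -> bool:
    """Assumed rule: more than half of the old password's characters
    (counted with multiplicity, case-sensitive) reappear in the new one."""
    shared = sum((Counter(old) & Counter(new)).values())
    return shared * 2 > len(old)


def too_simple(new: str, minlen: int = MINLEN) -> bool:
    """Shorter than minlen; minlen=0 suppresses the check, as documented."""
    return minlen > 0 and len(new) < minlen


def is_rotated(old: str, new: str) -> bool:
    """New password is the old one rotated by some number of positions."""
    return len(old) == len(new) and new != old and new in old + old


def already_used(new: str, history: List[str], remember: int) -> bool:
    """history is oldest-first; only the last `remember` entries count
    (constructed plain strings here, unlike the hashed opasswd entries)."""
    return remember > 0 and new in history[-remember:]


def failed_checks(old: str, new: str, history: List[str],
                  remember: int = 5) -> List[str]:
    """Return the names of every check the new password fails."""
    results = [
        ("palindrome", is_palindrome(old, new)),
        ("case change only", case_change_only(old, new)),
        ("similar", too_similar(old, new)),
        ("simple", too_simple(new)),
        ("rotated", is_rotated(old, new)),
        ("already used", already_used(new, history, remember)),
    ]
    return [name for name, failed in results if failed]
```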
OPTIONS
The following options may be passed to the module:
- blowfish: This is a new password encryption method used by
OpenBSD and the Openwall Linux distribution. This option only
means that a password can be up to 97 characters long. Longer
passwords will be truncated. The encryption itself is done by the
PAM module that stores the password.
- cracklib=<path to dictionaries>: Use the cracklib library for
password checks. This parameter also contains the path to the
cracklib dictionaries. The default is /usr/lib/cracklib_dict.
- debug: A lot of debug information is printed with syslog(3).
- maxlen=number: Number of significant characters in the password
for crypt(3). The default is 8; don't change this unless your
crypt() is better. This option is ignored if the "md5" or
"blowfish" option is given.
- minlen=number: The minimum number of characters in an acceptable
password. A new password with fewer characters will be rejected. A
zero value suppresses this check. The default is 5.
- nisdir=<path>: This option specifies a path to the source files
for NIS maps on a NIS master server. If this option is given, the
passwords of NIS accounts will not be changed with yppasswd(1);
instead the local passwd and shadow files below <path> will be
modified. In conjunction with rpasswdd(8) and pam_make you can
replace rpc.yppasswdd(8) with a more secure solution on the NIS
master server.
- no_obscure_checks: No additional checks will be performed before
a new password is accepted. Since the checks performed are fairly
simple, their usage is recommended.
- not_set_pass: If this option is given, pam_pwcheck will not make
the new password available to other modules.
- nullok: Normally the account is disabled if no password is set
or if the length of the password is zero. With this option you can
allow the user to change his password for such accounts. This
option does not override a hardcoded default of the calling
process.
- tries=number: Maximum number of attempts to change a password if
the new ones are rejected because they are too easy.
- use_authtok: Set the new password to the one provided by the
previously stacked password module. If this option is not set,
pam_pwcheck asks the user for the new password.
- use_first_pass: The default is that pam_pwcheck tries to get the
authentication token from a previous module. If no token is
available, the user is asked for the old password. With this
option, pam_pwcheck aborts with an error if no authentication
token from a previous module is available.
- md5: In the case of conventional Unix databases (which store the
password encrypted), the md5 argument is used to do the encryption
with the MD5 function as opposed to the conventional crypt(3)
call.
- bigcrypt: As an alternative to md5, the bigcrypt argument can be
used to encrypt more than the first 8 characters of a password
with DEC's (Digital Equipment Corporation) `C2' extension to the
standard UNIX crypt() algorithm.
- remember=XX: Remember the last XX passwords and don't allow the
user to use any of them again for the next XX password changes.
XX is a number between 1 and 400.
FILES
/etc/security/pam_pwcheck.conf
/etc/security/opasswd