pam_authtok_check - authentication and password
management module
SYNOPSIS
pam_authtok_check.so.1
DESCRIPTION
pam_authtok_check provides functionality to the Password
Management stack. The implementation of pam_sm_chauthtok()
performs a number of checks on the construction of the newly entered password. pam_sm_chauthtok() is invoked twice by the PAM framework, once with
flags set to PAM_PRELIM_CHECK, and once with flags set
to PAM_UPDATE_AUTHTOK. This module only performs its checks
during the first invocation. This module expects the current authentication
token in the PAM_OLDAUTHTOK item, the new (to be checked)
password in the PAM_AUTHTOK item, and the login name in
the PAM_USER item. The checks performed by this module
are:
length
The password length should
not be less that the minimum specified in /etc/default/passwd.
circular shift
The password should
not be a circular shift of the login name. This check may be disabled in /etc/default/passwd.
complexity
The password should contain
at least the minimum number of characters described by the parameters MINALPHA, MINNONALPHA, MINDIGIT,
and MINSPECIAL. Note that MINNONALPHA
describes the same character classes as MINDIGIT and MINSPECIAL combined; therefore the user cannot specify both MINNONALPHA and MINSPECIAL (or MINDIGIT). The user must choose which of the two options to use. Furthermore,
the WHITESPACE parameter determines whether whitespace
characters are allowed. If unspecified MINALPHA is 2, MINNONALPHA is 1 and WHITESPACE is yes
variation
The old and new passwords
must differ by at least the MINDIFF value specified in /etc/default/passwd. If unspecified, the default is 3. For accounts
in name services which support password history checking, if prior history
is defined, the new password must not match the prior passwords.
dictionary check
The password must
not be based on a dictionary word. The list of words to be used for the site's
dictionary can be specified with DICTIONLIST. It should
contain a comma-separated list of filenames, one word per line. The database
that is created from these files is stored in the directory named by DICTIONDBDIR (defaults to /var/passwd). See mkpwdict(1M) for
information on pre-generating the database. If neither DICTIONLIST nor DICTIONDBDIR is specified, no dictionary
check is made.
upper/lower case
The password must
contain at least the minimum of upper- and lower-case letters specified by
the MINUPPER and MINLOWER values in /etc/default/passwd. If unspecified, the defaults are 0.
maximum repeats
The password must
not contain more consecutively repeating characters than specified by the MAXREPEATS value in /etc/default/passwd. If
unspecified, no repeat character check is made.
The following option may be passed to the module:
force_check
If the PAM_NO_AUTHTOK_CHECK flag set, force_check ignores this flag. The PAM_NO_AUTHTOK_CHECK flag can be set to bypass password checks (see pam_chauthtok(3PAM)).
debug
syslog(3C) debugging information at
the LOG_DEBUG level
RETURN VALUES
If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS is returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.
