1PAM_CRACKLIB(8) Linux-PAM Manual PAM_CRACKLIB(8)
2
6 pam_cracklib - PAM module to check the password against dictionary
7 words
8
10 pam_cracklib.so [...]
11
13 This module can be plugged into the password stack of a given
14 application to provide some plug-in strength-checking for passwords.
15 The action of this module is to prompt the user for a password and
17 check its strength against a system dictionary and a set of rules for
18 identifying poor choices.
19 The first action is to prompt for a single password, check its strength
21 and then, if it is considered strong, prompt for the password a second
22 time (to verify that it was typed correctly on the first occasion). All
23 being well, the password is passed on to subsequent modules to be
24 installed as the new authentication token.
25 The strength checks works in the following manner: at first the
27 Cracklib routine is called to check if the password is part of a
28 dictionary; if this is not the case an additional set of strength
29 checks is done. These checks are:
30 Palindrome
32 Is the new password a palindrome of the old one?
33 Case Change Only
35 Is the new password the the old one with only a change of case?
36 Similar
38 Is the new password too much like the old one? This is primarily
39 controlled by one argument, difok which is a number of characters
40 that if different between the old and new are enough to accept the
41 new password, this defaults to 10 or 1/2 the size of the new
42 password whichever is smaller.
43 To avoid the lockup associated with trying to change a long and
45 complicated password, difignore is available. This argument can be
46 used to specify the minimum length a new password needs to be before
47 the difok value is ignored. The default value for difignore is 23.
48 Simple
50 Is the new password too small? This is controlled by 5 arguments
51 minlen, dcredit, ucredit, lcredit, and ocredit. See the section on
52 the arguments for the details of how these work and there defaults.
53 Rotated
55 Is the new password a rotated version of the old password?
56 Already used
58 Was the password used in the past? Previously used passwords are to
59 be found in /etc/security/opasswd.
60 This module with no arguments will work well for standard unix password
62 encryption. With md5 encryption, passwords can be longer than 8
63 characters and the default settings for this module can make it hard
64 for the user to choose a satisfactory new password. Notably, the
65 requirement that the new password contain no more than 1/2 of the
66 characters in the old password becomes a non-trivial constraint. For
67 example, an old password of the form "the quick brown fox jumped over
68 the lazy dogs" would be difficult to change... In addition, the default
69 action is to allow passwords as small as 5 characters in length. For a
70 md5 systems it can be a good idea to increase the required minimum size
71 of a password. One can then allow more credit for different kinds of
72 characters but accept that the new password may share most of these
73 characters with the old password.
74
76 debug
77 This option makes the module write information to syslog(3)
78 indicating the behavior of the module (this option does not write
79 password information to the log file).
80 type=XXX
82 The default action is for the module to use the following prompts
83 when requesting passwords: "New UNIX password: " and "Retype UNIX
84 password: ". The default word UNIX can be replaced with this option.
85 retry=N
87 Prompt user at most N times before returning with error. The default
88 is 1
89 difok=N
91 This argument will change the default of 5 for the number of
92 characters in the new password that must not be present in the old
93 password. In addition, if 1/2 of the characters in the new password
94 are different then the new password will be accepted anyway.
95 difignore=N
97 How many characters should the password have before difok will be
98 ignored. The default is 23.
99 minlen=N
101 The minimum acceptable size for the new password (plus one if
102 credits are not disabled which is the default). In addition to the
103 number of characters in the new password, credit (of +1 in length)
104 is given for each different kind of character (other, upper, lower
105 and digit). The default for this parameter is 9 which is good for a
106 old style UNIX password all of the same type of character but may be
107 too low to exploit the added security of a md5 system. Note that
108 there is a pair of length limits in Cracklib itself, a "way too
109 short" limit of 4 which is hard coded in and a defined limit (6)
110 that will be checked without reference to minlen. If you want to
111 allow passwords as short as 5 characters you should not use this
112 module.
113 dcredit=N
115 (N >= 0) This is the maximum credit for having digits in the new
116 password. If you have less than or N digits, each digit will count
117 +1 towards meeting the current minlen value. The default for dcredit
118 is 1 which is the recommended value for minlen less than 10.
119 (N < 0) This is the minimum number of digits that must be met for a
121 new password.
122 ucredit=N
124 (N >= 0) This is the maximum credit for having upper case letters in
125 the new password. If you have less than or N upper case letters each
126 letter will count +1 towards meeting the current minlen value. The
127 default for ucredit is 1 which is the recommended value for minlen
128 less than 10.
129 (N > 0) This is the minimum number of upper case letters that must
131 be met for a new password.
132 lcredit=N
134 (N >= 0) This is the maximum credit for having lower case letters in
135 the new password. If you have less than or N lower case letters,
136 each letter will count +1 towards meeting the current minlen value.
137 The default for lcredit is 1 which is the recommended value for
138 minlen less than 10.
139 (N < 0) This is the minimum number of lower case letters that must
141 be met for a new password.
142 ocredit=N
144 (N >= 0) This is the maximum credit for having other characters in
145 the new password. If you have less than or N other characters, each
146 character will count +1 towards meeting the current minlen value.
147 The default for ocredit is 1 which is the recommended value for
148 minlen less than 10.
149 (N < 0) This is the minimum number of other characters that must be
151 met for a new password.
152 use_authtok
154 This argument is used to force the module to not prompt the user for
155 a new password but use the one provided by the previously stacked
156 password module.
157 dictpath=/path/to/dict
159 Path to the cracklib dictionaries.
160
162 Only he password service is supported.
163
165 PAM_SUCCESS
166 The new password passes all checks.
167 PAM_AUTHTOK_ERR
169 No new password was entered, the username could not be determined or
170 the new password fails the strength checks.
171 PAM_AUTHTOK_RECOVERY_ERR
173 The old password was not supplied by a previous stackked module or
174 got not requested from the user. The first error can happen if
175 use_authtok is specified.
176 PAM_SERVICE_ERR
178 A internal error occured.
179
181 For an example of the use of this module, we show how it may be stacked
182 with the password component of pam_unix(8)
183 #
185 # These lines stack two password type modules. In this example the
186 # user is given 3 opportunities to enter a strong password. The
187 # "use_authtok" argument ensures that the pam_unix module does not
188 # prompt for a password, but instead uses the one provided by
189 # pam_cracklib.
190 #
191 passwd password required pam_cracklib.so retry=3
192 passwd password required pam_unix.so use_authtok
193 Another example (in the /etc/pam.d/passwd format) is for the case that
197 you want to use md5 password encryption:
198 #%PAM-1.0
200 #
201 # These lines allow a md5 systems to support passwords of at least 14
202 # bytes with extra credit of 2 for digits and 2 for others the new
203 # password must have at least three bytes that are not present in the
204 # old password
205 #
206 password required pam_cracklib.so \
207 difok=3 minlen=15 dcredit= 2 ocredit=2
208 password required pam_unix.so use_authtok nullok md5
209 And here is another example in case you don't want to use credits:
213 #%PAM-1.0
215 #
216 # These lines require the user to select a password with a minimum
217 # length of 8 and with at least 1 digit number, 1 upper case letter,
218 # and 1 other character
219 #
220 password required pam_cracklib.so \
221 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
222 password required pam_unix.so use_authtok nullok md5
223
227 pam.conf(5), pam.d(8), pam(8)
228
230 pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
231Linux-PAM Manual 06/02/2006 PAM_CRACKLIB(8)