1PWQUALITY.CONF(5)             File Formats Manual            PWQUALITY.CONF(5)
2
3
4

NAME

6       pwquality.conf - configuration for the libpwquality library
7

SYNOPSIS

9       /etc/security/pwquality.conf
10
11       /etc/security/pwquality.conf.d/*.conf
12

DESCRIPTION

14       pwquality.conf provides a way to configure the default password quality
15       requirements for the system passwords. This file is read by the
16       libpwquality library and utilities that use this library for checking
17       and generating passwords.
18
19       The file has a very simple name = value format with possible comments
20       starting with "#" character. The whitespace at the beginning of line,
21       end of line, and around the "=" sign is ignored.
22
23       The libpwquality library also first reads all *.conf files from the
24       /etc/security/pwquality.conf.d directory in ASCII sorted order. The
25       values of the same settings are overriden in the order the files are
26       parsed.
27

OPTIONS

29       The possible options in the file are:
30
31       difok
32           Number of characters in the new password that must not be present
33           in the old password. (default 1)
34
35           The special value of 0 disables all checks of similarity of the new
36           password with the old password except the new password being
37           exactly the same as the old one.
38
39       minlen
40           Minimum acceptable size for the new password (plus one if credits
41           are not disabled which is the default). (See pam_pwquality(8).)
42           Cannot be set to lower value than 6. (default 8)
43
44       dcredit
45           The maximum credit for having digits in the new password. If less
46           than 0 it is the minimum number of digits in the new password.
47           (default 0)
48
49       ucredit
50           The maximum credit for having uppercase characters in the new
51           password.  If less than 0 it is the minimum number of uppercase
52           characters in the new password. (default 0)
53
54       lcredit
55           The maximum credit for having lowercase characters in the new
56           password.  If less than 0 it is the minimum number of lowercase
57           characters in the new password. (default 0)
58
59       ocredit
60           The maximum credit for having other characters in the new password.
61           If less than 0 it is the minimum number of other characters in the
62           new password. (default 0)
63
64       minclass
65           The minimum number of required classes of characters for the new
66           password (digits, uppercase, lowercase, others). (default 0)
67
68       maxrepeat
69           The maximum number of allowed same consecutive characters in the
70           new password.  The check is disabled if the value is 0. (default 0)
71
72       maxsequence
73           The maximum length of monotonic character sequences in the new
74           password.  Examples of such sequence are '12345' or 'fedcb'. Note
75           that most such passwords will not pass the simplicity check unless
76           the sequence is only a minor part of the password.  The check is
77           disabled if the value is 0. (default 0)
78
79       maxclassrepeat
80           The maximum number of allowed consecutive characters of the same
81           class in the new password.  The check is disabled if the value is
82           0. (default 0)
83
84       gecoscheck
85           If nonzero, check whether the words longer than 3 characters from
86           the GECOS field of the user's passwd(5) entry are contained in the
87           new password.  The check is disabled if the value is 0. (default 0)
88
89       dictcheck
90           If nonzero, check whether the password (with possible
91           modifications) matches a word in a dictionary. Currently the
92           dictionary check is performed using the cracklib library. (default
93           1)
94
95       usercheck=N
96           If nonzero, check whether the password (with possible
97           modifications) contains the user name in some form. It is not
98           performed for user names shorter than 3 characters. (default 1)
99
100       enforcing=N
101           If nonzero, reject the password if it fails the checks, otherwise
102           only print the warning. This setting applies only to the
103           pam_pwquality module and possibly other applications that
104           explicitly change their behavior based on it. It does not affect
105           pwmake(1) and pwscore(1). (default 1)
106
107       badwords
108           Space separated list of words that must not be contained in the
109           password. These are additional words to the cracklib dictionary
110           check. This setting can be also used by applications to emulate the
111           gecos check for user accounts that are not created yet.
112
113       dictpath
114           Path to the cracklib dictionaries. Default is to use the cracklib
115           default.
116

SEE ALSO

118       pwscore(1), pwmake(1), pam_pwquality(8)
119

AUTHORS

121       Tomas Mraz <tmraz@redhat.com>
122
123
124
125Red Hat, Inc.                     2017-05-26                 PWQUALITY.CONF(5)
Impressum