1PAM_CRACKLIB(8) Linux-PAM Manual PAM_CRACKLIB(8)
2
6 pam_cracklib - PAM module to check the password against dictionary
7 words
8
10 pam_cracklib.so [...]
11
13 This module can be plugged into the password stack of a given
14 application to provide some plug-in strength-checking for passwords.
15 The action of this module is to prompt the user for a password and
17 check its strength against a system dictionary and a set of rules for
18 identifying poor choices.
19 The first action is to prompt for a single password, check its strength
21 and then, if it is considered strong, prompt for the password a second
22 time (to verify that it was typed correctly on the first occasion). All
23 being well, the password is passed on to subsequent modules to be
24 installed as the new authentication token.
25 The strength checks works in the following manner: at first the
27 Cracklib routine is called to check if the password is part of a
28 dictionary; if this is not the case an additional set of strength
29 checks is done. These checks are:
30 Palindrome
32 Is the new password a palindrome?
33 Case Change Only
35 Is the new password the the old one with only a change of case?
36 Similar
38 Is the new password too much like the old one? This is primarily
39 controlled by one argument, difok which is a number of characters
40 that if different between the old and new are enough to accept the
41 new password, this defaults to 10 or 1/2 the size of the new
42 password whichever is smaller.
43 To avoid the lockup associated with trying to change a long and
45 complicated password, difignore is available. This argument can be
46 used to specify the minimum length a new password needs to be
47 before the difok value is ignored. The default value for difignore
48 is 23.
49 Simple
51 Is the new password too small? This is controlled by 5 arguments
52 minlen, dcredit, ucredit, lcredit, and ocredit. See the section on
53 the arguments for the details of how these work and there defaults.
54 Rotated
56 Is the new password a rotated version of the old password?
57 Same consecutive characters
59 Optional check for same consecutive characters.
60 Contains user name
62 Optional check whether the password contains the user´s name in
63 some form.
64 This module with no arguments will work well for standard unix password
66 encryption. With md5 encryption, passwords can be longer than 8
67 characters and the default settings for this module can make it hard
68 for the user to choose a satisfactory new password. Notably, the
69 requirement that the new password contain no more than 1/2 of the
70 characters in the old password becomes a non-trivial constraint. For
71 example, an old password of the form "the quick brown fox jumped over
72 the lazy dogs" would be difficult to change... In addition, the default
73 action is to allow passwords as small as 5 characters in length. For a
74 md5 systems it can be a good idea to increase the required minimum size
75 of a password. One can then allow more credit for different kinds of
76 characters but accept that the new password may share most of these
77 characters with the old password.
78
80 debug
81 This option makes the module write information to syslog(3)
82 indicating the behavior of the module (this option does not write
83 password information to the log file).
84 authtok_type=XXX
86 The default action is for the module to use the following prompts
87 when requesting passwords: "New UNIX password: " and "Retype UNIX
88 password: ". The example word UNIX can be replaced with this
89 option, by default it is empty.
90 retry=N
92 Prompt user at most N times before returning with error. The
93 default is 1.
94 difok=N
96 This argument will change the default of 5 for the number of
97 characters in the new password that must not be present in the old
98 password. In addition, if 1/2 of the characters in the new password
99 are different then the new password will be accepted anyway.
100 difignore=N
102 How many characters should the password have before difok will be
103 ignored. The default is 23.
104 minlen=N
106 The minimum acceptable size for the new password (plus one if
107 credits are not disabled which is the default). In addition to the
108 number of characters in the new password, credit (of +1 in length)
109 is given for each different kind of character (other, upper, lower
110 and digit). The default for this parameter is 9 which is good for a
111 old style UNIX password all of the same type of character but may
112 be too low to exploit the added security of a md5 system. Note that
113 there is a pair of length limits in Cracklib itself, a "way too
114 short" limit of 4 which is hard coded in and a defined limit (6)
115 that will be checked without reference to minlen. If you want to
116 allow passwords as short as 5 characters you should not use this
117 module.
118 dcredit=N
120 (N >= 0) This is the maximum credit for having digits in the new
121 password. If you have less than or N digits, each digit will count
122 +1 towards meeting the current minlen value. The default for
123 dcredit is 1 which is the recommended value for minlen less than
124 10.
125 (N < 0) This is the minimum number of digits that must be met for a
127 new password.
128 ucredit=N
130 (N >= 0) This is the maximum credit for having upper case letters
131 in the new password. If you have less than or N upper case letters
132 each letter will count +1 towards meeting the current minlen value.
133 The default for ucredit is 1 which is the recommended value for
134 minlen less than 10.
135 (N < 0) This is the minimum number of upper case letters that must
137 be met for a new password.
138 lcredit=N
140 (N >= 0) This is the maximum credit for having lower case letters
141 in the new password. If you have less than or N lower case letters,
142 each letter will count +1 towards meeting the current minlen value.
143 The default for lcredit is 1 which is the recommended value for
144 minlen less than 10.
145 (N < 0) This is the minimum number of lower case letters that must
147 be met for a new password.
148 ocredit=N
150 (N >= 0) This is the maximum credit for having other characters in
151 the new password. If you have less than or N other characters, each
152 character will count +1 towards meeting the current minlen value.
153 The default for ocredit is 1 which is the recommended value for
154 minlen less than 10.
155 (N < 0) This is the minimum number of other characters that must be
157 met for a new password.
158 minclass=N
160 The minimum number of required classes of characters for the new
161 password. The default number is zero. The four classes are digits,
162 upper and lower letters and other characters. The difference to the
163 credit check is that a specific class if of characters is not
164 required. Instead N out of four of the classes are required.
165 maxrepeat=N
167 Reject passwords which contain more than N same consecutive
168 characters. The default is 0 which means that this check is
169 disabled.
170 reject_username
172 Check whether the name of the user in straight or reversed form is
173 contained in the new password. If it is found the new password is
174 rejected.
175 use_authtok
177 This argument is used to force the module to not prompt the user
178 for a new password but use the one provided by the previously
179 stacked password module.
180 dictpath=/path/to/dict
182 Path to the cracklib dictionaries.
183
185 Only the password module type is provided.
186
188 PAM_SUCCESS
189 The new password passes all checks.
190 PAM_AUTHTOK_ERR
192 No new password was entered, the username could not be determined
193 or the new password fails the strength checks.
194 PAM_AUTHTOK_RECOVERY_ERR
196 The old password was not supplied by a previous stacked module or
197 got not requested from the user. The first error can happen if
198 use_authtok is specified.
199 PAM_SERVICE_ERR
201 A internal error occurred.
202
204 For an example of the use of this module, we show how it may be stacked
205 with the password component of pam_unix(8)
206 #
208 # These lines stack two password type modules. In this example the
209 # user is given 3 opportunities to enter a strong password. The
210 # "use_authtok" argument ensures that the pam_unix module does not
211 # prompt for a password, but instead uses the one provided by
212 # pam_cracklib.
213 #
214 passwd password required pam_cracklib.so retry=3
215 passwd password required pam_unix.so use_authtok
216 Another example (in the /etc/pam.d/passwd format) is for the case that
219 you want to use md5 password encryption:
220 #%PAM-1.0
222 #
223 # These lines allow a md5 systems to support passwords of at least 14
224 # bytes with extra credit of 2 for digits and 2 for others the new
225 # password must have at least three bytes that are not present in the
226 # old password
227 #
228 password required pam_cracklib.so \
229 difok=3 minlen=15 dcredit= 2 ocredit=2
230 password required pam_unix.so use_authtok nullok md5
231 And here is another example in case you don´t want to use credits:
234 #%PAM-1.0
236 #
237 # These lines require the user to select a password with a minimum
238 # length of 8 and with at least 1 digit number, 1 upper case letter,
239 # and 1 other character
240 #
241 password required pam_cracklib.so \
242 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
243 password required pam_unix.so use_authtok nullok md5
244
248 pam.conf(5), pam.d(5), pam(8)
249
251 pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
252Linux-PAM Manual 06/16/2009 PAM_CRACKLIB(8)