1PWQUALITY.CONF(5) File Formats Manual PWQUALITY.CONF(5)
2
6 pwquality.conf - configuration for the libpwquality library
7
9 /etc/security/pwquality.conf
10 /etc/security/pwquality.conf.d/*.conf
12
14 pwquality.conf provides a way to configure the default password quality
15 requirements for the system passwords. This file is read by the
16 libpwquality library and utilities that use this library for checking
17 and generating passwords.
18 The file has a very simple name = value format with possible comments
20 starting with "#" character. The whitespace at the beginning of line,
21 end of line, and around the "=" sign is ignored.
22 The libpwquality library also first reads all *.conf files from the
24 /etc/security/pwquality.conf.d directory in ASCII sorted order. The
25 values of the same settings are overridden in the order the files are
26 parsed.
27
29 The possible options in the file are:
30 difok
32 Number of characters in the new password that must not be present
33 in the old password. (default 1)
34 The special value of 0 disables all checks of similarity of the new
36 password with the old password except the new password being
37 exactly the same as the old one.
38 minlen
40 Minimum acceptable size for the new password (plus one if credits
41 are not disabled which is the default). (See pam_pwquality(8).)
42 Cannot be set to lower value than 6. (default 8)
43 dcredit
45 The maximum credit for having digits in the new password. If less
46 than 0 it is the minimum number of digits in the new password.
47 (default 0)
48 ucredit
50 The maximum credit for having uppercase characters in the new
51 password. If less than 0 it is the minimum number of uppercase
52 characters in the new password. (default 0)
53 lcredit
55 The maximum credit for having lowercase characters in the new
56 password. If less than 0 it is the minimum number of lowercase
57 characters in the new password. (default 0)
58 ocredit
60 The maximum credit for having other characters in the new password.
61 If less than 0 it is the minimum number of other characters in the
62 new password. (default 0)
63 minclass
65 The minimum number of required classes of characters for the new
66 password (digits, uppercase, lowercase, others). (default 0)
67 maxrepeat
69 The maximum number of allowed same consecutive characters in the
70 new password. The check is disabled if the value is 0. (default 0)
71 maxsequence
73 The maximum length of monotonic character sequences in the new
74 password. Examples of such sequence are '12345' or 'fedcb'. Note
75 that most such passwords will not pass the simplicity check unless
76 the sequence is only a minor part of the password. The check is
77 disabled if the value is 0. (default 0)
78 maxclassrepeat
80 The maximum number of allowed consecutive characters of the same
81 class in the new password. The check is disabled if the value is
82 0. (default 0)
83 gecoscheck
85 If nonzero, check whether the words longer than 3 characters from
86 the GECOS field of the user's passwd(5) entry are contained in the
87 new password. The check is disabled if the value is 0. (default 0)
88 dictcheck
90 If nonzero, check whether the password (with possible
91 modifications) matches a word in a dictionary. Currently the
92 dictionary check is performed using the cracklib library. (default
93 1)
94 usercheck=N
96 If nonzero, check whether the password (with possible
97 modifications) contains the user name in some form. It is not
98 performed for user names shorter than 3 characters. (default 1)
99 usersubstr=N
101 If greater than 3 (due to the minimum length in usercheck), check
102 whether the password contains a substring of at least N length in
103 some form. (default 0)
104 enforcing=N
106 If nonzero, reject the password if it fails the checks, otherwise
107 only print the warning. This setting applies only to the
108 pam_pwquality module and possibly other applications that
109 explicitly change their behavior based on it. It does not affect
110 pwmake(1) and pwscore(1). (default 1)
111 badwords
113 Space separated list of words that must not be contained in the
114 password. These are additional words to the cracklib dictionary
115 check. This setting can be also used by applications to emulate the
116 gecos check for user accounts that are not created yet.
117 dictpath
119 Path to the cracklib dictionaries. Default is to use the cracklib
120 default.
121 retry=N
123 Prompt user at most N times before returning with error. The
124 default is 1.
125 enforce_for_root
127 The module will return error on failed check even if the user
128 changing the password is root. This option is off by default which
129 means that just the message about the failed check is printed but
130 root can change the password anyway. Note that root is not asked
131 for an old password so the checks that compare the old and new
132 password are not performed.
133 local_users_only
135 The module will not test the password quality for users that are
136 not present in the /etc/passwd file. The module still asks for the
137 password so the following modules in the stack can use the
138 use_authtok option. This option is off by default.
139
141 pwscore(1), pwmake(1), pam_pwquality(8)
142
144 Tomas Mraz <tmraz@redhat.com>
145Red Hat, Inc. 2020-08-03 PWQUALITY.CONF(5)