1PAM_CRACKLIB(8)                Linux-PAM Manual                PAM_CRACKLIB(8)
2
3
4

NAME

6       pam_cracklib - PAM module to check the password against dictionary
7       words
8

SYNOPSIS

10       pam_cracklib.so [...]
11

DESCRIPTION

13       This module can be plugged into the password stack of a given
14       application to provide some plug-in strength-checking for passwords.
15
16       The action of this module is to prompt the user for a password and
17       check its strength against a system dictionary and a set of rules for
18       identifying poor choices.
19
20       The first action is to prompt for a single password, check its strength
21       and then, if it is considered strong, prompt for the password a second
22       time (to verify that it was typed correctly on the first occasion). All
23       being well, the password is passed on to subsequent modules to be
24       installed as the new authentication token.
25
26       The strength checks works in the following manner: at first the
27       Cracklib routine is called to check if the password is part of a
28       dictionary; if this is not the case an additional set of strength
29       checks is done. These checks are:
30
31       Palindrome
32          Is the new password a palindrome of the old one?
33
34       Case Change Only
35          Is the new password the the old one with only a change of case?
36
37       Similar
38          Is the new password too much like the old one? This is primarily
39          controlled by one argument, difok which is a number of characters
40          that if different between the old and new are enough to accept the
41          new password, this defaults to 10 or 1/2 the size of the new
42          password whichever is smaller.
43
44          To avoid the lockup associated with trying to change a long and
45          complicated password, difignore is available. This argument can be
46          used to specify the minimum length a new password needs to be before
47          the difok value is ignored. The default value for difignore is 23.
48
49       Simple
50          Is the new password too small? This is controlled by 5 arguments
51          minlen, dcredit, ucredit, lcredit, and ocredit. See the section on
52          the arguments for the details of how these work and there defaults.
53
54       Rotated
55          Is the new password a rotated version of the old password?
56
57       Already used
58          Was the password used in the past? Previously used passwords are to
59          be found in /etc/security/opasswd.
60
61       This module with no arguments will work well for standard unix password
62       encryption. With md5 encryption, passwords can be longer than 8
63       characters and the default settings for this module can make it hard
64       for the user to choose a satisfactory new password. Notably, the
65       requirement that the new password contain no more than 1/2 of the
66       characters in the old password becomes a non-trivial constraint. For
67       example, an old password of the form "the quick brown fox jumped over
68       the lazy dogs" would be difficult to change... In addition, the default
69       action is to allow passwords as small as 5 characters in length. For a
70       md5 systems it can be a good idea to increase the required minimum size
71       of a password. One can then allow more credit for different kinds of
72       characters but accept that the new password may share most of these
73       characters with the old password.
74

OPTIONS

76       debug
77          This option makes the module write information to syslog(3)
78          indicating the behavior of the module (this option does not write
79          password information to the log file).
80
81       type=XXX
82          The default action is for the module to use the following prompts
83          when requesting passwords: "New UNIX password: " and "Retype UNIX
84          password: ". The default word UNIX can be replaced with this option.
85
86       retry=N
87          Prompt user at most N times before returning with error. The default
88          is 1
89
90       difok=N
91          This argument will change the default of 5 for the number of
92          characters in the new password that must not be present in the old
93          password. In addition, if 1/2 of the characters in the new password
94          are different then the new password will be accepted anyway.
95
96       difignore=N
97          How many characters should the password have before difok will be
98          ignored. The default is 23.
99
100       minlen=N
101          The minimum acceptable size for the new password (plus one if
102          credits are not disabled which is the default). In addition to the
103          number of characters in the new password, credit (of +1 in length)
104          is given for each different kind of character (other, upper, lower
105          and digit). The default for this parameter is 9 which is good for a
106          old style UNIX password all of the same type of character but may be
107          too low to exploit the added security of a md5 system. Note that
108          there is a pair of length limits in Cracklib itself, a "way too
109          short" limit of 4 which is hard coded in and a defined limit (6)
110          that will be checked without reference to minlen. If you want to
111          allow passwords as short as 5 characters you should not use this
112          module.
113
114       dcredit=N
115          (N >= 0) This is the maximum credit for having digits in the new
116          password. If you have less than or N digits, each digit will count
117          +1 towards meeting the current minlen value. The default for dcredit
118          is 1 which is the recommended value for minlen less than 10.
119
120          (N < 0) This is the minimum number of digits that must be met for a
121          new password.
122
123       ucredit=N
124          (N >= 0) This is the maximum credit for having upper case letters in
125          the new password. If you have less than or N upper case letters each
126          letter will count +1 towards meeting the current minlen value. The
127          default for ucredit is 1 which is the recommended value for minlen
128          less than 10.
129
130          (N > 0) This is the minimum number of upper case letters that must
131          be met for a new password.
132
133       lcredit=N
134          (N >= 0) This is the maximum credit for having lower case letters in
135          the new password. If you have less than or N lower case letters,
136          each letter will count +1 towards meeting the current minlen value.
137          The default for lcredit is 1 which is the recommended value for
138          minlen less than 10.
139
140          (N < 0) This is the minimum number of lower case letters that must
141          be met for a new password.
142
143       ocredit=N
144          (N >= 0) This is the maximum credit for having other characters in
145          the new password. If you have less than or N other characters, each
146          character will count +1 towards meeting the current minlen value.
147          The default for ocredit is 1 which is the recommended value for
148          minlen less than 10.
149
150          (N < 0) This is the minimum number of other characters that must be
151          met for a new password.
152
153       use_authtok
154          This argument is used to force the module to not prompt the user for
155          a new password but use the one provided by the previously stacked
156          password module.
157
158       dictpath=/path/to/dict
159          Path to the cracklib dictionaries.
160

MODULE SERVICES PROVIDED

162       Only he password service is supported.
163

RETURN VALUES

165       PAM_SUCCESS
166          The new password passes all checks.
167
168       PAM_AUTHTOK_ERR
169          No new password was entered, the username could not be determined or
170          the new password fails the strength checks.
171
172       PAM_AUTHTOK_RECOVERY_ERR
173          The old password was not supplied by a previous stackked module or
174          got not requested from the user. The first error can happen if
175          use_authtok is specified.
176
177       PAM_SERVICE_ERR
178          A internal error occured.
179

EXAMPLES

181       For an example of the use of this module, we show how it may be stacked
182       with the password component of pam_unix(8)
183
184          #
185          # These lines stack two password type modules. In this example the
186          # user is given 3 opportunities to enter a strong password. The
187          # "use_authtok" argument ensures that the pam_unix module does not
188          # prompt for a password, but instead uses the one provided by
189          # pam_cracklib.
190          #
191          passwd  password required       pam_cracklib.so retry=3
192          passwd  password required       pam_unix.so use_authtok
193
194
195
196       Another example (in the /etc/pam.d/passwd format) is for the case that
197       you want to use md5 password encryption:
198
199          #%PAM-1.0
200          #
201          # These lines allow a md5 systems to support passwords of at least 14
202          # bytes with extra credit of 2 for digits and 2 for others the new
203          # password must have at least three bytes that are not present in the
204          # old password
205          #
206          password  required pam_cracklib.so \
207                         difok=3 minlen=15 dcredit= 2 ocredit=2
208          password  required pam_unix.so use_authtok nullok md5
209
210
211
212       And here is another example in case you don't want to use credits:
213
214          #%PAM-1.0
215          #
216          # These lines require the user to select a password with a minimum
217          # length of 8 and with at least 1 digit number, 1 upper case letter,
218          # and 1 other character
219          #
220          password  required pam_cracklib.so \
221                         dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
222          password  required pam_unix.so use_authtok nullok md5
223
224
225

SEE ALSO

227       pam.conf(5), pam.d(8), pam(8)
228

AUTHOR

230       pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
231
232
233
234Linux-PAM Manual                  06/02/2006                   PAM_CRACKLIB(8)
Impressum