pam_authtok_check(5)  Standards, Environments, and Macros  pam_authtok_check(5)

NAME

       pam_authtok_check - authentication and password management module

SYNOPSIS

       pam_authtok_check.so.1

DESCRIPTION

       pam_authtok_check provides functionality to the Password Management
       stack. The implementation of pam_sm_chauthtok() performs a number of
       checks on the construction of the newly entered password.
       pam_sm_chauthtok() is invoked twice by the PAM framework, once with
       flags set to PAM_PRELIM_CHECK, and once with flags set to
       PAM_UPDATE_AUTHTOK. This module only performs its checks during the
       first invocation. This module expects the current authentication token
       in the PAM_OLDAUTHTOK item, the new (to be checked) password in the
       PAM_AUTHTOK item, and the login name in the PAM_USER item. The checks
       performed by this module are:

       length              The password length should not be less than the
                           minimum specified in /etc/default/passwd.

       circular shift      The password should not be a circular shift of the
                           login name. This check may be disabled in
                           /etc/default/passwd.

       complexity          The password should contain at least the minimum
                           number of characters described by the parameters
                           MINALPHA, MINNONALPHA, MINDIGIT, and MINSPECIAL.
                           Note that MINNONALPHA describes the same character
                           classes as MINDIGIT and MINSPECIAL combined;
                           therefore the user cannot specify both MINNONALPHA
                           and MINSPECIAL (or MINDIGIT). The user must choose
                           which of the two options to use. Furthermore, the
                           WHITESPACE parameter determines whether whitespace
                           characters are allowed. If unspecified, MINALPHA is
                           2, MINNONALPHA is 1, and WHITESPACE is yes.

       variation           The old and new passwords must differ by at least
                           the MINDIFF value specified in /etc/default/passwd.
                           If unspecified, the default is 3. For accounts in
                           name services which support password history
                           checking, if prior history is defined, the new
                           password must not match the prior passwords.

       dictionary check    The password must not be based on a dictionary
                           word. The list of words to be used for the site's
                           dictionary can be specified with DICTIONLIST. It
                           should contain a comma-separated list of filenames,
                           each containing one word per line. The database
                           that is created from these files is stored in the
                           directory named by DICTIONDBDIR (defaults to
                           /var/passwd). See mkpwdict(1M) for information on
                           pre-generating the database. If neither DICTIONLIST
                           nor DICTIONDBDIR is specified, no dictionary check
                           is made.

       upper/lower case    The password must contain at least the minimum
                           number of upper- and lower-case letters specified by
                           the MINUPPER and MINLOWER values in
                           /etc/default/passwd. If unspecified, the defaults
                           are 0.

       maximum repeats     The password must not contain more consecutively
                           repeating characters than specified by the
                           MAXREPEATS value in /etc/default/passwd. If
                           unspecified, no repeat character check is made.

       The following options may be passed to the module:

       force_check    If the PAM_NO_AUTHTOK_CHECK flag is set, force_check
                      ignores this flag. The PAM_NO_AUTHTOK_CHECK flag can be
                      set to bypass password checks (see pam_chauthtok(3PAM)).

       debug          Provides syslog(3C) debugging information at the
                      LOG_DEBUG level.

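       The circular shift, complexity and maximum repeats checks listed in
       this section, sketched in C as an added example; this is not the
       module's own source. The struct policy, the verdict enum, the function
       names, the order of the checks, ignoring case in the shift comparison,
       and counting whitespace toward no character class are assumptions of
       this sketch.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical types for this sketch; fields mirror /etc/default/passwd keys.
 * maxrepeats == 0 means MAXREPEATS is unspecified (no repeat check). */
struct policy { int minalpha, minnonalpha, maxrepeats, whitespace_ok; };
enum verdict { PW_OK, PW_CIRCULAR, PW_WHITESPACE, PW_COMPLEXITY, PW_REPEATS };

/* 1 if pw is a rotation of login. Ignoring case is an assumption here. */
static int is_circular_shift(const char *login, const char *pw)
{
    size_t n = strlen(login);
    if (n == 0 || strlen(pw) != n) return 0;
    for (size_t shift = 0; shift < n; shift++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)login[(i + shift) % n]) ==
                        tolower((unsigned char)pw[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Length of the longest run of one consecutively repeated character. */
static int longest_run(const char *pw)
{
    int best = 0, run = 0;
    for (size_t i = 0; pw[i] != '\0'; i++) {
        run = (i > 0 && pw[i] == pw[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}

/* Applies the checks in a fixed order and reports the first one that fails. */
enum verdict check_password(const struct policy *p, const char *login,
                            const char *pw)
{
    int alpha = 0, nonalpha = 0, space = 0;
    for (const unsigned char *c = (const unsigned char *)pw; *c; c++) {
        if (isalpha(*c)) alpha++;
        else if (isspace(*c)) space++;   /* assumption: counts toward no class */
        else nonalpha++;                 /* digits and specials combined */
    }
    if (is_circular_shift(login, pw)) return PW_CIRCULAR;
    if (space && !p->whitespace_ok) return PW_WHITESPACE;
    if (alpha < p->minalpha || nonalpha < p->minnonalpha) return PW_COMPLEXITY;
    if (p->maxrepeats > 0 && longest_run(pw) > p->maxrepeats) return PW_REPEATS;
    return PW_OK;
}
```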

RETURN VALUES

       If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS is
       returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.

FILES

       /etc/default/passwd    See passwd(1) for a description of the contents.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT Level                     │MT-Safe with exceptions      │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       passwd(1), pam(3PAM), mkpwdict(1M), pam_chauthtok(3PAM), syslog(3C),
       libpam(3LIB), pam.conf(4), passwd(4), shadow(4), attributes(5),
       pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
       pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
       pam_unix_session(5)

NOTES

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

SunOS 5.11                        1 Mar 2005              pam_authtok_check(5)