diff options
Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
-rw-r--r-- | modules/pam_cracklib/pam_cracklib.8.xml | 592 |
1 files changed, 592 insertions, 0 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml new file mode 100644 index 0000000..3f6e76f --- /dev/null +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -0,0 +1,592 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_cracklib"> + + <refmeta> + <refentrytitle>pam_cracklib</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_cracklib-name"> + <refname>pam_cracklib</refname> + <refpurpose>PAM module to check the password against dictionary words</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_cracklib-cmdsynopsis"> + <command>pam_cracklib.so</command> + <arg choice="opt"> + <replaceable>...</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_cracklib-description"> + + <title>DESCRIPTION</title> + + <para> + This module can be plugged into the <emphasis>password</emphasis> stack of + a given application to provide some plug-in strength-checking for passwords. + </para> + + <para> + The action of this module is to prompt the user for a password and + check its strength against a system dictionary and a set of rules for + identifying poor choices. + </para> + + <para> + The first action is to prompt for a single password, check its + strength and then, if it is considered strong, prompt for the password + a second time (to verify that it was typed correctly on the first + occasion). All being well, the password is passed on to subsequent + modules to be installed as the new authentication token. + </para> + + <para> + The strength checks works in the following manner: at first the + <function>Cracklib</function> routine is called to check if the password + is part of a dictionary; if this is not the case an additional set of + strength checks is done. These checks are: + </para> + + <variablelist> + <varlistentry> + <term>Palindrome</term> + <listitem> + <para> + Is the new password a palindrome? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Case Change Only</term> + <listitem> + <para> + Is the new password the the old one with only a change of case? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Similar</term> + <listitem> + <para> + Is the new password too much like the old one? + This is primarily controlled by one argument, + <option>difok</option> which is a number of character changes + (inserts, removals, or replacements) between the old and new + password that are enough to accept the new password. + This defaults to 5 changes. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Simple</term> + <listitem> + <para> + Is the new password too small? + This is controlled by 6 arguments <option>minlen</option>, + <option>maxclassrepeat</option>, + <option>dcredit</option>, <option>ucredit</option>, + <option>lcredit</option>, and <option>ocredit</option>. See the section + on the arguments for the details of how these work and there defaults. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Rotated</term> + <listitem> + <para> + Is the new password a rotated version of the old password? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Same consecutive characters</term> + <listitem> + <para> + Optional check for same consecutive characters. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Too long monotonic character sequence</term> + <listitem> + <para> + Optional check for too long monotonic character sequence. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Contains user name</term> + <listitem> + <para> + Optional check whether the password contains the user's name + in some form. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + This module with no arguments will work well for standard unix + password encryption. With md5 encryption, passwords can be longer + than 8 characters and the default settings for this module can make it + hard for the user to choose a satisfactory new password. Notably, the + requirement that the new password contain no more than 1/2 of the + characters in the old password becomes a non-trivial constraint. For + example, an old password of the form "the quick brown fox jumped over + the lazy dogs" would be difficult to change... In addition, the + default action is to allow passwords as small as 5 characters in + length. For a md5 systems it can be a good idea to increase the + required minimum size of a password. One can then allow more credit + for different kinds of characters but accept that the new password may + share most of these characters with the old password. + </para> + + </refsect1> + + <refsect1 id="pam_cracklib-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + This option makes the module write information to + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + indicating the behavior of the module (this option does + not write password information to the log file). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>authtok_type=<replaceable>XXX</replaceable></option> + </term> + <listitem> + <para> + The default action is for the module to use the + following prompts when requesting passwords: + "New UNIX password: " and "Retype UNIX password: ". + The example word <emphasis>UNIX</emphasis> can + be replaced with this option, by default it is empty. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>retry=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Prompt user at most <replaceable>N</replaceable> times + before returning with error. The default is + <emphasis>1</emphasis>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>difok=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + This argument will change the default of + <emphasis>5</emphasis> for the number of character + changes in the new password that differentiate it + from the old password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>minlen=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + The minimum acceptable size for the new password (plus + one if credits are not disabled which is the default). + In addition to the number of characters in the new password, + credit (of +1 in length) is given for each different kind + of character (<emphasis>other</emphasis>, + <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and + <emphasis>digit</emphasis>). The default for this parameter + is <emphasis>9</emphasis> which is good for a old style UNIX + password all of the same type of character but may be too low + to exploit the added security of a md5 system. Note that + there is a pair of length limits in + <emphasis>Cracklib</emphasis> itself, a "way too short" limit + of 4 which is hard coded in and a defined limit (6) that will + be checked without reference to <option>minlen</option>. + If you want to allow passwords as short as 5 characters you + should not use this module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dcredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having digits in + the new password. If you have less than or + <replaceable>N</replaceable> + digits, each digit will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>dcredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of digits that must + be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ucredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having upper + case letters in the new password. If you have less than + or <replaceable>N</replaceable> upper case letters each + letter will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>ucredit</option> is <emphasis>1</emphasis> which + is the recommended value for <option>minlen</option> less + than 10. + </para> + <para> + (N < 0) This is the minimum number of upper + case letters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>lcredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having + lower case letters in the new password. If you have + less than or <replaceable>N</replaceable> lower case + letters, each letter will count +1 towards meeting the + current <option>minlen</option> value. The default for + <option>lcredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of lower + case letters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ocredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having other + characters in the new password. If you have less than or + <replaceable>N</replaceable> other characters, each + character will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>ocredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of other + characters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>minclass=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + The minimum number of required classes of characters for + the new password. The default number is zero. The four + classes are digits, upper and lower letters and other + characters. + The difference to the <option>credit</option> check is + that a specific class if of characters is not required. + Instead <replaceable>N</replaceable> out of four of the + classes are required. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>maxrepeat=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Reject passwords which contain more than N same consecutive + characters. The default is 0 which means that this check + is disabled. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>maxsequence=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Reject passwords which contain monotonic character sequences + longer than N. The default is 0 which means that this check + is disabled. Examples of such sequence are '12345' or 'fedcb'. + Note that most such passwords will not pass the simplicity + check unless the sequence is only a minor part of the password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>maxclassrepeat=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Reject passwords which contain more than N consecutive + characters of the same class. The default is 0 which means + that this check is disabled. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>reject_username</option> + </term> + <listitem> + <para> + Check whether the name of the user in straight or reversed + form is contained in the new password. If it is found the + new password is rejected. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>gecoscheck</option> + </term> + <listitem> + <para> + Check whether the words from the GECOS field (usualy full name + of the user) longer than 3 characters in straight or reversed + form are contained in the new password. If any such word is + found the new password is rejected. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>enforce_for_root</option> + </term> + <listitem> + <para> + The module will return error on failed check also if the user + changing the password is root. This option is off by default + which means that just the message about the failed check is + printed but root can change the password anyway. + Note that root is not asked for an old password so the checks + that compare the old and new password are not performed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>use_authtok</option> + </term> + <listitem> + <para> + This argument is used to <emphasis>force</emphasis> the + module to not prompt the user for a new password but use + the one provided by the previously stacked + <emphasis>password</emphasis> module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dictpath=<replaceable>/path/to/dict</replaceable></option> + </term> + <listitem> + <para> + Path to the cracklib dictionaries. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id="pam_cracklib-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <option>password</option> module type is provided. + </para> + </refsect1> + + <refsect1 id='pam_cracklib-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new password passes all checks. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + No new password was entered, + the username could not be determined or the new + password fails the strength checks. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para> + The old password was not supplied by a previous stacked + module or got not requested from the user. + The first error can happen if <option>use_authtok</option> + is specified. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A internal error occurred. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_cracklib-examples'> + <title>EXAMPLES</title> + <para> + For an example of the use of this module, we show how it may be + stacked with the password component of + <citerefentry> + <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + <programlisting> +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + </programlisting> + </para> + + <para> + Another example (in the <filename>/etc/pam.d/passwd</filename> format) + is for the case that you want to use md5 password encryption: + <programlisting> +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + </programlisting> + </para> + + <para> + And here is another example in case you don't want to use credits: + <programlisting> +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + </programlisting> + </para> + + </refsect1> + + <refsect1 id='pam_cracklib-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_cracklib-author'> + <title>AUTHOR</title> + <para> + pam_cracklib was written by Cristian Gafton <gafton@redhat.com> + </para> + </refsect1> + +</refentry> |