diff options
Diffstat (limited to 'modules/pam_cracklib/README')
-rw-r--r-- | modules/pam_cracklib/README | 254 |
1 files changed, 254 insertions, 0 deletions
diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README new file mode 100644 index 0000000..d074516 --- /dev/null +++ b/modules/pam_cracklib/README @@ -0,0 +1,254 @@ +pam_cracklib — PAM module to check the password against dictionary words + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +This module can be plugged into the password stack of a given application to +provide some plug-in strength-checking for passwords. + +The action of this module is to prompt the user for a password and check its +strength against a system dictionary and a set of rules for identifying poor +choices. + +The first action is to prompt for a single password, check its strength and +then, if it is considered strong, prompt for the password a second time (to +verify that it was typed correctly on the first occasion). All being well, the +password is passed on to subsequent modules to be installed as the new +authentication token. + +The strength checks works in the following manner: at first the Cracklib +routine is called to check if the password is part of a dictionary; if this is +not the case an additional set of strength checks is done. These checks are: + +Palindrome + + Is the new password a palindrome? + +Case Change Only + + Is the new password the old one with only a change of case? + +Similar + + Is the new password too much like the old one? This is primarily controlled + by one argument, difok which is a number of character changes (inserts, + removals, or replacements) between the old and new password that are enough + to accept the new password. This defaults to 5 changes. + +Simple + + Is the new password too small? This is controlled by 6 arguments minlen, + maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on + the arguments for the details of how these work and there defaults. + +Rotated + + Is the new password a rotated version of the old password? + +Same consecutive characters + + Optional check for same consecutive characters. + +Too long monotonic character sequence + + Optional check for too long monotonic character sequence. + +Contains user name + + Optional check whether the password contains the user's name in some form. + +This module with no arguments will work well for standard unix password +encryption. With md5 encryption, passwords can be longer than 8 characters and +the default settings for this module can make it hard for the user to choose a +satisfactory new password. Notably, the requirement that the new password +contain no more than 1/2 of the characters in the old password becomes a +non-trivial constraint. For example, an old password of the form "the quick +brown fox jumped over the lazy dogs" would be difficult to change... In +addition, the default action is to allow passwords as small as 5 characters in +length. For a md5 systems it can be a good idea to increase the required +minimum size of a password. One can then allow more credit for different kinds +of characters but accept that the new password may share most of these +characters with the old password. + +OPTIONS + +debug + + This option makes the module write information to syslog(3) indicating the + behavior of the module (this option does not write password information to + the log file). + +authtok_type=XXX + + The default action is for the module to use the following prompts when + requesting passwords: "New UNIX password: " and "Retype UNIX password: ". + The example word UNIX can be replaced with this option, by default it is + empty. + +retry=N + + Prompt user at most N times before returning with error. The default is 1. + +difok=N + + This argument will change the default of 5 for the number of character + changes in the new password that differentiate it from the old password. + +minlen=N + + The minimum acceptable size for the new password (plus one if credits are + not disabled which is the default). In addition to the number of characters + in the new password, credit (of +1 in length) is given for each different + kind of character (other, upper, lower and digit). The default for this + parameter is 9 which is good for a old style UNIX password all of the same + type of character but may be too low to exploit the added security of a md5 + system. Note that there is a pair of length limits in Cracklib itself, a + "way too short" limit of 4 which is hard coded in and a defined limit (6) + that will be checked without reference to minlen. If you want to allow + passwords as short as 5 characters you should not use this module. + +dcredit=N + + (N >= 0) This is the maximum credit for having digits in the new password. + If you have less than or N digits, each digit will count +1 towards meeting + the current minlen value. The default for dcredit is 1 which is the + recommended value for minlen less than 10. + + (N < 0) This is the minimum number of digits that must be met for a new + password. + +ucredit=N + + (N >= 0) This is the maximum credit for having upper case letters in the + new password. If you have less than or N upper case letters each letter + will count +1 towards meeting the current minlen value. The default for + ucredit is 1 which is the recommended value for minlen less than 10. + + (N < 0) This is the minimum number of upper case letters that must be met + for a new password. + +lcredit=N + + (N >= 0) This is the maximum credit for having lower case letters in the + new password. If you have less than or N lower case letters, each letter + will count +1 towards meeting the current minlen value. The default for + lcredit is 1 which is the recommended value for minlen less than 10. + + (N < 0) This is the minimum number of lower case letters that must be met + for a new password. + +ocredit=N + + (N >= 0) This is the maximum credit for having other characters in the new + password. If you have less than or N other characters, each character will + count +1 towards meeting the current minlen value. The default for ocredit + is 1 which is the recommended value for minlen less than 10. + + (N < 0) This is the minimum number of other characters that must be met for + a new password. + +minclass=N + + The minimum number of required classes of characters for the new password. + The default number is zero. The four classes are digits, upper and lower + letters and other characters. The difference to the credit check is that a + specific class if of characters is not required. Instead N out of four of + the classes are required. + +maxrepeat=N + + Reject passwords which contain more than N same consecutive characters. The + default is 0 which means that this check is disabled. + +maxsequence=N + + Reject passwords which contain monotonic character sequences longer than N. + The default is 0 which means that this check is disabled. Examples of such + sequence are '12345' or 'fedcb'. Note that most such passwords will not + pass the simplicity check unless the sequence is only a minor part of the + password. + +maxclassrepeat=N + + Reject passwords which contain more than N consecutive characters of the + same class. The default is 0 which means that this check is disabled. + +reject_username + + Check whether the name of the user in straight or reversed form is + contained in the new password. If it is found the new password is rejected. + +gecoscheck + + Check whether the words from the GECOS field (usually full name of the + user) longer than 3 characters in straight or reversed form are contained + in the new password. If any such word is found the new password is + rejected. + +enforce_for_root + + The module will return error on failed check also if the user changing the + password is root. This option is off by default which means that just the + message about the failed check is printed but root can change the password + anyway. Note that root is not asked for an old password so the checks that + compare the old and new password are not performed. + +use_authtok + + This argument is used to force the module to not prompt the user for a new + password but use the one provided by the previously stacked password + module. + +dictpath=/path/to/dict + + Path to the cracklib dictionaries. + +EXAMPLES + +For an example of the use of this module, we show how it may be stacked with +the password component of pam_unix(8) + +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + + +Another example (in the /etc/pam.d/passwd format) is for the case that you want +to use md5 password encryption: + +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + + +And here is another example in case you don't want to use credits: + +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + + +AUTHOR + +pam_cracklib was written by Cristian Gafton <gafton@redhat.com> + |