From de848d9e9146434817c65d74d1d0313e9d729462 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 14:01:37 +0200 Subject: Adding upstream version 1.4.0. Signed-off-by: Daniel Baumann --- modules/pam_cracklib/pam_cracklib.8.xml | 592 ++++++++++++++++++++++++++++++++ 1 file changed, 592 insertions(+) create mode 100644 modules/pam_cracklib/pam_cracklib.8.xml (limited to 'modules/pam_cracklib/pam_cracklib.8.xml') diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml new file mode 100644 index 0000000..75e44e2 --- /dev/null +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -0,0 +1,592 @@ + + + + + + + pam_cracklib + 8 + Linux-PAM Manual + + + + pam_cracklib + PAM module to check the password against dictionary words + + + + + pam_cracklib.so + + ... + + + + + + + DESCRIPTION + + + This module can be plugged into the password stack of + a given application to provide some plug-in strength-checking for passwords. + + + + The action of this module is to prompt the user for a password and + check its strength against a system dictionary and a set of rules for + identifying poor choices. + + + + The first action is to prompt for a single password, check its + strength and then, if it is considered strong, prompt for the password + a second time (to verify that it was typed correctly on the first + occasion). All being well, the password is passed on to subsequent + modules to be installed as the new authentication token. + + + + The strength checks works in the following manner: at first the + Cracklib routine is called to check if the password + is part of a dictionary; if this is not the case an additional set of + strength checks is done. These checks are: + + + + + Palindrome + + + Is the new password a palindrome? + + + + + Case Change Only + + + Is the new password the old one with only a change of case? + + + + + Similar + + + Is the new password too much like the old one? + This is primarily controlled by one argument, + which is a number of character changes + (inserts, removals, or replacements) between the old and new + password that are enough to accept the new password. + This defaults to 5 changes. + + + + + Simple + + + Is the new password too small? + This is controlled by 6 arguments , + , + , , + , and . See the section + on the arguments for the details of how these work and there defaults. + + + + + Rotated + + + Is the new password a rotated version of the old password? + + + + + Same consecutive characters + + + Optional check for same consecutive characters. + + + + + Too long monotonic character sequence + + + Optional check for too long monotonic character sequence. + + + + + Contains user name + + + Optional check whether the password contains the user's name + in some form. + + + + + + This module with no arguments will work well for standard unix + password encryption. With md5 encryption, passwords can be longer + than 8 characters and the default settings for this module can make it + hard for the user to choose a satisfactory new password. Notably, the + requirement that the new password contain no more than 1/2 of the + characters in the old password becomes a non-trivial constraint. For + example, an old password of the form "the quick brown fox jumped over + the lazy dogs" would be difficult to change... In addition, the + default action is to allow passwords as small as 5 characters in + length. For a md5 systems it can be a good idea to increase the + required minimum size of a password. One can then allow more credit + for different kinds of characters but accept that the new password may + share most of these characters with the old password. + + + + + + + OPTIONS + + + + + + + + + + This option makes the module write information to + + syslog3 + + indicating the behavior of the module (this option does + not write password information to the log file). + + + + + + + + + + + The default action is for the module to use the + following prompts when requesting passwords: + "New UNIX password: " and "Retype UNIX password: ". + The example word UNIX can + be replaced with this option, by default it is empty. + + + + + + + + + + + Prompt user at most N times + before returning with error. The default is + 1. + + + + + + + + + + + This argument will change the default of + 5 for the number of character + changes in the new password that differentiate it + from the old password. + + + + + + + + + + + The minimum acceptable size for the new password (plus + one if credits are not disabled which is the default). + In addition to the number of characters in the new password, + credit (of +1 in length) is given for each different kind + of character (other, + upper, lower and + digit). The default for this parameter + is 9 which is good for a old style UNIX + password all of the same type of character but may be too low + to exploit the added security of a md5 system. Note that + there is a pair of length limits in + Cracklib itself, a "way too short" limit + of 4 which is hard coded in and a defined limit (6) that will + be checked without reference to . + If you want to allow passwords as short as 5 characters you + should not use this module. + + + + + + + + + + + (N >= 0) This is the maximum credit for having digits in + the new password. If you have less than or + N + digits, each digit will count +1 towards meeting the current + value. The default for + is 1 which is the recommended + value for less than 10. + + + (N < 0) This is the minimum number of digits that must + be met for a new password. + + + + + + + + + + + (N >= 0) This is the maximum credit for having upper + case letters in the new password. If you have less than + or N upper case letters each + letter will count +1 towards meeting the current + value. The default for + is 1 which + is the recommended value for less + than 10. + + + (N < 0) This is the minimum number of upper + case letters that must be met for a new password. + + + + + + + + + + + (N >= 0) This is the maximum credit for having + lower case letters in the new password. If you have + less than or N lower case + letters, each letter will count +1 towards meeting the + current value. The default for + is 1 which is the recommended + value for less than 10. + + + (N < 0) This is the minimum number of lower + case letters that must be met for a new password. + + + + + + + + + + + (N >= 0) This is the maximum credit for having other + characters in the new password. If you have less than or + N other characters, each + character will count +1 towards meeting the current + value. The default for + is 1 which is the recommended + value for less than 10. + + + (N < 0) This is the minimum number of other + characters that must be met for a new password. + + + + + + + + + + + The minimum number of required classes of characters for + the new password. The default number is zero. The four + classes are digits, upper and lower letters and other + characters. + The difference to the check is + that a specific class if of characters is not required. + Instead N out of four of the + classes are required. + + + + + + + + + + + Reject passwords which contain more than N same consecutive + characters. The default is 0 which means that this check + is disabled. + + + + + + + + + + + Reject passwords which contain monotonic character sequences + longer than N. The default is 0 which means that this check + is disabled. Examples of such sequence are '12345' or 'fedcb'. + Note that most such passwords will not pass the simplicity + check unless the sequence is only a minor part of the password. + + + + + + + + + + + Reject passwords which contain more than N consecutive + characters of the same class. The default is 0 which means + that this check is disabled. + + + + + + + + + + + Check whether the name of the user in straight or reversed + form is contained in the new password. If it is found the + new password is rejected. + + + + + + + + + + + Check whether the words from the GECOS field (usually full name + of the user) longer than 3 characters in straight or reversed + form are contained in the new password. If any such word is + found the new password is rejected. + + + + + + + + + + + The module will return error on failed check also if the user + changing the password is root. This option is off by default + which means that just the message about the failed check is + printed but root can change the password anyway. + Note that root is not asked for an old password so the checks + that compare the old and new password are not performed. + + + + + + + + + + + This argument is used to force the + module to not prompt the user for a new password but use + the one provided by the previously stacked + password module. + + + + + + + + + + + Path to the cracklib dictionaries. + + + + + + + + + + MODULE TYPES PROVIDED + + Only the module type is provided. + + + + + RETURN VALUES + + + + + PAM_SUCCESS + + + The new password passes all checks. + + + + + + PAM_AUTHTOK_ERR + + + No new password was entered, + the username could not be determined or the new + password fails the strength checks. + + + + + + PAM_AUTHTOK_RECOVERY_ERR + + + The old password was not supplied by a previous stacked + module or got not requested from the user. + The first error can happen if + is specified. + + + + + + PAM_SERVICE_ERR + + + A internal error occurred. + + + + + + + + + + EXAMPLES + + For an example of the use of this module, we show how it may be + stacked with the password component of + + pam_unix8 + + +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + + + + + Another example (in the /etc/pam.d/passwd format) + is for the case that you want to use md5 password encryption: + +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + + + + + And here is another example in case you don't want to use credits: + +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + + + + + + + SEE ALSO + + + pam.conf5 + , + + pam.d5 + , + + pam8 + + + + + + AUTHOR + + pam_cracklib was written by Cristian Gafton <gafton@redhat.com> + + + + -- cgit v1.2.3