diff options
Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
| -rw-r--r-- | modules/pam_cracklib/pam_cracklib.8.xml | 592 |
1 files changed, 0 insertions, 592 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml deleted file mode 100644 index 75e44e2d..00000000 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ /dev/null @@ -1,592 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_cracklib"> - - <refmeta> - <refentrytitle>pam_cracklib</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_cracklib-name"> - <refname>pam_cracklib</refname> - <refpurpose>PAM module to check the password against dictionary words</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis id="pam_cracklib-cmdsynopsis"> - <command>pam_cracklib.so</command> - <arg choice="opt"> - <replaceable>...</replaceable> - </arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1 id="pam_cracklib-description"> - - <title>DESCRIPTION</title> - - <para> - This module can be plugged into the <emphasis>password</emphasis> stack of - a given application to provide some plug-in strength-checking for passwords. - </para> - - <para> - The action of this module is to prompt the user for a password and - check its strength against a system dictionary and a set of rules for - identifying poor choices. - </para> - - <para> - The first action is to prompt for a single password, check its - strength and then, if it is considered strong, prompt for the password - a second time (to verify that it was typed correctly on the first - occasion). All being well, the password is passed on to subsequent - modules to be installed as the new authentication token. - </para> - - <para> - The strength checks works in the following manner: at first the - <function>Cracklib</function> routine is called to check if the password - is part of a dictionary; if this is not the case an additional set of - strength checks is done. These checks are: - </para> - - <variablelist> - <varlistentry> - <term>Palindrome</term> - <listitem> - <para> - Is the new password a palindrome? - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Case Change Only</term> - <listitem> - <para> - Is the new password the old one with only a change of case? - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Similar</term> - <listitem> - <para> - Is the new password too much like the old one? - This is primarily controlled by one argument, - <option>difok</option> which is a number of character changes - (inserts, removals, or replacements) between the old and new - password that are enough to accept the new password. - This defaults to 5 changes. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Simple</term> - <listitem> - <para> - Is the new password too small? - This is controlled by 6 arguments <option>minlen</option>, - <option>maxclassrepeat</option>, - <option>dcredit</option>, <option>ucredit</option>, - <option>lcredit</option>, and <option>ocredit</option>. See the section - on the arguments for the details of how these work and there defaults. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Rotated</term> - <listitem> - <para> - Is the new password a rotated version of the old password? - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Same consecutive characters</term> - <listitem> - <para> - Optional check for same consecutive characters. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Too long monotonic character sequence</term> - <listitem> - <para> - Optional check for too long monotonic character sequence. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Contains user name</term> - <listitem> - <para> - Optional check whether the password contains the user's name - in some form. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - This module with no arguments will work well for standard unix - password encryption. With md5 encryption, passwords can be longer - than 8 characters and the default settings for this module can make it - hard for the user to choose a satisfactory new password. Notably, the - requirement that the new password contain no more than 1/2 of the - characters in the old password becomes a non-trivial constraint. For - example, an old password of the form "the quick brown fox jumped over - the lazy dogs" would be difficult to change... In addition, the - default action is to allow passwords as small as 5 characters in - length. For a md5 systems it can be a good idea to increase the - required minimum size of a password. One can then allow more credit - for different kinds of characters but accept that the new password may - share most of these characters with the old password. - </para> - - </refsect1> - - <refsect1 id="pam_cracklib-options"> - - <title>OPTIONS</title> - <para> - <variablelist> - - <varlistentry> - <term> - <option>debug</option> - </term> - <listitem> - <para> - This option makes the module write information to - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - indicating the behavior of the module (this option does - not write password information to the log file). - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>authtok_type=<replaceable>XXX</replaceable></option> - </term> - <listitem> - <para> - The default action is for the module to use the - following prompts when requesting passwords: - "New UNIX password: " and "Retype UNIX password: ". - The example word <emphasis>UNIX</emphasis> can - be replaced with this option, by default it is empty. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>retry=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Prompt user at most <replaceable>N</replaceable> times - before returning with error. The default is - <emphasis>1</emphasis>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>difok=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - This argument will change the default of - <emphasis>5</emphasis> for the number of character - changes in the new password that differentiate it - from the old password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>minlen=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - The minimum acceptable size for the new password (plus - one if credits are not disabled which is the default). - In addition to the number of characters in the new password, - credit (of +1 in length) is given for each different kind - of character (<emphasis>other</emphasis>, - <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and - <emphasis>digit</emphasis>). The default for this parameter - is <emphasis>9</emphasis> which is good for a old style UNIX - password all of the same type of character but may be too low - to exploit the added security of a md5 system. Note that - there is a pair of length limits in - <emphasis>Cracklib</emphasis> itself, a "way too short" limit - of 4 which is hard coded in and a defined limit (6) that will - be checked without reference to <option>minlen</option>. - If you want to allow passwords as short as 5 characters you - should not use this module. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>dcredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having digits in - the new password. If you have less than or - <replaceable>N</replaceable> - digits, each digit will count +1 towards meeting the current - <option>minlen</option> value. The default for - <option>dcredit</option> is 1 which is the recommended - value for <option>minlen</option> less than 10. - </para> - <para> - (N < 0) This is the minimum number of digits that must - be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>ucredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having upper - case letters in the new password. If you have less than - or <replaceable>N</replaceable> upper case letters each - letter will count +1 towards meeting the current - <option>minlen</option> value. The default for - <option>ucredit</option> is <emphasis>1</emphasis> which - is the recommended value for <option>minlen</option> less - than 10. - </para> - <para> - (N < 0) This is the minimum number of upper - case letters that must be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>lcredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having - lower case letters in the new password. If you have - less than or <replaceable>N</replaceable> lower case - letters, each letter will count +1 towards meeting the - current <option>minlen</option> value. The default for - <option>lcredit</option> is 1 which is the recommended - value for <option>minlen</option> less than 10. - </para> - <para> - (N < 0) This is the minimum number of lower - case letters that must be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>ocredit=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - (N >= 0) This is the maximum credit for having other - characters in the new password. If you have less than or - <replaceable>N</replaceable> other characters, each - character will count +1 towards meeting the current - <option>minlen</option> value. The default for - <option>ocredit</option> is 1 which is the recommended - value for <option>minlen</option> less than 10. - </para> - <para> - (N < 0) This is the minimum number of other - characters that must be met for a new password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>minclass=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - The minimum number of required classes of characters for - the new password. The default number is zero. The four - classes are digits, upper and lower letters and other - characters. - The difference to the <option>credit</option> check is - that a specific class if of characters is not required. - Instead <replaceable>N</replaceable> out of four of the - classes are required. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>maxrepeat=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Reject passwords which contain more than N same consecutive - characters. The default is 0 which means that this check - is disabled. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>maxsequence=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Reject passwords which contain monotonic character sequences - longer than N. The default is 0 which means that this check - is disabled. Examples of such sequence are '12345' or 'fedcb'. - Note that most such passwords will not pass the simplicity - check unless the sequence is only a minor part of the password. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>maxclassrepeat=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - Reject passwords which contain more than N consecutive - characters of the same class. The default is 0 which means - that this check is disabled. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>reject_username</option> - </term> - <listitem> - <para> - Check whether the name of the user in straight or reversed - form is contained in the new password. If it is found the - new password is rejected. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>gecoscheck</option> - </term> - <listitem> - <para> - Check whether the words from the GECOS field (usually full name - of the user) longer than 3 characters in straight or reversed - form are contained in the new password. If any such word is - found the new password is rejected. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>enforce_for_root</option> - </term> - <listitem> - <para> - The module will return error on failed check also if the user - changing the password is root. This option is off by default - which means that just the message about the failed check is - printed but root can change the password anyway. - Note that root is not asked for an old password so the checks - that compare the old and new password are not performed. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>use_authtok</option> - </term> - <listitem> - <para> - This argument is used to <emphasis>force</emphasis> the - module to not prompt the user for a new password but use - the one provided by the previously stacked - <emphasis>password</emphasis> module. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>dictpath=<replaceable>/path/to/dict</replaceable></option> - </term> - <listitem> - <para> - Path to the cracklib dictionaries. - </para> - </listitem> - </varlistentry> - - </variablelist> - </para> - </refsect1> - - <refsect1 id="pam_cracklib-types"> - <title>MODULE TYPES PROVIDED</title> - <para> - Only the <option>password</option> module type is provided. - </para> - </refsect1> - - <refsect1 id='pam_cracklib-return_values'> - <title>RETURN VALUES</title> - <para> - <variablelist> - - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The new password passes all checks. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_AUTHTOK_ERR</term> - <listitem> - <para> - No new password was entered, - the username could not be determined or the new - password fails the strength checks. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_AUTHTOK_RECOVERY_ERR</term> - <listitem> - <para> - The old password was not supplied by a previous stacked - module or got not requested from the user. - The first error can happen if <option>use_authtok</option> - is specified. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_SERVICE_ERR</term> - <listitem> - <para> - A internal error occurred. - </para> - </listitem> - </varlistentry> - - </variablelist> - </para> - </refsect1> - - <refsect1 id='pam_cracklib-examples'> - <title>EXAMPLES</title> - <para> - For an example of the use of this module, we show how it may be - stacked with the password component of - <citerefentry> - <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - <programlisting> -# -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib. -# -passwd password required pam_cracklib.so retry=3 -passwd password required pam_unix.so use_authtok - </programlisting> - </para> - - <para> - Another example (in the <filename>/etc/pam.d/passwd</filename> format) - is for the case that you want to use md5 password encryption: - <programlisting> -#%PAM-1.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib.so \ - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix.so use_authtok nullok md5 - </programlisting> - </para> - - <para> - And here is another example in case you don't want to use credits: - <programlisting> -#%PAM-1.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib.so \ - dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 - </programlisting> - </para> - - </refsect1> - - <refsect1 id='pam_cracklib-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_cracklib-author'> - <title>AUTHOR</title> - <para> - pam_cracklib was written by Cristian Gafton <gafton@redhat.com> - </para> - </refsect1> - -</refentry> |