diff options
Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
| -rw-r--r-- | modules/pam_cracklib/pam_cracklib.8.xml | 513 |
1 files changed, 513 insertions, 0 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml new file mode 100644 index 00000000..589e7b44 --- /dev/null +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -0,0 +1,513 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_cracklib"> + + <refmeta> + <refentrytitle>pam_cracklib</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_cracklib-name"> + <refname>pam_cracklib</refname> + <refpurpose>PAM module to check the password against dictionary words</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_cracklib-cmdsynopsis"> + <command>pam_cracklib.so</command> + <arg choice="opt"> + <replaceable>...</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_cracklib-description"> + + <title>DESCRIPTION</title> + + <para> + This module can be plugged into the <emphasis>password</emphasis> stack of + a given application to provide some plug-in strength-checking for passwords. + </para> + + <para> + The action of this module is to prompt the user for a password and + check its strength against a system dictionary and a set of rules for + identifying poor choices. + </para> + + <para> + The first action is to prompt for a single password, check its + strength and then, if it is considered strong, prompt for the password + a second time (to verify that it was typed correctly on the first + occasion). All being well, the password is passed on to subsequent + modules to be installed as the new authentication token. + </para> + + <para> + The strength checks works in the following manner: at first the + <function>Cracklib</function> routine is called to check if the password + is part of a dictionary; if this is not the case an additional set of + strength checks is done. These checks are: + </para> + + <variablelist> + <varlistentry> + <term>Palindrome</term> + <listitem> + <para> + Is the new password a palindrome of the old one? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Case Change Only</term> + <listitem> + <para> + Is the new password the the old one with only a change of case? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Similar</term> + <listitem> + <para> + Is the new password too much like the old one? + This is primarily controlled by one argument, + <option>difok</option> which is a number of characters + that if different between the old and new are enough to accept + the new password, this defaults to 10 or 1/2 the size of the + new password whichever is smaller. + </para> + <para> + To avoid the lockup associated with trying to change a long and + complicated password, <option>difignore</option> is available. + This argument can be used to specify the minimum length a new + password needs to be before the <option>difok</option> value is + ignored. The default value for <option>difignore</option> is 23. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Simple</term> + <listitem> + <para> + Is the new password too small? + This is controlled by 5 arguments <option>minlen</option>, + <option>dcredit</option>, <option>ucredit</option>, + <option>lcredit</option>, and <option>ocredit</option>. See the section + on the arguments for the details of how these work and there defaults. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Rotated</term> + <listitem> + <para> + Is the new password a rotated version of the old password? + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>Already used</term> + <listitem> + <para> + Was the password used in the past? Previously used passwords + are to be found in <filename>/etc/security/opasswd</filename>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + This module with no arguments will work well for standard unix + password encryption. With md5 encryption, passwords can be longer + than 8 characters and the default settings for this module can make it + hard for the user to choose a satisfactory new password. Notably, the + requirement that the new password contain no more than 1/2 of the + characters in the old password becomes a non-trivial constraint. For + example, an old password of the form "the quick brown fox jumped over + the lazy dogs" would be difficult to change... In addition, the + default action is to allow passwords as small as 5 characters in + length. For a md5 systems it can be a good idea to increase the + required minimum size of a password. One can then allow more credit + for different kinds of characters but accept that the new password may + share most of these characters with the old password. + </para> + + </refsect1> + + <refsect1 id="pam_cracklib-options"> + + <title>OPTIONS</title> + <para> + <variablelist> + + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + This option makes the module write information to + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + indicating the behavior of the module (this option does + not write password information to the log file). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>type=<replaceable>XXX</replaceable></option> + </term> + <listitem> + <para> + The default action is for the module to use the + following prompts when requesting passwords: + "New UNIX password: " and "Retype UNIX password: ". + The default word <emphasis>UNIX</emphasis> can + be replaced with this option. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>retry=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Prompt user at most <replaceable>N</replaceable> times + before returning with error. The default is + <emphasis>1</emphasis> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>difok=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + This argument will change the default of + <emphasis>5</emphasis> for the number of characters in + the new password that must not be present in the old + password. In addition, if 1/2 of the characters in the + new password are different then the new password will + be accepted anyway. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>difignore=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + How many characters should the password have before + difok will be ignored. The default is + <emphasis>23</emphasis>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>minlen=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + The minimum acceptable size for the new password (plus + one if credits are not disabled which is the default). + In addition to the number of characters in the new password, + credit (of +1 in length) is given for each different kind + of character (<emphasis>other</emphasis>, + <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and + <emphasis>digit</emphasis>). The default for this parameter + is <emphasis>9</emphasis> which is good for a old style UNIX + password all of the same type of character but may be too low + to exploit the added security of a md5 system. Note that + there is a pair of length limits in + <emphasis>Cracklib</emphasis> itself, a "way too short" limit + of 4 which is hard coded in and a defined limit (6) that will + be checked without reference to <option>minlen</option>. + If you want to allow passwords as short as 5 characters you + should not use this module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dcredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having digits in + the new password. If you have less than or + <replaceable>N</replaceable> + digits, each digit will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>dcredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of digits that must + be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ucredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having upper + case letters in the new password. If you have less than + or <replaceable>N</replaceable> upper case letters each + letter will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>ucredit</option> is <emphasis>1</emphasis> which + is the recommended value for <option>minlen</option> less + than 10. + </para> + <para> + (N > 0) This is the minimum number of upper + case letters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>lcredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having + lower case letters in the new password. If you have + less than or <replaceable>N</replaceable> lower case + letters, each letter will count +1 towards meeting the + current <option>minlen</option> value. The default for + <option>lcredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of lower + case letters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>ocredit=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + (N >= 0) This is the maximum credit for having other + characters in the new password. If you have less than or + <replaceable>N</replaceable> other characters, each + character will count +1 towards meeting the current + <option>minlen</option> value. The default for + <option>ocredit</option> is 1 which is the recommended + value for <option>minlen</option> less than 10. + </para> + <para> + (N < 0) This is the minimum number of other + characters that must be met for a new password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>minclass=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + The minimum number of required classes of characters for + the new password. The default number is zero. The four + classes are digits, upper and lower letters and other + characters. + The difference to the <option>credit</option> check is + that a specific class if of characters is not required. + Instead <replaceable>N</replaceable> out of four of the + classes are required. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>use_authtok</option> + </term> + <listitem> + <para> + This argument is used to <emphasis>force</emphasis> the + module to not prompt the user for a new password but use + the one provided by the previously stacked + <emphasis>password</emphasis> module. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>dictpath=<replaceable>/path/to/dict</replaceable></option> + </term> + <listitem> + <para> + Path to the cracklib dictionaries. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id="pam_cracklib-services"> + <title>MODULE SERVICES PROVIDED</title> + <para> + Only he <option>password</option> service is supported. + </para> + </refsect1> + + <refsect1 id='pam_cracklib-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The new password passes all checks. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + No new password was entered, + the username could not be determined or the new + password fails the strength checks. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para> + The old password was not supplied by a previous stacked + module or got not requested from the user. + The first error can happen if <option>use_authtok</option> + is specified. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + A internal error occured. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_cracklib-examples'> + <title>EXAMPLES</title> + <para> + For an example of the use of this module, we show how it may be + stacked with the password component of + <citerefentry> + <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + <programlisting> +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_unix module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_unix.so use_authtok + </programlisting> + </para> + + <para> + Another example (in the <filename>/etc/pam.d/passwd</filename> format) + is for the case that you want to use md5 password encryption: + <programlisting> +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_unix.so use_authtok nullok md5 + </programlisting> + </para> + + <para> + And here is another example in case you don't want to use credits: + <programlisting> +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_unix.so use_authtok nullok md5 + </programlisting> + </para> + + </refsect1> + + <refsect1 id='pam_cracklib-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_cracklib-author'> + <title>AUTHOR</title> + <para> + pam_cracklib was written by Cristian Gafton <gafton@redhat.com> + </para> + </refsect1> + +</refentry> |