From 8fa87c2931a1f25e4d2a851385b18759f7e6fde9 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Tue, 7 Feb 2006 07:51:13 +0000
Subject: Relevant BUGIDs:

Purpose of commit: new feature

Commit summary:
---------------

2006-02-07  Thorsten Kukuk  <kukuk@thkukuk.de>

        * configure.in: Check for text browser.
        * Make.xml.rules: Add rule to generate README from README.xml.

        * modules/pam_access/Makefile.am: Include Make.xml.rules.
        * modules/pam_access/README: Regenerated from README.xml.
        * modules/pam_access/README.xml: New.
        * modules/pam_access/access.conf: Extended by new examples.
        * modules/pam_access/access.conf.5: New, generated from xml file.
        * modules/pam_access/access.conf.5.xml: New.
        * modules/pam_access/pam_access.8: New, generated from xml file.
        * modules/pam_access/pam_access.8.xml: New.
        * modules/pam_access/pam_access.c: Add rules for IPv6 and
        netmasks.
        Based on patch from Mike Becher <Mike.Becher@lrz-muenchen.de>.

        * modules/pam_deny/Makefile.am: Include Make.xml.rules.
        * modules/pam_deny/pam_deny.8.xml: New.
        * modules/pam_deny/pam_deny.8: New, generated from xml file.
        * modules/pam_deny/README.xml: New.
        * modules/pam_deny/README: Regenerated from xml file.

        * modules/pam_cracklib/Makefile.am: Include Make.xml.rules.
        * modules/pam_cracklib/pam_cracklib.8.xml: New.
        * modules/pam_cracklib/pam_cracklib.8: New, generated from xml file.
        * modules/pam_cracklib/README.xml: New.
        * modules/pam_cracklib/README: Regenerated from xml file.

        * modules/pam_exec/Makefile.am: Add rule to generate README.
        * modules/pam_exec/README: Regenerated from xml file.
        * modules/pam_exec/pam_exec.8: Regenerated from xml file.
        * modules/pam_exec/pam_exec.8.xml: Syntax files.
---
 modules/pam_cracklib/README | 226 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 199 insertions(+), 27 deletions(-)

(limited to 'modules/pam_cracklib/README')

diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README
index eea980eb..756b7f48 100644
--- a/modules/pam_cracklib/README
+++ b/modules/pam_cracklib/README
@@ -1,40 +1,212 @@
+pam_cracklib — PAM module to check the password against dictionary words
 
-pam_cracklib:
-	check the passwd against dictionary words.
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
-RECOGNIZED ARGUMENTS:
-	debug		verbose log
+DESCRIPTION
 
-	type=XXX	alter the message printed as a prompt to the user.
-			the message printed is in the form
-			"New XXX password: ".
-			Default XXX=UNIX
+This module can be plugged into the password stack of a given application to
+provide some plug-in strength-checking for passwords.
 
-	retry=N		Prompt user at most N times before returning with
-			error. Default N=1.
+The action of this module is to prompt the user for a password and check its
+strength against a system dictionary and a set of rules for identifying poor
+choices.
 
-	difok=N         How many characters can be the same in the new
-			password relative to the old
-	difignore=N	How many characters long should the password be
-			before we ignore difok.
+The first action is to prompt for a single password, check its strength and
+then, if it is considered strong, prompt for the password a second time (to
+verify that it was typed correctly on the first occasion). All being well, the
+password is passed on to subsequent modules to be installed as the new
+authentication token.
 
-	minlen=N	The minimum simplicity count for a good password.
+The strength checks works in the following manner: at first the Cracklib
+routine is called to check if the password is part of a dictionary; if this is
+not the case an additional set of strength checks is done. These checks are:
 
-	dcredit=N
-	ucredit=N
-	lcredit=N
-	ocredit=N 	Weight, digits, upper, lower, other characters with
-			count N. Use these values to compute the
-			'unsimplicity' of the password.
+Palindrome
 
-	use_authtok	Get the proposed password from PAM_AUTHTOK
+    Is the new password a palindrome of the old one?
 
-	dictpath=<path> Path to the cracklib dictionaries.
+Case Change Only
 
+    Is the new password the the old one with only a change of case?
 
-MODULE SERVICES PROVIDED:
-	passwd		chauthtok
+Similar
 
-AUTHOR:
-	Cristian Gafton <gafton@redhat.com>
+    Is the new password too much like the old one? This is primarily controlled
+    by one argument, difok which is a number of characters that if different
+    between the old and new are enough to accept the new password, this
+    defaults to 10 or 1/2 the size of the new password whichever is smaller.
+
+    To avoid the lockup associated with trying to change a long and complicated
+    password, difignore is available. This argument can be used to specify the
+    minimum length a new password needs to be before the difok value is
+    ignored. The default value for difignore is 23.
+
+Simple
+
+    Is the new password too small? This is controlled by 5 arguments minlen,
+    dcredit, ucredit, lcredit, and ocredit. See the section on the arguments
+    for the details of how these work and there defaults.
+
+Rotated
+
+    Is the new password a rotated version of the old password?
+
+Already used
+
+    Was the password used in the past? Previously used passwords are to be
+    found in /etc/security/opasswd.
+
+This module with no arguments will work well for standard unix password
+encryption. With md5 encryption, passwords can be longer than 8 characters and
+the default settings for this module can make it hard for the user to choose a
+satisfactory new password. Notably, the requirement that the new password
+contain no more than 1/2 of the characters in the old password becomes a
+non-trivial constraint. For example, an old password of the form "the quick
+brown fox jumped over the lazy dogs" would be difficult to change... In
+addition, the default action is to allow passwords as small as 5 characters in
+length. For a md5 systems it can be a good idea to increase the required
+minimum size of a password. One can then allow more credit for different kinds
+of characters but accept that the new password may share most of these
+characters with the old password.
+
+OPTIONS
+
+debug
+
+    This option makes the module write information to syslog(3) indicating the
+    behavior of the module (this option does not write password information to
+    the log file).
+
+type=XXX
+
+    The default action is for the module to use the following prompts when
+    requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
+    The default word UNIX can be replaced with this option.
+
+retry=N
+
+    Prompt user at most N times before returning with error. The default is 1
+
+difok=N
+
+    This argument will change the default of 5 for the number of characters in
+    the new password that must not be present in the old password. In addition,
+    if 1/2 of the characters in the new password are different then the new
+    password will be accepted anyway.
+
+difignore=N
+
+    How many characters should the password have before difok will be ignored.
+    The default is 23.
+
+minlen=N
+
+    The minimum acceptable size for the new password (plus one if credits are
+    not disabled which is the default). In addition to the number of characters
+    in the new password, credit (of +1 in length) is given for each different
+    kind of character (other, upper, lower and digit). The default for this
+    parameter is 9 which is good for a old style UNIX password all of the same
+    type of character but may be too low to exploit the added security of a md5
+    system. Note that there is a pair of length limits in Cracklib itself, a
+    "way too short" limit of 4 which is hard coded in and a defined limit (6)
+    that will be checked without reference to minlen. If you want to allow
+    passwords as short as 5 characters you should not use this module.
+
+dcredit=N
+
+    (N >= 0) This is the maximum credit for having digits in the new password.
+    If you have less than or N digits, each digit will count +1 towards meeting
+    the current minlen value. The default for dcredit is 1 which is the
+    recommended value for minlen less than 10.
+
+    (N < 0) This is the minimum number of digits that must be met for a new
+    password.
+
+ucredit=N
+
+    (N >= 0) This is the maximum credit for having upper case letters in the
+    new password. If you have less than or N upper case letters each letter
+    will count +1 towards meeting the current minlen value. The default for
+    ucredit is 1 which is the recommended value for minlen less than 10.
+
+    (N > 0) This is the minimum number of upper case letters that must be met
+    for a new password.
+
+lcredit=N
+
+    (N >= 0) This is the maximum credit for having lower case letters in the
+    new password. If you have less than or N lower case letters, each letter
+    will count +1 towards meeting the current minlen value. The default for
+    lcredit is 1 which is the recommended value for minlen less than 10.
+
+    (N < 0) This is the minimum number of lower case letters that must be met
+    for a new password.
+
+ocredit=N
+
+    (N >= 0) This is the maximum credit for having other characters in the new
+    password. If you have less than or N other characters, each character will
+    count +1 towards meeting the current minlen value. The default for ocredit
+    is 1 which is the recommended value for minlen less than 10.
+
+    (N < 0) This is the minimum number of other characters that must be met for
+    a new password.
+
+use_authtok
+
+    This argument is used to force the module to not prompt the user for a new
+    password but use the one provided by the previously stacked password
+    module.
+
+dictpath=/path/to/dict
+
+    Path to the cracklib dictionaries.
+
+EXAMPLES
+
+For an example of the use of this module, we show how it may be stacked with
+the password component of pam_unix(8)
+
+#
+# These lines stack two password type modules. In this example the
+# user is given 3 opportunities to enter a strong password. The
+# "use_authtok" argument ensures that the pam_unix module does not
+# prompt for a password, but instead uses the one provided by
+# pam_cracklib.
+#
+passwd  password required       pam_cracklib.so retry=3
+passwd  password required       pam_unix.so use_authtok
+
+
+Another example (in the /etc/pam.d/passwd format) is for the case that you want
+to use md5 password encryption:
+
+#%PAM-1.0
+#
+# These lines allow a md5 systems to support passwords of at least 14
+# bytes with extra credit of 2 for digits and 2 for others the new
+# password must have at least three bytes that are not present in the
+# old password
+#
+password  required pam_cracklib.so \
+               difok=3 minlen=15 dcredit= 2 ocredit=2
+password  required pam_unix.so use_authtok nullok md5
+
+
+And here is another example in case you don't want to use credits:
+
+#%PAM-1.0
+#
+# These lines require the user to select a password with a minimum
+# length of 8 and with at least 1 digit number, 1 upper case letter,
+# and 1 other character
+#
+password  required pam_cracklib.so \
+               dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
+password  required pam_pwdb.so use_authtok nullok md5
+
+
+AUTHOR
+
+pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
 
-- 
cgit v1.2.3