1.\" Copyright (c) 2000-2003,2005,2008 Solar Designer. 2.\" All rights reserved. 3.\" Copyright (c) 2001 Networks Associates Technology, Inc. 4.\" All rights reserved. 5.\" 6.\" Portions of this software were developed for the FreeBSD Project by 7.\" ThinkSec AS and NAI Labs, the Security Research Division of Network 8.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 9.\" ("CBOSS"), as part of the DARPA CHATS research program. 10.\" 11.\" Redistribution and use in source and binary forms, with or without 12.\" modification, are permitted provided that the following conditions 13.\" are met: 14.\" 1. Redistributions of source code must retain the above copyright 15.\" notice, this list of conditions and the following disclaimer. 16.\" 2. Redistributions in binary form must reproduce the above copyright 17.\" notice, this list of conditions and the following disclaimer in the 18.\" documentation and/or other materials provided with the distribution. 19.\" 3. The name of the author may not be used to endorse or promote 20.\" products derived from this software without specific prior written 21.\" permission. 22.\" 23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33.\" SUCH DAMAGE. 34.\" 35.\" $FreeBSD: src/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8,v 1.4 2002/05/30 14:49:57 ru Exp $ 36.\" $Owl: Owl/packages/pam_passwdqc/pam_passwdqc/pam_passwdqc.8,v 1.11 2008/02/12 20:33:09 solar Exp $ 37.\" 38.Dd February 12, 2008 39.Dt PAM_PASSWDQC 8 40.Os 41.Sh NAME 42.Nm pam_passwdqc 43.Nd Password quality-control PAM module 44.Sh SYNOPSIS 45.Op Ar service-name 46.Ar module-type 47.Ar control-flag 48.Pa pam_passwdqc 49.Op Ar options 50.Sh DESCRIPTION 51The 52.Nm 53module is a simple password strength checking module for 54PAM. 55In addition to checking regular passwords, it offers support for 56passphrases and can provide randomly generated ones. 57.Pp 58The 59.Nm 60module provides functionality for only one PAM management group: 61password changing. 62In terms of the 63.Ar module-type 64parameter, this is the 65.Dq Li password 66feature. 67.Pp 68The 69.Fn pam_chauthtok 70service function may ask the user for a new password, and verify that 71it meets certain minimum standards. 72If the chosen password is unsatisfactory, the service function returns 73.Dv PAM_AUTHTOK_ERR . 74.Pp 75The following options may be passed to the module: 76.Bl -tag -width indent 77.It Xo 78.Sm off 79.Cm min No = Ar N0 , N1 , N2 , N3 , N4 80.Sm on 81.Xc 82.Sm off 83.Pq Cm min No = Cm disabled , No 24 , 11 , 8 , 7 84.Sm on 85The minimum allowed password lengths for different kinds of 86passwords/passphrases. 87The keyword 88.Cm disabled 89can be used to 90disallow passwords of a given kind regardless of their length. 91Each subsequent number is required to be no larger than the preceding 92one. 93.Pp 94.Ar N0 95is used for passwords consisting of characters from one character 96class only. 97The character classes are: digits, lower-case letters, upper-case 98letters, and other characters. 99There is also a special class for 100.No non- Ns Tn ASCII 101characters, which could not be classified, but are assumed to be non-digits. 102.Pp 103.Ar N1 104is used for passwords consisting of characters from two character 105classes that do not meet the requirements for a passphrase. 106.Pp 107.Ar N2 108is used for passphrases. 109Note that besides meeting this length requirement, 110a passphrase must also consist of a sufficient number of words (see the 111.Cm passphrase 112option below). 113.Pp 114.Ar N3 115and 116.Ar N4 117are used for passwords consisting of characters from three 118and four character classes, respectively. 119.Pp 120When calculating the number of character classes, upper-case letters 121used as the first character and digits used as the last character of a 122password are not counted. 123.Pp 124In addition to being sufficiently long, passwords are required to 125contain enough different characters for the character classes and 126the minimum length they have been checked against. 127.Pp 128.It Cm max Ns = Ns Ar N 129.Pq Cm max Ns = Ns 40 130The maximum allowed password length. 131This can be used to prevent users from setting passwords that may be 132too long for some system services. 133The value 8 is treated specially: if 134.Cm max 135is set to 8, passwords longer than 8 characters will not be rejected, 136but will be truncated to 8 characters for the strength checks and the 137user will be warned. 138This is to be used with the traditional DES-based password hashes, 139which truncate the password at 8 characters. 140.Pp 141It is important that you do set 142.Cm max Ns = Ns 8 143if you are using the traditional 144hashes, or some weak passwords will pass the checks. 145.It Cm passphrase Ns = Ns Ar N 146.Pq Cm passphrase Ns = Ns 3 147The number of words required for a passphrase, or 0 to disable the 148support for user-chosen passphrases. 149.It Cm match Ns = Ns Ar N 150.Pq Cm match Ns = Ns 4 151The length of common substring required to conclude that a password is 152at least partially based on information found in a character string, 153or 0 to disable the substring search. 154Note that the password will not be rejected once a weak substring is 155found; it will instead be subjected to the usual strength requirements 156with the weak substring removed. 157.Pp 158The substring search is case-insensitive and is able to detect and 159remove a common substring spelled backwards. 160.It Xo 161.Sm off 162.Cm similar No = Cm permit | deny 163.Sm on 164.Xc 165.Pq Cm similar Ns = Ns Cm deny 166Whether a new password is allowed to be similar to the old one. 167The passwords are considered to be similar when there is a sufficiently 168long common substring and the new password with the substring removed 169would be weak. 170.It Xo 171.Sm off 172.Cm random No = Ar N Op , Cm only 173.Sm on 174.Xc 175.Pq Cm random Ns = Ns 42 176The size of randomly-generated passphrases in bits (24 to 72), 177or 0 to disable this feature. 178Any passphrase that contains the offered randomly-generated string will be 179allowed regardless of other possible restrictions. 180.Pp 181The 182.Cm only 183modifier can be used to disallow user-chosen passwords. 184.It Xo 185.Sm off 186.Cm enforce No = Cm none | users | everyone 187.Sm on 188.Xc 189.Pq Cm enforce Ns = Ns Cm everyone 190The module can be configured to warn of weak passwords only, but not 191actually enforce strong passwords. 192The 193.Cm users 194setting will enforce strong passwords for invocations by non-root users only. 195.It Cm non-unix 196Normally, 197.Nm 198uses 199.Xr getpwnam 3 200to obtain the user's personal login information and use that during 201the password strength checks. 202This behavior can be disabled with the 203.Cm non-unix 204option. 205.It Cm retry Ns = Ns Ar N 206.Pq Cm retry Ns = Ns 3 207The number of times the module will ask for a new password if the user 208fails to provide a sufficiently strong password and enter it twice the 209first time. 210.It Cm ask_oldauthtok Ns Op = Ns Cm update 211Ask for the old password as well. 212Normally, 213.Nm 214leaves this task for subsequent modules. 215With no argument, the 216.Cm ask_oldauthtok 217option will cause 218.Nm 219to ask for the old password during the preliminary check phase. 220If the 221.Cm ask_oldauthtok 222option is specified with the 223.Cm update 224argument, 225.Nm 226will do that during the update phase. 227.It Cm check_oldauthtok 228This tells 229.Nm 230to validate the old password before giving a 231new password prompt. 232Normally, this task is left for subsequent modules. 233.Pp 234The primary use for this option is when 235.Cm ask_oldauthtok Ns = Ns Cm update 236is also specified, in which case no other module gets a chance to ask 237for and validate the password. 238Of course, this will only work with 239.Ux 240passwords. 241.It Cm use_first_pass , use_authtok 242Use the new password obtained by modules stacked before 243.Nm . 244This disables user interaction within 245.Nm . 246The only difference between 247.Cm use_first_pass 248and 249.Cm use_authtok 250is that the former is incompatible with 251.Cm ask_oldauthtok . 252.El 253.Sh SEE ALSO 254.Xr getpwnam 3 , 255.Xr pam.conf 5 , 256.Xr pam 8 257.Sh AUTHORS 258The 259.Nm 260module was written for Openwall GNU/*/Linux by 261.An Solar Designer Aq solar at openwall.com . 262This manual page, derived from the author's documentation, was written 263for the 264.Fx 265Project by 266ThinkSec AS and NAI Labs, the Security Research Division of Network 267Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 268.Pq Dq CBOSS , 269as part of the DARPA CHATS research program. 270