PAM_AUTHTOK_CHECK(7) Standards, Environments, and Macros

NAME


pam_authtok_check - authentication and password management module

SYNOPSIS


pam_authtok_check.so.1


DESCRIPTION


pam_authtok_check provides functionality to the Password Management
stack. The implementation of pam_sm_chauthtok(3PAM) performs a number
of checks on the construction of the newly entered password.
pam_sm_chauthtok() is invoked twice by the PAM framework, once with
flags set to PAM_PRELIM_CHECK, and once with flags set to
PAM_UPDATE_AUTHTOK. This module only performs its checks during the
first invocation. This module expects the current authentication
token in the PAM_OLDAUTHTOK item, the new (to be checked) password in
the PAM_AUTHTOK item, and the login name in the PAM_USER item. The
checks performed by this module are:

length
The password length should not be less than the
minimum specified in /etc/default/passwd.


circular shift
The password should not be a circular shift of
the login name. This check may be disabled in
/etc/default/passwd.


complexity
The password should contain at least the minimum
number of characters described by the parameters
MINALPHA, MINNONALPHA, MINDIGIT, and MINSPECIAL.
Note that MINNONALPHA describes the same
character classes as MINDIGIT and MINSPECIAL
combined; therefore the user cannot specify both
MINNONALPHA and MINSPECIAL (or MINDIGIT). The
user must choose which of the two options to use.
Furthermore, the WHITESPACE parameter determines
whether whitespace characters are allowed. If
unspecified, MINALPHA is 2, MINNONALPHA is 1 and
WHITESPACE is yes.


variation
The old and new passwords must differ by at least
the MINDIFF value specified in
/etc/default/passwd. If unspecified, the default
is 3. For accounts in name services which support
password history checking, if prior history is
defined, the new password must not match the
prior passwords.


dictionary check
The password must not be based on a dictionary
word. The list of words to be used for the site's
dictionary can be specified with DICTIONLIST. It
should contain a comma-separated list of
filenames, one word per line. The database that
is created from these files is stored in the
directory named by DICTIONDBDIR (defaults to
/var/passwd). See mkpwdict(8) for information on
pre-generating the database. If neither
DICTIONLIST nor DICTIONDBDIR is specified, no
dictionary check is made.


upper/lower case
The password must contain at least the minimum of
upper- and lower-case letters specified by the
MINUPPER and MINLOWER values in
/etc/default/passwd. If unspecified, the defaults
are 0.


maximum repeats
The password must not contain more consecutively
repeating characters than specified by the
MAXREPEATS value in /etc/default/passwd. If
unspecified, no repeat character check is made.
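
The checks listed above, modelled as an added example that is not the module's own code (a constructed Python checker, not the C implementation of pam_sm_chauthtok): it parses an /etc/default/passwd-style fragment, enforces the rule that MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL, and reports which named checks a candidate password fails. It assumes the PASSLENGTH and NAMECHECK keys documented in passwd(1), omits the dictionary check, and the MINDIFF and MAXREPEATS arithmetic is this example's reading of the text.

```python
# Added example modelling the pam_authtok_check policy; not the module's own code.
import re

DEFAULTS = {"MINALPHA": 2, "MINNONALPHA": 1, "WHITESPACE": "yes", "NAMECHECK": "yes",
            "MINUPPER": 0, "MINLOWER": 0, "MINDIFF": 3}
# Constructed /etc/default/passwd fragment using per-class limits instead of MINNONALPHA.
SAMPLE_DEFAULT_PASSWD = "PASSLENGTH=8\nMINALPHA=3\nMINDIGIT=1  # one digit\nMINSPECIAL=1\nMINUPPER=1\nMAXREPEATS=2\n"

def parse_default_passwd(text):
    """Parse KEY=VALUE lines ('#' starts a comment); numeric values become ints."""
    explicit = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            explicit[key] = int(val) if val.isdigit() else val
    per_class = {"MINDIGIT", "MINSPECIAL"} & explicit.keys()
    if per_class and "MINNONALPHA" in explicit:
        raise ValueError("MINNONALPHA cannot be combined with MINDIGIT/MINSPECIAL")
    cfg = dict(DEFAULTS)
    if per_class:
        del cfg["MINNONALPHA"]  # the per-class limits replace the combined default
    cfg.update(explicit)
    return cfg

def check_password(cfg, user, new_pw, old_pw=None):
    """Return the names of the checks new_pw fails; an empty list means PAM_SUCCESS."""
    failed = []
    alpha, digit, space = (sum(f(c) for c in new_pw) for f in (str.isalpha, str.isdigit, str.isspace))
    special = len(new_pw) - alpha - digit - space
    if len(new_pw) < cfg.get("PASSLENGTH", 0):
        failed.append("length")
    if cfg["NAMECHECK"].lower() != "no" and len(new_pw) == len(user) and new_pw in user + user:
        failed.append("circular shift")  # every rotation of user is a substring of user+user
    nonalpha_ok = (digit + special >= cfg["MINNONALPHA"] if "MINNONALPHA" in cfg else
                   digit >= cfg.get("MINDIGIT", 0) and special >= cfg.get("MINSPECIAL", 0))
    if alpha < cfg["MINALPHA"] or not nonalpha_ok or (space and cfg["WHITESPACE"].lower() == "no"):
        failed.append("complexity")
    if (sum(c.isupper() for c in new_pw) < cfg["MINUPPER"]
            or sum(c.islower() for c in new_pw) < cfg["MINLOWER"]):
        failed.append("upper/lower case")
    if "MAXREPEATS" in cfg:  # the longest run of one character must not exceed it
        runs = (len(m.group()) for m in re.finditer(r"(.)\1*", new_pw))
        if max(runs, default=0) > cfg["MAXREPEATS"]:
            failed.append("maximum repeats")
    if old_pw is not None:  # positions that differ, plus any difference in length (assumed reading)
        diff = sum(a != b for a, b in zip(new_pw, old_pw)) + abs(len(new_pw) - len(old_pw))
        if diff < cfg["MINDIFF"]:
            failed.append("variation")
    return failed
```

Calling check_password(parse_default_passwd(SAMPLE_DEFAULT_PASSWD), "alice", "aaa1") returns all four of "length", "complexity", "upper/lower case" and "maximum repeats", which is the kind of breakdown the module only reports as PAM_AUTHTOK_ERR.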


The following option may be passed to the module:

force_check
If the PAM_NO_AUTHTOK_CHECK flag is set, force_check
ignores it. The PAM_NO_AUTHTOK_CHECK flag can be set
to bypass password checks (see pam_chauthtok(3PAM)).


debug
Log debugging information via syslog(3C) at the
LOG_DEBUG level.


RETURN VALUES


If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS is
returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.

FILES


/etc/default/passwd
See passwd(1) for a description of the
contents.


ATTRIBUTES


See attributes(7) for descriptions of the following attributes:


+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Evolving |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+

SEE ALSO


passwd(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_chauthtok(3PAM),
pam_sm_chauthtok(3PAM), pam.conf(5), passwd(5), shadow(5),
attributes(7), pam_authtok_get(7), pam_authtok_store(7),
pam_dhkeys(7), pam_passwd_auth(7), pam_unix_account(7),
pam_unix_auth(7), pam_unix_session(7), mkpwdict(8)

NOTES


The interfaces in libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.


The pam_unix(7) module is no longer supported. Similar functionality
is provided by pam_authtok_check(7), pam_authtok_get(7),
pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7),
pam_unix_account(7), pam_unix_auth(7), and pam_unix_session(7).

August 19, 2023 PAM_AUTHTOK_CHECK(7)
