PAM_AUTHTOK_CHECK(7) Standards, Environments, and Macros PAM_AUTHTOK_CHECK(7)
NAME
pam_authtok_check - authentication and password management module
SYNOPSIS
pam_authtok_check.so.1

DESCRIPTION
pam_authtok_check provides functionality to the Password Management stack.
The implementation of pam_sm_chauthtok(3PAM) performs a number of checks on
the construction of the newly entered password. pam_sm_chauthtok() is
invoked twice by the PAM framework, once with flags set to PAM_PRELIM_CHECK,
and once with flags set to PAM_UPDATE_AUTHTOK. This module only performs its
checks during the first invocation. This module expects the current
authentication token in the PAM_OLDAUTHTOK item, the new (to be checked)
password in the PAM_AUTHTOK item, and the login name in the PAM_USER item.
The checks performed by this module are:
length
    The password length should not be less than the minimum specified in
    /etc/default/passwd.

circular shift
    The password should not be a circular shift of the login name. This
    check may be disabled in /etc/default/passwd.

complexity
    The password should contain at least the minimum number of characters
    described by the parameters MINALPHA, MINNONALPHA, MINDIGIT, and
    MINSPECIAL. Note that MINNONALPHA describes the same character classes
    as MINDIGIT and MINSPECIAL combined; therefore the user cannot specify
    both MINNONALPHA and MINSPECIAL (or MINDIGIT). The user must choose
    which of the two options to use. Furthermore, the WHITESPACE parameter
    determines whether whitespace characters are allowed. If unspecified,
    MINALPHA is 2, MINNONALPHA is 1 and WHITESPACE is yes.

variation
    The old and new passwords must differ by at least the MINDIFF value
    specified in /etc/default/passwd. If unspecified, the default is 3. For
    accounts in name services which support password history checking, if
    prior history is defined, the new password must not match the prior
    passwords.

dictionary check
    The password must not be based on a dictionary word. The list of words
    to be used for the site's dictionary can be specified with DICTIONLIST,
    a comma-separated list of filenames, each file containing one word per
    line. The database that is created from these files is stored in the
    directory named by DICTIONDBDIR (defaults to /var/passwd). See
    mkpwdict(8) for information on pre-generating the database. If neither
    DICTIONLIST nor DICTIONDBDIR is specified, no dictionary check is made.

upper/lower case
    The password must contain at least the minimum of upper- and lower-case
    letters specified by the MINUPPER and MINLOWER values in
    /etc/default/passwd. If unspecified, the defaults are 0.

maximum repeats
    The password must not contain more consecutively repeating characters
    than specified by the MAXREPEATS value in /etc/default/passwd. If
    unspecified, no repeat character check is made.
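The following Python model of the checks listed above is an added
illustration, not the module's C implementation. PASSLENGTH, the distance
metric behind MINDIFF, the run-length reading of MAXREPEATS and the
treatment of whitespace as its own class are assumptions; the dictionary
check is omitted because it needs DICTIONLIST files.

```python
from dataclasses import dataclass

@dataclass
class PasswdDefaults:
    """Subset of /etc/default/passwd keys this model reads (page defaults)."""
    PASSLENGTH: int = 6     # assumed value; the page only says "minimum specified"
    MINALPHA: int = 2
    MINNONALPHA: int = 1
    MINDIFF: int = 3
    MINUPPER: int = 0
    MINLOWER: int = 0
    MAXREPEATS: int = 0     # 0 models "unspecified": no repeat check
    WHITESPACE: bool = True

def circular_shift(name: str, pw: str) -> bool:
    """True when pw is a rotation of the login name ('iceal' for 'alice')."""
    return bool(name) and len(name) == len(pw) and pw in name + name

def longest_run(pw: str) -> int:
    """Length of the longest run of one consecutively repeated character."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def char_diff(old: str, new: str) -> int:
    """Assumed MINDIFF metric: differing aligned positions plus length delta."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def check_authtok(user: str, old: str, new: str, cfg: PasswdDefaults) -> list:
    """Names of the failed checks; an empty list corresponds to PAM_SUCCESS."""
    failed = []
    if len(new) < cfg.PASSLENGTH:
        failed.append("length")
    if circular_shift(user, new):
        failed.append("circular shift")
    alpha = sum(c.isalpha() for c in new)
    nonalpha = sum(not c.isalpha() and not c.isspace() for c in new)  # digits + special
    if (alpha < cfg.MINALPHA or nonalpha < cfg.MINNONALPHA
            or (not cfg.WHITESPACE and any(c.isspace() for c in new))):
        failed.append("complexity")
    if char_diff(old, new) < cfg.MINDIFF:
        failed.append("variation")
    upper, lower = sum(c.isupper() for c in new), sum(c.islower() for c in new)
    if upper < cfg.MINUPPER or lower < cfg.MINLOWER:
        failed.append("upper/lower case")
    if cfg.MAXREPEATS and longest_run(new) > cfg.MAXREPEATS:
        failed.append("maximum repeats")
    return failed
```

A non-empty result is the case in which the real module returns
PAM_AUTHTOK_ERR; the sample passwords used in testing are constructed.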
The following options may be passed to the module:

force_check
    If the PAM_NO_AUTHTOK_CHECK flag is set, force_check ignores this flag.
    The PAM_NO_AUTHTOK_CHECK flag can be set to bypass password checks (see
    pam_chauthtok(3PAM)).

debug
    syslog(3C) debugging information at the LOG_DEBUG level.

RETURN VALUES
If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS is returned.
If any of the tests fail, PAM_AUTHTOK_ERR is returned.

FILES
/etc/default/passwd
    See passwd(1) for a description of the contents.

ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Evolving |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+

SEE ALSO
passwd(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_chauthtok(3PAM),
pam_sm_chauthtok(3PAM), pam.conf(5), passwd(5), shadow(5), attributes(7),
pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7), pam_passwd_auth(7),
pam_unix_account(7), pam_unix_auth(7), pam_unix_session(7), mkpwdict(8)

NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.

The pam_unix(7) module is no longer supported. Similar functionality is
provided by pam_authtok_check(7), pam_authtok_get(7), pam_authtok_store(7),
pam_dhkeys(7), pam_passwd_auth(7), pam_unix_account(7), pam_unix_auth(7), and
pam_unix_session(7).

August 19, 2023                                          PAM_AUTHTOK_CHECK(7)