Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   16655 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

PAM_AUTHTOK_CHECK(5)					  PAM_AUTHTOK_CHECK(5)

NAME
       pam_authtok_check - authentication and password management module

SYNOPSIS
       pam_authtok_check.so.1

DESCRIPTION
       pam_authtok_check  provides  functionality  to  the Password Management
       stack. The implementation of pam_sm_chauthtok() performs	 a  number  of
       checks on the construction of the newly entered password.  pam_sm_chau‐
       thtok() is invoked twice by the PAM framework, once with flags  set  to
       PAM_PRELIM_CHECK,  and  once with flags set to PAM_UPDATE_AUTHTOK. This
       module only performs its checks during the first invocation. This  mod‐
       ule  expects  the  current  authentication  token in the PAM_OLDAUTHTOK
       item, the new (to be checked) password in the PAM_AUTHTOK item, and the
       login  name  in	the PAM_USER item. The checks performed by this module
       are:

       length
			   The password length should not  be  less  that  the
			   minimum specified in /etc/default/passwd.

       circular shift
			   The	password should not be a circular shift of the
			   login  name.	 This  check  may   be	 disabled   in
			   /etc/default/passwd.

       complexity
			   The	password  should  contain at least the minimum
			   number of characters described  by  the  parameters
			   MINALPHA,  MINNONALPHA,  MINDIGIT,  and MINSPECIAL.
			   Note that MINNONALPHA describes the same  character
			   classes as MINDIGIT and MINSPECIAL combined; there‐
			   fore the user cannot specify both  MINNONALPHA  and
			   MINSPECIAL  (or  MINDIGIT).	 The  user must choose
			   which of the two options to use.  Furthermore,  the
			   WHITESPACE  parameter determines whether whitespace
			   characters are allowed. If unspecified MINALPHA  is
			   2, MINNONALPHA is 1 and WHITESPACE is yes

       variation
			   The	old  and new passwords must differ by at least
			   the MINDIFF value specified in /etc/default/passwd.
			   If  unspecified,  the default is 3. For accounts in
			   name services which support password history check‐
			   ing,	 if prior history is defined, the new password
			   must not match the prior passwords.

       dictionary check
			   The password must not  be  based  on	 a  dictionary
			   word.  The  list of words to be used for the site's
			   dictionary can be specified	with  DICTIONLIST.  It
			   should contain a comma-separated list of filenames,
			   one word per line. The  database  that  is  created
			   from	 these	files is stored in the directory named
			   by DICTIONDBDIR (defaults to /var/passwd). See mkp‐
			   wdict(1M)  for  information	on  pre-generating the
			   database. If neither DICTIONLIST  nor  DICTIONDBDIR
			   is specified, no dictionary check is made.

       upper/lower case
			   The	password  must contain at least the minimum of
			   upper- and lower-case letters specified by the MIN‐
			   UPPER  and  MINLOWER values in /etc/default/passwd.
			   If unspecified, the defaults are 0.

       maximum repeats
			   The password must not  contain  more	 consecutively
			   repeating  characters  than specified by the MAXRE‐
			   PEATS value in /etc/default/passwd. If unspecified,
			   no repeat character check is made.

       The following option may be passed to the module:

       force_check
		      If   the	 PAM_NO_AUTHTOK_CHECK  flag  set,  force_check
		      ignores this flag. The PAM_NO_AUTHTOK_CHECK flag can  be
		      set to bypass password checks (see pam_chauthtok(3PAM)).

       debug
		      syslog(3C) debugging information at the LOG_DEBUG level

RETURN VALUES
       If  the	password  in  PAM_AUTHTOK  passes  all	tests,	PAM_SUCCESS is
       returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.

FILES
       /etc/default/passwd
			      See passwd(1) for a description of the contents.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────┬─────────────────────────┐
       │  ATTRIBUTE TYPE    │	  ATTRIBUTE VALUE     │
       ├────────────────────┼─────────────────────────┤
       │Interface Stability │ Evolving		      │
       ├────────────────────┼─────────────────────────┤
       │MT Level	    │ MT-Safe with exceptions │
       └────────────────────┴─────────────────────────┘

SEE ALSO
       passwd(1), pam(3PAM),  mkpwdict(1M),  pam_chauthtok(3PAM),  syslog(3C),
       libpam(3LIB),   pam.conf(4),   passwd(4),   shadow(4),	attributes(5),
       pam_authtok_get(5),	  pam_authtok_store(5),		pam_dhkeys(5),
       pam_passwd_auth(5),	  pam_unix_account(5),	     pam_unix_auth(5),
       pam_unix_session(5)

NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each	thread	within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided	  by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth‐
       tok_store(5),  pam_dhkeys(5),  pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).

				  Mar 1, 2005		  PAM_AUTHTOK_CHECK(5)

Vote for polarhome