'\" te .\" Copyright (C) 2003, Sun Microsystems, Inc. .\" All Rights Reserved .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH PAM_AUTHTOK_CHECK 7 "August 19, 2023" .SH NAME pam_authtok_check \- authentication and password management module .SH SYNOPSIS .nf \fBpam_authtok_check.so.1\fR .fi .SH DESCRIPTION \fBpam_authtok_check\fR provides functionality to the Password Management stack. The implementation of \fBpam_sm_chauthtok\fR(3PAM) performs a number of checks on the construction of the newly entered password. \fBpam_sm_chauthtok()\fR is invoked twice by the PAM framework, once with flags set to \fBPAM_PRELIM_CHECK\fR, and once with flags set to \fBPAM_UPDATE_AUTHTOK\fR. This module only performs its checks during the first invocation. This module expects the current authentication token in the \fBPAM_OLDAUTHTOK\fR item, the new (to be checked) password in the \fBPAM_AUTHTOK\fR item, and the login name in the \fBPAM_USER\fR item. The checks performed by this module are: .sp .ne 2 .na \fBlength\fR .ad .RS 20n The password length should not be less that the minimum specified in \fB/etc/default/passwd\fR. .RE .sp .ne 2 .na \fBcircular shift\fR .ad .RS 20n The password should not be a circular shift of the login name. This check may be disabled in \fB/etc/default/passwd\fR. .RE .sp .ne 2 .na \fBcomplexity\fR .ad .RS 20n The password should contain at least the minimum number of characters described by the parameters \fBMINALPHA\fR, \fBMINNONALPHA\fR, \fBMINDIGIT\fR, and \fBMINSPECIAL\fR. Note that \fBMINNONALPHA\fR describes the same character classes as \fBMINDIGIT\fR and \fBMINSPECIAL\fR combined; therefore the user cannot specify both \fBMINNONALPHA\fR and \fBMINSPECIAL\fR (or \fBMINDIGIT\fR). The user must choose which of the two options to use. Furthermore, the \fBWHITESPACE\fR parameter determines whether whitespace characters are allowed. If unspecified \fBMINALPHA\fR is 2, \fBMINNONALPHA\fR is 1 and \fBWHITESPACE\fR is yes .RE .sp .ne 2 .na \fBvariation\fR .ad .RS 20n The old and new passwords must differ by at least the \fBMINDIFF\fR value specified in \fB/etc/default/passwd\fR. If unspecified, the default is 3. For accounts in name services which support password history checking, if prior history is defined, the new password must not match the prior passwords. .RE .sp .ne 2 .na \fBdictionary check\fR .ad .RS 20n The password must not be based on a dictionary word. The list of words to be used for the site's dictionary can be specified with \fBDICTIONLIST\fR. It should contain a comma-separated list of filenames, one word per line. The database that is created from these files is stored in the directory named by \fBDICTIONDBDIR\fR (defaults to \fB/var/passwd\fR). See \fBmkpwdict\fR(8) for information on pre-generating the database. If neither \fBDICTIONLIST\fR nor \fBDICTIONDBDIR\fR is specified, no dictionary check is made. .RE .sp .ne 2 .na \fBupper/lower case\fR .ad .RS 20n The password must contain at least the minimum of upper- and lower-case letters specified by the \fBMINUPPER\fR and \fBMINLOWER\fR values in \fB/etc/default/passwd\fR. If unspecified, the defaults are 0. .RE .sp .ne 2 .na \fBmaximum repeats\fR .ad .RS 20n The password must not contain more consecutively repeating characters than specified by the \fBMAXREPEATS\fR value in \fB/etc/default/passwd\fR. If unspecified, no repeat character check is made. .RE .sp .LP The following option may be passed to the module: .sp .ne 2 .na \fBforce_check\fR .ad .RS 15n If the \fBPAM_NO_AUTHTOK_CHECK\fR flag set, \fBforce_check\fR ignores this flag. The \fBPAM_NO_AUTHTOK_CHECK\fR flag can be set to bypass password checks (see \fBpam_chauthtok\fR(3PAM)). .RE .sp .ne 2 .na \fBdebug\fR .ad .RS 15n \fBsyslog\fR(3C) debugging information at the \fBLOG_DEBUG\fR level .RE .SH RETURN VALUES If the password in \fBPAM_AUTHTOK\fR passes all tests, \fBPAM_SUCCESS\fR is returned. If any of the tests fail, \fBPAM_AUTHTOK_ERR\fR is returned. .SH FILES .ne 2 .na \fB/etc/default/passwd\fR .ad .RS 23n See \fBpasswd\fR(1) for a description of the contents. .RE .SH ATTRIBUTES See \fBattributes\fR(7) for descriptions of the following attributes: .sp .sp .TS box; c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE _ Interface Stability Evolving _ MT Level MT-Safe with exceptions .TE .SH SEE ALSO .BR passwd (1), .BR syslog (3C), .BR libpam (3LIB), .BR pam (3PAM), .BR pam_chauthtok (3PAM), .BR pam_sm_chauthtok (3PAM), .BR pam.conf (5), .BR passwd (5), .BR shadow (5), .BR attributes (7), .BR pam_authtok_get (7), .BR pam_authtok_store (7), .BR pam_dhkeys (7), .BR pam_passwd_auth (7), .BR pam_unix_account (7), .BR pam_unix_auth (7), .BR pam_unix_session (7), .BR mkpwdict (8) .SH NOTES The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own \fBPAM\fR handle. .sp .LP The \fBpam_unix\fR(7) module is no longer supported. Similar functionality is provided by \fBpam_authtok_check\fR(7), \fBpam_authtok_get\fR(7), \fBpam_authtok_store\fR(7), \fBpam_dhkeys\fR(7), \fBpam_passwd_auth\fR(7), \fBpam_unix_account\fR(7), \fBpam_unix_auth\fR(7), and \fBpam_unix_session\fR(7).