'\" te
.\" Copyright (C) 2003, Sun Microsystems, Inc.
.\" All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PAM_AUTHTOK_CHECK 7 "Mar 1, 2005"
.SH NAME
pam_authtok_check \- authentication and password management module
.SH SYNOPSIS
.LP
.nf
\fBpam_authtok_check.so.1\fR
.fi

.SH DESCRIPTION
.sp
.LP
\fBpam_authtok_check\fR provides functionality to the Password Management
stack. The implementation of \fBpam_sm_chauthtok()\fR performs a number of
checks on the construction of the newly entered password.
\fBpam_sm_chauthtok()\fR is invoked twice by the PAM framework, once with flags
set to \fBPAM_PRELIM_CHECK\fR, and once with flags set to
\fBPAM_UPDATE_AUTHTOK\fR. This module only performs its checks during the first
invocation. This module expects the current authentication token in the
\fBPAM_OLDAUTHTOK\fR item, the new (to be checked) password in the
\fBPAM_AUTHTOK\fR item, and the login name in the \fBPAM_USER\fR item. The
checks performed by this module are:
.sp
.ne 2
.na
\fBlength\fR
.ad
.RS 20n
The password length should not be less that the minimum specified in
\fB/etc/default/passwd\fR.
.RE

.sp
.ne 2
.na
\fBcircular shift\fR
.ad
.RS 20n
The password should not be a circular shift of the login name. This check may
be disabled in \fB/etc/default/passwd\fR.
.RE

.sp
.ne 2
.na
\fBcomplexity\fR
.ad
.RS 20n
The password should contain at least the minimum number of characters described
by the parameters \fBMINALPHA\fR, \fBMINNONALPHA\fR, \fBMINDIGIT\fR, and
\fBMINSPECIAL\fR. Note that \fBMINNONALPHA\fR describes the same character
classes as \fBMINDIGIT\fR and \fBMINSPECIAL\fR combined; therefore the user
cannot specify both \fBMINNONALPHA\fR and \fBMINSPECIAL\fR (or \fBMINDIGIT\fR).
The user must choose which of the two options to use. Furthermore, the
\fBWHITESPACE\fR parameter determines whether whitespace characters are
allowed. If unspecified \fBMINALPHA\fR is 2, \fBMINNONALPHA\fR is 1 and
\fBWHITESPACE\fR is yes
.RE

.sp
.ne 2
.na
\fBvariation\fR
.ad
.RS 20n
The old and new passwords must differ by at least the \fBMINDIFF\fR value
specified in \fB/etc/default/passwd\fR. If unspecified, the default is 3. For
accounts in name services which support password history checking, if prior
history is defined, the new password must not match the prior passwords.
.RE

.sp
.ne 2
.na
\fBdictionary check\fR
.ad
.RS 20n
The password must not be based on a dictionary word. The list of words to be
used for the site's dictionary can be specified with \fBDICTIONLIST\fR. It
should contain a comma-separated list of filenames, one word per line. The
database that is created from these files is stored in the directory named by
\fBDICTIONDBDIR\fR (defaults to \fB/var/passwd\fR). See \fBmkpwdict\fR(8) for
information on pre-generating the database. If neither \fBDICTIONLIST\fR nor
\fBDICTIONDBDIR\fR is specified, no dictionary check is made.
.RE

.sp
.ne 2
.na
\fBupper/lower case\fR
.ad
.RS 20n
The password must contain at least the minimum of upper- and lower-case letters
specified by the \fBMINUPPER\fR and \fBMINLOWER\fR values in
\fB/etc/default/passwd\fR. If unspecified, the defaults are 0.
.RE

.sp
.ne 2
.na
\fBmaximum repeats\fR
.ad
.RS 20n
The password must not contain more consecutively repeating characters than
specified by the \fBMAXREPEATS\fR value in \fB/etc/default/passwd\fR. If
unspecified, no repeat character check is made.
.RE

.sp
.LP
The following option may be passed to the module:
.sp
.ne 2
.na
\fBforce_check\fR
.ad
.RS 15n
If the \fBPAM_NO_AUTHTOK_CHECK\fR flag set, \fBforce_check\fR ignores this
flag. The \fBPAM_NO_AUTHTOK_CHECK\fR flag can be set to bypass password checks
(see \fBpam_chauthtok\fR(3PAM)).
.RE

.sp
.ne 2
.na
\fBdebug\fR
.ad
.RS 15n
\fBsyslog\fR(3C) debugging information at the \fBLOG_DEBUG\fR level
.RE

.SH RETURN VALUES
.sp
.LP
If the password in \fBPAM_AUTHTOK\fR passes all tests, \fBPAM_SUCCESS\fR is
returned. If any of the tests fail, \fBPAM_AUTHTOK_ERR\fR is returned.
.SH FILES
.sp
.ne 2
.na
\fB/etc/default/passwd\fR
.ad
.RS 23n
See \fBpasswd\fR(1) for a description of the contents.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Evolving
_
MT Level	MT-Safe with exceptions
.TE

.SH SEE ALSO
.sp
.LP
.BR passwd (1),
.BR syslog (3C),
.BR libpam (3LIB),
.BR pam (3PAM),
.BR pam_chauthtok (3PAM),
.BR pam.conf (5),
.BR passwd (5),
.BR shadow (5),
.BR attributes (7),
.BR pam_authtok_get (7),
.BR pam_authtok_store (7),
.BR pam_dhkeys (7),
.BR pam_passwd_auth (7),
.BR pam_unix_account (7),
.BR pam_unix_auth (7),
.BR pam_unix_session (7),
.BR mkpwdict (8)
.SH NOTES
.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own \fBPAM\fR handle.
.sp
.LP
The \fBpam_unix\fR(7) module is no longer supported. Similar functionality is
provided by \fBpam_authtok_check\fR(7), \fBpam_authtok_get\fR(7),
\fBpam_authtok_store\fR(7), \fBpam_dhkeys\fR(7), \fBpam_passwd_auth\fR(7),
\fBpam_unix_account\fR(7), \fBpam_unix_auth\fR(7), and
\fBpam_unix_session\fR(7).