pam_passwdqc is a simple password strength checking module for
PAM-aware password changing programs, such as passwd(1). In addition
to checking regular passwords, it offers support for passphrases and
can provide randomly generated passwords. All features are optional
and can be (re-)configured without rebuilding.

This module should be stacked before your usual password changing
module (such as pam_unix or pam_pwdb) in the password management group
(the "password" lines in /etc/pam.d/passwd or /etc/pam.conf). The
password changing module should then be told to use the provided new
authentication token (new password) rather than request it from the
user. There's usually the "use_authtok" option to do that. If your
password changing module lacks the "use_authtok" option or its prompts
are inconsistent with pam_passwdqc's, you may tell pam_passwdqc to ask
for the old password as well, with "ask_oldauthtok". In that case the
option to use with the password changing module is "use_first_pass".

There are a number of supported options which can be used to modify
the behavior of pam_passwdqc (defaults are given in square brackets):

	min=N0,N1,N2,N3,N4 [min=disabled,24,12,8,7]

The minimum allowed password lengths, separately for different kinds
of passwords/passphrases. The special word "disabled" can be used to
disallow passwords of a given kind regardless of their length. Each
subsequent number is required to be no larger than the preceding one.

N0 is used for passwords consisting of characters from one character
class only. (The character classes are: digits, lower-case letters,
upper-case letters, and other characters.
There's also the special class for non-ASCII characters which couldn't
be classified, but are assumed to be non-digits.)

N1 is used for passwords consisting of characters from two character
classes, which don't meet the requirements for a passphrase.

N2 is used for passphrases. A passphrase must consist of sufficient
words (see the "passphrase" option, below).

N3 and N4 are used for passwords consisting of characters from three
and four character classes, respectively.

When calculating the number of character classes, upper-case letters
used as the first character and digits used as the last character of a
password are not counted.

In addition to being sufficiently long, passwords are required to
contain enough different characters for the character classes and
the minimum length they've been checked against.

	max=N [max=40]

The maximum allowed password length. This can be used to prevent
users from setting passwords which may be too long for some system
services.

The value 8 is treated specially. Passwords longer than 8 characters
will not be rejected, but will be truncated to 8 characters for the
strength checks and the user will be warned. This is to be used with
the traditional crypt(3) password hashes.

It is important that you do set max=8 if you're using the traditional
hashes, or some weak passwords will pass the checks.

	passphrase=N [passphrase=3]

The number of words required for a passphrase, or 0 to disable the
support for passphrases.
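
The min=, max= and passphrase= rules described above, modelled in Python as an added example that is not pam_passwdqc's own code. The treatment of non-ASCII characters as one extra class, the definition of a word, and the omission of the distinct-character requirement are simplifying assumptions; only the documented class and length logic is reproduced.

```python
# Added example, not pam_passwdqc's own code: a model of the documented min=,
# max= and passphrase= rules, showing which length limit a candidate password
# is checked against. Non-ASCII handling and the word definition are
# assumptions; the distinct-character requirement is not modelled.
import math
import re


def parse_min(spec="disabled,24,12,8,7"):
    """Parse min=N0,N1,N2,N3,N4; 'disabled' means never allowed (infinite)."""
    vals = [math.inf if v == "disabled" else int(v) for v in spec.split(",")]
    if len(vals) != 5 or any(a < b for a, b in zip(vals, vals[1:])):
        raise ValueError("min= needs five non-increasing values")
    return vals


def count_classes(pw):
    """Count classes (digit, lower, upper, other, non-ASCII); an upper-case
    first character and a digit last character are not counted."""
    if not pw:
        return 0
    kinds = [("nonascii" if ord(c) > 127 else "digit" if c.isdigit() else
              "lower" if c.islower() else "upper" if c.isupper() else "other")
             for c in pw]
    if kinds[0] == "upper":     # leading capital does not add a class
        kinds[0] = None
    if kinds[-1] == "digit":    # trailing digit does not add a class
        kinds[-1] = None
    return len(set(kinds) - {None})


def check(pw, min_spec="disabled,24,12,8,7", max_len=40, passphrase=3):
    """Return (accepted, tier, truncated); tier indexes N0..N4."""
    truncated = False
    if len(pw) > max_len:
        if max_len != 8:
            return False, None, False   # an ordinary max= simply rejects
        pw, truncated = pw[:8], True    # max=8: check first 8 chars, warn
    classes = count_classes(pw)
    words = len(re.findall(r"[A-Za-z]+", pw))  # assumed word definition
    if classes == 2 and passphrase and words >= passphrase:
        tier = 2                        # enough words: passphrase limit N2
    else:
        tier = {0: 0, 1: 0, 2: 1}.get(classes, min(classes, 4))
    return len(pw) >= parse_min(min_spec)[tier], tier, truncated
```

With the defaults, "Password1" counts as a single class and is refused, and a two-class password that passes at max=40 can fail once max=8 truncates it to a single class.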

	match=N [match=4]

The length of common substring required to conclude that a password is
at least partially based on information found in a character string,
or 0 to disable the substring search. Note that the password will not
be rejected once a weak substring is found. Instead, the password
will be subjected to the usual strength requirements with the weak
substring removed.

The substring search is case-insensitive and is able to detect and
remove a common substring spelled backwards.

	similar=permit|deny [similar=deny]

Whether a new password is allowed to be similar to the old one. The
passwords are considered to be similar when there's a sufficiently
long common substring and the new password with the substring removed
would be weak.

	random=N[,only] [random=42]

The size of randomly-generated passwords in bits, or 0 to disable this
feature. Passwords that contain the offered randomly-generated string
will be allowed regardless of other possible restrictions.

The "only" modifier can be used to disallow user-chosen passwords.

	enforce=none|users|everyone [enforce=everyone]

The module can be configured to warn of weak passwords only, but not
actually enforce strong passwords. The "users" setting will enforce
strong passwords for non-root users only.

	non-unix []

By default, the module uses getpwnam(3) to obtain the user's personal
login information and uses that during the password strength checks.
This behavior can be disabled with "non-unix".
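
The match= and similar= checks described above, modelled in Python as an added example that is not pam_passwdqc's own code. It finds the longest case-insensitive common substring between the new password and a reference string (the old password or a getpwnam(3) field), forwards or spelled backwards, and yields the new password with that substring removed, which the usual strength checks would then be applied to; cutting only the single longest match, and the is_weak callback, are assumptions.

```python
# Added example, not pam_passwdqc's own code: a simplified model of the match=
# and similar= rules above. It finds the longest case-insensitive common
# substring between the new password and a reference string (old password or
# a getpwnam(3) field), forwards or spelled backwards, and yields the new
# password with it cut out, which the usual length/class checks then see.
# Cutting only the single longest match is an assumption about the exact rule.
def longest_common(a, b):
    """Longest common substring of lower-cased a and b: (length, start in a)."""
    best_len, best_at, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_at = cur[j], i - cur[j]
        prev = cur
    return best_len, best_at


def weak_substring(newpass, reference, match=4):
    """(start, length, backwards) of the weak substring in newpass, or None if
    no common substring reaches the match= threshold (match=0 disables)."""
    best = None
    for backwards in (False, True):
        ref = reference.lower()[::-1] if backwards else reference.lower()
        length, at = longest_common(newpass.lower(), ref)
        if match and length >= match and (best is None or length > best[1]):
            best = (at, length, backwards)
    return best


def strip_weak(newpass, reference, match=4):
    """What the strength checks are applied to: newpass minus the weak
    substring, or newpass unchanged when nothing long enough was found."""
    hit = weak_substring(newpass, reference, match)
    if hit is None:
        return newpass
    at, length, _ = hit
    return newpass[:at] + newpass[at + length:]


def similar_denied(oldpass, newpass, is_weak, match=4):
    """similar=deny: the change is refused when old and new share a long
    enough substring and newpass with it removed fails the is_weak test."""
    stripped = strip_weak(newpass, oldpass, match)
    return stripped != newpass and is_weak(stripped)
```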

	retry=N [retry=3]

The number of times the module will ask for a new password if the user
fails to provide a sufficiently strong password and enter it twice the
first time.

	ask_oldauthtok[=update] []

Ask for the old password as well. Normally, pam_passwdqc leaves this
task for the password changing module. A simple "ask_oldauthtok" will
cause pam_passwdqc to ask for the old password during the preliminary
check phase. With "ask_oldauthtok=update", pam_passwdqc will do that
during the update phase.

	check_oldauthtok []

This tells pam_passwdqc to validate the old password before giving a
new password prompt. Normally, this task is left for the password
changing module.

The primary use for this option is with "ask_oldauthtok=update" in
which case no other modules have a chance to run and validate the
password between the prompts. Of course, this will only work with
Unix passwords.

	use_first_pass []
	use_authtok []

Use the new password obtained by modules stacked before pam_passwdqc.
This disables user interaction within pam_passwdqc. With this module,
the only difference between "use_first_pass" and "use_authtok" is that
the former is incompatible with "ask_oldauthtok".

--
Solar Designer <solar@openwall.com>