pam_authtok_check(5)   Standards, Environments, and Macros   pam_authtok_check(5)

NAME
       pam_authtok_check - authentication and password management module

SYNOPSIS
       pam_authtok_check.so.1

DESCRIPTION
       pam_authtok_check provides functionality to the Password Management
       stack. The implementation of pam_sm_chauthtok() performs a number of
       checks on the construction of the newly entered password.
       pam_sm_chauthtok() is invoked twice by the PAM framework, once with
       flags set to PAM_PRELIM_CHECK, and once with flags set to
       PAM_UPDATE_AUTHTOK. This module only performs its checks during the
       first invocation. This module expects the current authentication token
       in the PAM_OLDAUTHTOK item, the new (to be checked) password in the
       PAM_AUTHTOK item, and the login name in the PAM_USER item. The checks
       performed by this module are:
       circular shift    The password should not be a circular shift of the
                         login name. This check can be disabled in
                         /etc/default/passwd.

       complexity        The password should contain at least the minimum
                         number of characters described by the parameters
                         MINALPHA, MINNONALPHA, MINDIGIT, and MINSPECIAL.
                         Note that MINNONALPHA describes the same character
                         classes as MINDIGIT and MINSPECIAL combined;
                         therefore the user cannot specify both MINNONALPHA
                         and MINSPECIAL (or MINDIGIT). The user must choose
                         which of the two options to use. Furthermore, the
                         WHITESPACE parameter determines whether white-space
                         characters are allowed. If unspecified, MINALPHA is
                         2, MINNONALPHA is 1, and WHITESPACE is yes.

       dictionary check  The password must not be based on a dictionary
                         word. The list of words to be used for the site's
                         dictionary can be specified with DICTIONLIST. It
                         should contain a comma-separated list of filenames,
                         one word per line. The database that is created
                         from these files is stored in the directory named
                         by DICTIONDBDIR (defaults to /var/passwd). See
                         mkpwdict(1M) for information on pre-generating the
                         database. If neither DICTIONLIST nor DICTIONDBDIR
                         is specified, no dictionary check is made.

       force_check       The force_check flag ensures that all callers for
                         the service are bound by the configured password
                         strength requirements.

       length            The password length should not be less than the
                         minimum specified in /etc/default/passwd.

       maximum repeats   The password must not contain more consecutively
                         repeating characters than specified by the
                         MAXREPEATS value in /etc/default/passwd. If
                         unspecified, no repeated-character check is made.

       server_policy     If the account authority for the user, as specified
                         by PAM_USER, is not files or NIS, and if
                         server_policy is specified, this module does not
                         perform any password-strength checks. Instead, it
                         leaves it to the account authority to validate the
                         new password against its own set of rules.

       upper/lower case  The password must contain at least the minimum of
                         upper- and lower-case letters specified by the
                         MINUPPER and MINLOWER values in /etc/default/passwd.
                         If unspecified, the defaults are 0.

       variation         The old and new passwords must differ by at least
                         the MINDIFF value specified in /etc/default/passwd.
                         If unspecified, the default is 3. For accounts in
                         name services that support password history
                         checking, if prior history is defined, the new
                         password must not match the prior passwords.
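       The program below is an added illustration of the local checks listed
       above (circular shift, complexity, length, maximum repeats, upper/lower
       case and variation); it is not the module's own code and not part of
       this manual. It models the /etc/default/passwd parameters as a C
       struct whose field names are this example's own, adds PASSLENGTH for
       the length check, counts "differ by MINDIFF" as the number of
       positions at which the old and new passwords differ (an assumption,
       since the module's exact metric is not stated here), and omits the
       dictionary check and server_policy, which need a word database or an
       account authority. The policy values and candidate passwords are
       constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy record mirroring the /etc/default/passwd parameters;
 * the module's documented defaults are MINALPHA=2, MINNONALPHA=1,
 * MINUPPER=MINLOWER=0 and MINDIFF=3. */
struct pw_policy {
    int passlength;   /* PASSLENGTH: minimum length */
    int minalpha;     /* MINALPHA: letters */
    int mindigit;     /* MINDIGIT: digits (MINDIGIT + MINSPECIAL = MINNONALPHA) */
    int minspecial;   /* MINSPECIAL: non-alphanumeric, non-blank characters */
    int minupper;     /* MINUPPER */
    int minlower;     /* MINLOWER */
    int mindiff;      /* MINDIFF: positions in which old and new must differ */
    int maxrepeats;   /* MAXREPEATS: longest allowed run; 0 = no check */
    bool whitespace;  /* WHITESPACE: whether blanks are permitted */
};

/* Constructed policy used by main() and the tests. */
static const struct pw_policy EXAMPLE_POLICY = {
    .passlength = 8, .minalpha = 2, .mindigit = 1, .minspecial = 1,
    .minupper = 1, .minlower = 1, .mindiff = 3, .maxrepeats = 2,
    .whitespace = false
};

/* True if pw equals the login name rotated left by some offset
 * ("alice" -> "licea", "cealc"...). Equal length is required. */
bool is_circular_shift(const char *login, const char *pw)
{
    size_t n = strlen(login);
    if (n == 0 || strlen(pw) != n)
        return false;
    for (size_t shift = 0; shift < n; shift++) {
        size_t i = 0;
        while (i < n && pw[i] == login[(i + shift) % n])
            i++;
        if (i == n)
            return true;
    }
    return false;
}

/* Length of the longest run of one repeated character ("aaab" -> 3). */
int max_consecutive_repeats(const char *pw)
{
    int best = 0, run = 0;
    for (size_t i = 0; pw[i] != '\0'; i++) {
        run = (i > 0 && pw[i] == pw[i - 1]) ? run + 1 : 1;
        if (run > best)
            best = run;
    }
    return best;
}

/* Positions at which old and new differ; the surplus characters of the
 * longer string each count as a difference (assumed metric, see above). */
int count_differences(const char *oldpw, const char *newpw)
{
    size_t lo = strlen(oldpw), ln = strlen(newpw);
    size_t common = lo < ln ? lo : ln;
    int diff = (int)(lo > ln ? lo - ln : ln - lo);
    for (size_t i = 0; i < common; i++)
        if (oldpw[i] != newpw[i])
            diff++;
    return diff;
}

/* Run the checks in the order the page lists them. Returns NULL when the
 * new password passes (the PAM_SUCCESS case) or a short reason for the
 * first failing check (the PAM_AUTHTOK_ERR case). */
const char *check_new_password(const struct pw_policy *p, const char *login,
                               const char *oldpw, const char *newpw)
{
    int alpha = 0, digit = 0, special = 0, upper = 0, lower = 0, blank = 0;

    if (is_circular_shift(login, newpw))
        return "circular shift of login name";
    for (const unsigned char *c = (const unsigned char *)newpw; *c; c++) {
        if (isalpha(*c)) { alpha++; if (isupper(*c)) upper++; else lower++; }
        else if (isdigit(*c)) digit++;
        else if (isspace(*c)) blank++;
        else special++;
    }
    if (blank > 0 && !p->whitespace)
        return "white space not allowed";
    if (alpha < p->minalpha || digit < p->mindigit || special < p->minspecial)
        return "too few letters, digits or special characters";
    if ((int)strlen(newpw) < p->passlength)
        return "too short";
    if (p->maxrepeats > 0 && max_consecutive_repeats(newpw) > p->maxrepeats)
        return "too many consecutive repeats";
    if (upper < p->minupper || lower < p->minlower)
        return "too few upper- or lower-case letters";
    if (count_differences(oldpw, newpw) < p->mindiff)
        return "too similar to old password";
    return NULL;
}

int main(void)
{
    /* Constructed candidates for login "alice" whose old password is "Passw0rd!". */
    const char *cands[] = { "licea", "Passw0rd!", "Passw0rd!!!", "Ab1!", "Sunny-d4y" };
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++) {
        const char *why = check_new_password(&EXAMPLE_POLICY, "alice", "Passw0rd!", cands[i]);
        printf("%-12s -> %s\n", cands[i], why ? why : "PAM_SUCCESS");
    }
    return 0;
}
```

       Each candidate is reported with the first failing check, which is
       also the order in which a user sees the module's rejection reasons;
       only "Sunny-d4y" reaches the PAM_SUCCESS case under this policy.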
       The following option can be passed to the module:

       debug             syslog(3C) debugging information at the LOG_DEBUG
                         level.

RETURN VALUES
       If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS is
       returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.

FILES
       /etc/default/passwd
                         See passwd(1) for a description of the contents.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Evolving │
├─────────────────────────────┼─────────────────────────────┤
│MT Level │MT-Safe with exceptions │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSO
       passwd(1), pam(3PAM), mkpwdict(1M), pam_chauthtok(3PAM), syslog(3C),
       libpam(3LIB), pam.conf(4), passwd(4), shadow(4), attributes(5),
       pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
       pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
       pam_unix_session(5)

NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

SunOS 5.10                      3 Jan 2011               pam_authtok_check(5)