1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
=pod
=head1 NAME
pwquality.conf - configuration for the libpwquality library
=head1 SYNOPSIS
F</etc/security/pwquality.conf>
F</etc/security/pwquality.conf.d/*.conf>
=head1 DESCRIPTION
B<pwquality.conf> provides a way to configure the default password
quality requirements for the system passwords. This file is read by the
libpwquality library and utilities that use this library for checking
and generating passwords.
The file has a very simple I<name = value> format with possible comments
starting with C<#> character. The whitespace at the beginning of line, end
of line, and around the C<=> sign is ignored.
The libpwquality library also first reads all F<*.conf> files from the
F</etc/security/pwquality.conf.d> directory in ASCII sorted order. The
values of the same settings are overriden in the order the files are parsed.
=head1 OPTIONS
The possible options in the file are:
=over 4
=item B<difok>
Number of characters in the new password that must not be present in the
old password. (default 1)
The special value of 0 disables all checks of similarity of the new password
with the old password except the new password being exactly the same as
the old one.
=item B<minlen>
Minimum acceptable size for the new password (plus one if credits are not
disabled which is the default). (See L<pam_pwquality(8)>.)
Cannot be set to lower value than 6. (default 8)
=item B<dcredit>
The maximum credit for having digits in the new password. If less than 0
it is the minimum number of digits in the new password. (default 0)
=item B<ucredit>
The maximum credit for having uppercase characters in the new password.
If less than 0 it is the minimum number of uppercase characters in the new
password. (default 0)
=item B<lcredit>
The maximum credit for having lowercase characters in the new password.
If less than 0 it is the minimum number of lowercase characters in the new
password. (default 0)
=item B<ocredit>
The maximum credit for having other characters in the new password.
If less than 0 it is the minimum number of other characters in the new
password. (default 0)
=item B<minclass>
The minimum number of required classes of characters for the new
password (digits, uppercase, lowercase, others). (default 0)
=item B<maxrepeat>
The maximum number of allowed same consecutive characters in the new password.
The check is disabled if the value is 0. (default 0)
=item B<maxsequence>
The maximum length of monotonic character sequences in the new password.
Examples of such sequence are '12345' or 'fedcb'. Note
that most such passwords will not pass the simplicity check unless
the sequence is only a minor part of the password.
The check is disabled if the value is 0. (default 0)
=item B<maxclassrepeat>
The maximum number of allowed consecutive characters of the same class in the
new password.
The check is disabled if the value is 0. (default 0)
=item B<gecoscheck>
If nonzero, check whether the words longer than 3 characters from the I<GECOS>
field of the user's L<passwd(5)> entry are contained in the new password.
The check is disabled if the value is 0. (default 0)
=item B<dictcheck>
If nonzero, check whether the password (with possible modifications)
matches a word in a dictionary. Currently the dictionary check is performed
using the cracklib library. (default 1)
=item B<usercheck=>I<N>
If nonzero, check whether the password (with possible modifications)
contains the user name in some form. It is not performed for user names shorter
than 3 characters. (default 1)
=item B<enforcing=>I<N>
If nonzero, reject the password if it fails the checks, otherwise
only print the warning. This setting applies only to the pam_pwquality module
and possibly other applications that explicitly change their behavior
based on it. It does not affect L<pwmake(1)> and L<pwscore(1)>. (default 1)
=item B<badwords>
Space separated list of words that must not be contained in the password. These
are additional words to the cracklib dictionary check. This setting can be
also used by applications to emulate the gecos check for user accounts that are
not created yet.
=item B<dictpath>
Path to the cracklib dictionaries. Default is to use the cracklib default.
=back
=head1 SEE ALSO
L<pwscore(1)>, L<pwmake(1)>, L<pam_pwquality(8)>
=head1 AUTHORS
Tomas Mraz <tmraz@redhat.com>
|
