path: root/doc/man/pwquality.conf.5
blob: 5eda65e36e63e08fac0270ffd812e83f7d7c03f2 (plain)
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.de FN
\fI\|\\$1\|\fP
..
.TH PWQUALITY.CONF 5 "10 Nov 2011" "Red Hat, Inc."
.SH NAME
pwquality.conf \- configuration for the libpwquality library
.SH SYNOPSIS
\fB/etc/security/pwquality.conf\fR
.SH DESCRIPTION
\fBpwquality.conf\fR provides a way to configure the default password
quality requirements for the system passwords. This file is read by the
libpwquality library and utilities that use this library for checking
and generating passwords.

The file has a very simple \fIname = value\fR format. Comments start with
the \fB#\fR character. Whitespace at the beginning of a line, at the end of a
line, and around the \fB=\fR sign is ignored.

.PD
.SH OPTIONS
The possible options in the file are:
.RS 4
.PP
\fBdifok\fR
.RS 4
Number of characters in the new password that must not be present in the
old password. (default 5)
.RE
.PP
\fBminlen\fR
.RS 4
Minimum acceptable size for the new password (plus one if credits are not
disabled, which is the default). (See \fIpam_pwquality(8)\fR.)
Cannot be set to a lower value than 6. (default 9)
.RE
.PP
\fBdcredit\fR
.RS 4
The maximum credit for having digits in the new password. If less than 0
it is the minimum number of digits in the new password. (default 1)
.RE
.PP
\fBucredit\fR
.RS 4
The maximum credit for having uppercase characters in the new password.
If less than 0 it is the minimum number of uppercase characters in the new
password. (default 1)
.RE
.PP
\fBlcredit\fR
.RS 4
The maximum credit for having lowercase characters in the new password.
If less than 0 it is the minimum number of lowercase characters in the new
password. (default 1)
.RE
.PP
\fBocredit\fR
.RS 4
The maximum credit for having other characters in the new password.
If less than 0 it is the minimum number of other characters in the new
password. (default 1)
.RE
.PP
\fBminclass\fR
.RS 4
The minimum number of required classes of characters for the new
password (digits, uppercase, lowercase, others). (default 0)
.RE
.PP
\fBmaxrepeat\fR
.RS 4
The maximum number of allowed consecutive identical characters in the new password.
The check is disabled if the value is 0. (default 0)
.RE
.PP
\fBmaxsequence\fR
.RS 4
The maximum length of monotonic character sequences in the new password.
Examples of such sequences are \*(Aq12345\*(Aq or \*(Aqfedcb\*(Aq\&. Note
that most such passwords will not pass the simplicity check unless
the sequence is only a minor part of the password.
The check is disabled if the value is 0. (default 0)
.RE
.PP
\fBmaxclassrepeat\fR
.RS 4
The maximum number of allowed consecutive characters of the same class in the
new password.
The check is disabled if the value is 0. (default 0)
.RE
.PP
\fBgecoscheck\fR
.RS 4
If nonzero, check whether words longer than 3 characters from the GECOS
field of the user's passwd entry are contained in the new password.
The check is disabled if the value is 0. (default 0)
.RE
.PP
\fBbadwords\fR
.RS 4
Space-separated list of words that must not be contained in the password. These
words are checked in addition to the cracklib dictionary check. This setting can
also be used by applications to emulate the gecos check for user accounts that
have not been created yet.
.RE
.PP
\fBdictpath\fR
.RS 4
Path to the cracklib dictionaries. Default is to use the cracklib default.
.RE
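
An added example, not part of libpwquality or this man page: a small auditor that parses the \fIname = value\fR format described above, applies the defaults listed under OPTIONS, and reports what the resulting policy enforces. The function names, the handling of a trailing \fB#\fR comment, and the credit arithmetic (taken from the rule that pam_pwquality(8) documents) are assumptions of this example.

```python
DEFAULTS = {"difok": 5, "minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "minclass": 0, "maxrepeat": 0, "maxsequence": 0,
            "maxclassrepeat": 0, "gecoscheck": 0}  # defaults from OPTIONS above
CREDITS = ("dcredit", "ucredit", "lcredit", "ocredit")
ZERO_DISABLES = ("maxrepeat", "maxsequence", "maxclassrepeat", "gecoscheck")

def parse(text):
    """Parse 'name = value' lines; return (settings, problems)."""
    settings, problems = dict(DEFAULTS), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' may follow a value
        if not line:
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not name:
            problems.append(f"line {n}: not in 'name = value' form")
        elif name in DEFAULTS:
            try:
                settings[name] = int(value)
            except ValueError:
                problems.append(f"line {n}: {name} needs an integer")
        elif name in ("badwords", "dictpath"):
            settings[name] = value
        else:
            problems.append(f"line {n}: unknown option {name}")
    return settings, problems

def audit(settings):
    """Report what the parsed policy actually enforces."""
    findings = []
    if settings["minlen"] < 6:
        findings.append("minlen is below the documented floor of 6")
    # Assumption (pam_pwquality(8) credit rule): each earned credit counts as one character of minlen.
    credit = sum(max(settings[c], 0) for c in CREDITS)
    if credit:
        shortest = settings["minlen"] - credit
        findings.append(f"credits let the length rule accept {shortest}-character passwords")
    findings += [f"{o} check is disabled" for o in ZERO_DISABLES if settings[o] == 0]
    return findings

SAMPLE = """\
# constructed sample, not a shipped default
minlen = 12
  dcredit=-1   # at least one digit
maxrepeat = 3
minlenn = 14
"""
if __name__ == "__main__":
    print(*parse(SAMPLE)[1], *audit(parse(SAMPLE)[0]), sep="\n")
```

Setting a credit option to 0 or a negative value removes it from the length discount, which is why the sample's \fBdcredit=-1\fR does not lower the reported length while the three credits left at their default of 1 do.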

.PD
.SH "SEE ALSO"
pwscore(1), pwmake(1), pam_pwquality(8)

.SH AUTHORS
.nf
Tomas Mraz <tmraz@redhat.com>
.fi