aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_cracklib/pam_cracklib.8.xml
diff options
context:
space:
mode:
authorDmitry V. Levin <ldv@altlinux.org>2020-10-29 08:00:00 +0000
committerDmitry V. Levin <ldv@altlinux.org>2020-10-29 08:00:00 +0000
commitd702ff714c309069111899fd07c09e31c414c166 (patch)
tree0e4b5cf2449b8237ec9468faf2bba34c2e865076 /modules/pam_cracklib/pam_cracklib.8.xml
parenta0d402a38d0f043861879b287ac6069cb8a7d4b9 (diff)
downloadpam-d702ff714c309069111899fd07c09e31c414c166.tar.gz
pam-d702ff714c309069111899fd07c09e31c414c166.tar.bz2
pam-d702ff714c309069111899fd07c09e31c414c166.zip
Remove deprecated pam_cracklib module
* ci/install-dependencies.sh: Remove libcrack2-dev. * ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-cracklib=check. * conf/pam.conf: Remove references to pam_cracklib.so. * configure.ac: Remove --enable-cracklib option. (AC_SUBST): Remove LIBCRACK. (AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB. (AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile. * doc/sag/pam_cracklib.xml: Remove. * doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml. * modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove. (SUBDIRS): Remove MAYBE_PAM_CRACKLIB. * modules/pam_cracklib/Makefile.am: Remove. * modules/pam_cracklib/README.xml: Likewise. * modules/pam_cracklib/pam_cracklib.8.xml: Likewise. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_cracklib/tst-pam_cracklib: Likewise. * xtests/tst-pam_cracklib1.c: Likewise. * xtests/tst-pam_cracklib1.pamd: Likewise. * xtests/tst-pam_cracklib2.c: Likewise. * xtests/tst-pam_cracklib2.pamd: Likewise. * modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib in examples with pam_passwdqc. * modules/pam_unix/pam_unix.8.xml: Likewise. * po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c. * xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2. * xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd and tst-pam_cracklib2.pamd. (XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2. * NEWS: Document this change.
Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
-rw-r--r--modules/pam_cracklib/pam_cracklib.8.xml592
1 files changed, 0 insertions, 592 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
deleted file mode 100644
index 75e44e2d..00000000
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ /dev/null
@@ -1,592 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_cracklib">
-
- <refmeta>
- <refentrytitle>pam_cracklib</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_cracklib-name">
- <refname>pam_cracklib</refname>
- <refpurpose>PAM module to check the password against dictionary words</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_cracklib-cmdsynopsis">
- <command>pam_cracklib.so</command>
- <arg choice="opt">
- <replaceable>...</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_cracklib-description">
-
- <title>DESCRIPTION</title>
-
- <para>
- This module can be plugged into the <emphasis>password</emphasis> stack of
- a given application to provide some plug-in strength-checking for passwords.
- </para>
-
- <para>
- The action of this module is to prompt the user for a password and
- check its strength against a system dictionary and a set of rules for
- identifying poor choices.
- </para>
-
- <para>
- The first action is to prompt for a single password, check its
- strength and then, if it is considered strong, prompt for the password
- a second time (to verify that it was typed correctly on the first
- occasion). All being well, the password is passed on to subsequent
- modules to be installed as the new authentication token.
- </para>
-
- <para>
- The strength checks works in the following manner: at first the
- <function>Cracklib</function> routine is called to check if the password
- is part of a dictionary; if this is not the case an additional set of
- strength checks is done. These checks are:
- </para>
-
- <variablelist>
- <varlistentry>
- <term>Palindrome</term>
- <listitem>
- <para>
- Is the new password a palindrome?
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Case Change Only</term>
- <listitem>
- <para>
- Is the new password the old one with only a change of case?
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Similar</term>
- <listitem>
- <para>
- Is the new password too much like the old one?
- This is primarily controlled by one argument,
- <option>difok</option> which is a number of character changes
- (inserts, removals, or replacements) between the old and new
- password that are enough to accept the new password.
- This defaults to 5 changes.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Simple</term>
- <listitem>
- <para>
- Is the new password too small?
- This is controlled by 6 arguments <option>minlen</option>,
- <option>maxclassrepeat</option>,
- <option>dcredit</option>, <option>ucredit</option>,
- <option>lcredit</option>, and <option>ocredit</option>. See the section
- on the arguments for the details of how these work and there defaults.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Rotated</term>
- <listitem>
- <para>
- Is the new password a rotated version of the old password?
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Same consecutive characters</term>
- <listitem>
- <para>
- Optional check for same consecutive characters.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Too long monotonic character sequence</term>
- <listitem>
- <para>
- Optional check for too long monotonic character sequence.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>Contains user name</term>
- <listitem>
- <para>
- Optional check whether the password contains the user's name
- in some form.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- <para>
- This module with no arguments will work well for standard unix
- password encryption. With md5 encryption, passwords can be longer
- than 8 characters and the default settings for this module can make it
- hard for the user to choose a satisfactory new password. Notably, the
- requirement that the new password contain no more than 1/2 of the
- characters in the old password becomes a non-trivial constraint. For
- example, an old password of the form "the quick brown fox jumped over
- the lazy dogs" would be difficult to change... In addition, the
- default action is to allow passwords as small as 5 characters in
- length. For a md5 systems it can be a good idea to increase the
- required minimum size of a password. One can then allow more credit
- for different kinds of characters but accept that the new password may
- share most of these characters with the old password.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_cracklib-options">
-
- <title>OPTIONS</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- This option makes the module write information to
- <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>
- indicating the behavior of the module (this option does
- not write password information to the log file).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>authtok_type=<replaceable>XXX</replaceable></option>
- </term>
- <listitem>
- <para>
- The default action is for the module to use the
- following prompts when requesting passwords:
- "New UNIX password: " and "Retype UNIX password: ".
- The example word <emphasis>UNIX</emphasis> can
- be replaced with this option, by default it is empty.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>retry=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- Prompt user at most <replaceable>N</replaceable> times
- before returning with error. The default is
- <emphasis>1</emphasis>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>difok=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- This argument will change the default of
- <emphasis>5</emphasis> for the number of character
- changes in the new password that differentiate it
- from the old password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>minlen=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- The minimum acceptable size for the new password (plus
- one if credits are not disabled which is the default).
- In addition to the number of characters in the new password,
- credit (of +1 in length) is given for each different kind
- of character (<emphasis>other</emphasis>,
- <emphasis>upper</emphasis>, <emphasis>lower</emphasis> and
- <emphasis>digit</emphasis>). The default for this parameter
- is <emphasis>9</emphasis> which is good for a old style UNIX
- password all of the same type of character but may be too low
- to exploit the added security of a md5 system. Note that
- there is a pair of length limits in
- <emphasis>Cracklib</emphasis> itself, a "way too short" limit
- of 4 which is hard coded in and a defined limit (6) that will
- be checked without reference to <option>minlen</option>.
- If you want to allow passwords as short as 5 characters you
- should not use this module.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>dcredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having digits in
- the new password. If you have less than or
- <replaceable>N</replaceable>
- digits, each digit will count +1 towards meeting the current
- <option>minlen</option> value. The default for
- <option>dcredit</option> is 1 which is the recommended
- value for <option>minlen</option> less than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of digits that must
- be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>ucredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having upper
- case letters in the new password. If you have less than
- or <replaceable>N</replaceable> upper case letters each
- letter will count +1 towards meeting the current
- <option>minlen</option> value. The default for
- <option>ucredit</option> is <emphasis>1</emphasis> which
- is the recommended value for <option>minlen</option> less
- than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of upper
- case letters that must be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>lcredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having
- lower case letters in the new password. If you have
- less than or <replaceable>N</replaceable> lower case
- letters, each letter will count +1 towards meeting the
- current <option>minlen</option> value. The default for
- <option>lcredit</option> is 1 which is the recommended
- value for <option>minlen</option> less than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of lower
- case letters that must be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>ocredit=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- (N &gt;= 0) This is the maximum credit for having other
- characters in the new password. If you have less than or
- <replaceable>N</replaceable> other characters, each
- character will count +1 towards meeting the current
- <option>minlen</option> value. The default for
- <option>ocredit</option> is 1 which is the recommended
- value for <option>minlen</option> less than 10.
- </para>
- <para>
- (N &lt; 0) This is the minimum number of other
- characters that must be met for a new password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>minclass=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- The minimum number of required classes of characters for
- the new password. The default number is zero. The four
- classes are digits, upper and lower letters and other
- characters.
- The difference to the <option>credit</option> check is
- that a specific class if of characters is not required.
- Instead <replaceable>N</replaceable> out of four of the
- classes are required.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>maxrepeat=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- Reject passwords which contain more than N same consecutive
- characters. The default is 0 which means that this check
- is disabled.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>maxsequence=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- Reject passwords which contain monotonic character sequences
- longer than N. The default is 0 which means that this check
- is disabled. Examples of such sequence are '12345' or 'fedcb'.
- Note that most such passwords will not pass the simplicity
- check unless the sequence is only a minor part of the password.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>maxclassrepeat=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- Reject passwords which contain more than N consecutive
- characters of the same class. The default is 0 which means
- that this check is disabled.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>reject_username</option>
- </term>
- <listitem>
- <para>
- Check whether the name of the user in straight or reversed
- form is contained in the new password. If it is found the
- new password is rejected.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>gecoscheck</option>
- </term>
- <listitem>
- <para>
- Check whether the words from the GECOS field (usually full name
- of the user) longer than 3 characters in straight or reversed
- form are contained in the new password. If any such word is
- found the new password is rejected.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>enforce_for_root</option>
- </term>
- <listitem>
- <para>
- The module will return error on failed check also if the user
- changing the password is root. This option is off by default
- which means that just the message about the failed check is
- printed but root can change the password anyway.
- Note that root is not asked for an old password so the checks
- that compare the old and new password are not performed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>use_authtok</option>
- </term>
- <listitem>
- <para>
- This argument is used to <emphasis>force</emphasis> the
- module to not prompt the user for a new password but use
- the one provided by the previously stacked
- <emphasis>password</emphasis> module.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>dictpath=<replaceable>/path/to/dict</replaceable></option>
- </term>
- <listitem>
- <para>
- Path to the cracklib dictionaries.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id="pam_cracklib-types">
- <title>MODULE TYPES PROVIDED</title>
- <para>
- Only the <option>password</option> module type is provided.
- </para>
- </refsect1>
-
- <refsect1 id='pam_cracklib-return_values'>
- <title>RETURN VALUES</title>
- <para>
- <variablelist>
-
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The new password passes all checks.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTHTOK_ERR</term>
- <listitem>
- <para>
- No new password was entered,
- the username could not be determined or the new
- password fails the strength checks.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTHTOK_RECOVERY_ERR</term>
- <listitem>
- <para>
- The old password was not supplied by a previous stacked
- module or got not requested from the user.
- The first error can happen if <option>use_authtok</option>
- is specified.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- A internal error occurred.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </para>
- </refsect1>
-
- <refsect1 id='pam_cracklib-examples'>
- <title>EXAMPLES</title>
- <para>
- For an example of the use of this module, we show how it may be
- stacked with the password component of
- <citerefentry>
- <refentrytitle>pam_unix</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- <programlisting>
-#
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
-# "use_authtok" argument ensures that the pam_unix module does not
-# prompt for a password, but instead uses the one provided by
-# pam_cracklib.
-#
-passwd password required pam_cracklib.so retry=3
-passwd password required pam_unix.so use_authtok
- </programlisting>
- </para>
-
- <para>
- Another example (in the <filename>/etc/pam.d/passwd</filename> format)
- is for the case that you want to use md5 password encryption:
- <programlisting>
-#%PAM-1.0
-#
-# These lines allow a md5 systems to support passwords of at least 14
-# bytes with extra credit of 2 for digits and 2 for others the new
-# password must have at least three bytes that are not present in the
-# old password
-#
-password required pam_cracklib.so \
- difok=3 minlen=15 dcredit= 2 ocredit=2
-password required pam_unix.so use_authtok nullok md5
- </programlisting>
- </para>
-
- <para>
- And here is another example in case you don't want to use credits:
- <programlisting>
-#%PAM-1.0
-#
-# These lines require the user to select a password with a minimum
-# length of 8 and with at least 1 digit number, 1 upper case letter,
-# and 1 other character
-#
-password required pam_cracklib.so \
- dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
-password required pam_unix.so use_authtok nullok md5
- </programlisting>
- </para>
-
- </refsect1>
-
- <refsect1 id='pam_cracklib-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_cracklib-author'>
- <title>AUTHOR</title>
- <para>
- pam_cracklib was written by Cristian Gafton &lt;gafton@redhat.com&gt;
- </para>
- </refsect1>
-
-</refentry>
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-14 20:26:08 +0000