pam_cracklib
Author: Cristian Gafton <gafton@sorosis.ro>
Management group provided: password
System dependencies: requires the system library libcrack and a system dictionary, /usr/lib/cracklib_dict.
This module can be plugged into the password stack of a given application to provide plug-in strength-checking for passwords. (Note: this does not necessarily work with the pam_unix module, although it is known to work with the pam_pwdb replacement for the unix module; see the example below and the pam_pwdb write-up for more information.)
Recognized arguments: debug; type=XXX; retry=N
The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.
The default action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.
The default action may be modified in a number of ways using the arguments recognized by the module:
debug - this option makes the module write information to syslog(3) indicating the behavior of the module (this option does not write password information to the log file).
type=XXX - the default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". Using this option you can replace the word UNIX with XXX.
retry=N - the default number of times this module will request a new password (for strength-checking) from the user is 1. Using this argument this can be increased to N.
(At the time of writing, this module can only be stacked before the pam_pwdb module. Cracklib strength checking may be compiled by default into the pam_unix module.)
For an example of the use of this module, we show how it may be stacked with the password component of pam_pwdb:
#
# These lines stack two password type modules. In this example the user
# is given 3 opportunities to enter a strong password. The
# "use_authtok" argument ensures that the pam_pwdb module does not
# prompt for a password, but instead uses the one provided by
# pam_cracklib.
#
passwd password required pam_cracklib.so retry=3
passwd password required pam_pwdb.so use_authtok
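To make the behaviour of the two lines above concrete, here is an added example (not code from the Linux-PAM project or this page's author): a small Python model of a PAM password stack in which a pam_cracklib stand-in prompts, strength-checks and retries as described, leaves the accepted token in the handle, and a pam_pwdb stand-in either takes that token (use_authtok) or prompts the user all over again. The rules in fascist_check, the dictionary, the return codes and the scripted replies are all constructed stand-ins for libcrack, /usr/lib/cracklib_dict and a real user; they are assumptions, not the library's actual checks or thresholds.

```python
"""
Added example, not code from the Linux-PAM project: a model of a PAM 'password'
stack showing pam_cracklib's prompt/check/retry behaviour and the use_authtok
hand-off to the next module.  fascist_check() and DICTIONARY are a simplified,
hypothetical stand-in for libcrack and its dictionary (the real checks are
stricter and the real word list far larger).
"""

PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 1           # no acceptable token could be obtained
PAM_AUTHTOK_RECOVER_ERR = 2   # use_authtok given but no token left by a previous module

# Constructed stand-in for /usr/lib/cracklib_dict.
DICTIONARY = {"password", "letmein", "dragon", "monkey", "welcome", "secret"}


def fascist_check(candidate, old=None, dictionary=DICTIONARY):
    """Return None if the candidate passes, else the reason it is a poor choice.
    The categories (too short, trivial change of the old one, dictionary-based,
    palindrome) are the kind of rule libcrack applies; thresholds are assumed."""
    lower = candidate.lower()
    if len(candidate) < 6:
        return "it is too short"
    if old is not None:
        if candidate == old:
            return "it is the same as the old one"
        if lower == old.lower():
            return "it only differs from the old one by case"
    stripped = lower.strip("0123456789!@#$%^&*")   # strip leading/trailing decoration
    if lower in dictionary or lower[::-1] in dictionary or stripped in dictionary:
        return "it is based on a dictionary word"
    if lower == lower[::-1]:
        return "it is a palindrome"
    return None


def pam_cracklib(handle, converse, retry=1, type_="UNIX", debug=False):
    """Model of the module's password action: up to `retry` attempts to obtain a
    strong new password, each confirmed by a second prompt.  On success the token
    is left in the handle for the next module.  As with the real debug option,
    nothing written to the log contains the password itself."""
    for attempt in range(1, retry + 1):
        if debug:
            handle["syslog"].append(f"pam_cracklib: attempt {attempt} of {retry}")
        new = converse(f"New {type_} password: ")
        reason = fascist_check(new, handle.get("OLDAUTHTOK"))
        if reason is not None:
            handle["messages"].append(f"BAD PASSWORD: {reason}")
            continue
        if converse(f"Retype {type_} password: ") != new:
            # Assumption: a mistyped confirmation also uses up one of the retries.
            handle["messages"].append("Sorry, passwords do not match.")
            continue
        handle["AUTHTOK"] = new
        return PAM_SUCCESS
    return PAM_AUTHTOK_ERR


def pam_pwdb(handle, converse, use_authtok=False):
    """Model of pam_pwdb's password action.  With use_authtok it installs the
    token left by the previous module instead of prompting; without it, the user
    is asked for (and must retype) the password a second time."""
    if use_authtok:
        token = handle.get("AUTHTOK")
        if token is None:
            return PAM_AUTHTOK_RECOVER_ERR
    else:
        token = converse("New UNIX password: ")
        if converse("Retype UNIX password: ") != token:
            return PAM_AUTHTOK_ERR
    handle["stored"] = token      # stands in for writing the new hash to the password database
    return PAM_SUCCESS


def run_password_stack(stack, replies, old="oldpass"):
    """Run (control, module, kwargs) entries with scripted user replies.
    'required' records the first failure but still runs the rest of the stack,
    which is how PAM treats that control flag."""
    handle = {"OLDAUTHTOK": old, "messages": [], "syslog": []}
    queue = iter(replies)
    prompts = []

    def converse(prompt):
        prompts.append(prompt)
        return next(queue, "")

    result = PAM_SUCCESS
    for control, module, kwargs in stack:
        rc = module(handle, converse, **kwargs)
        if rc != PAM_SUCCESS and control == "required" and result == PAM_SUCCESS:
            result = rc
    return result, handle, prompts


# The two pam.conf lines from the page, as stack entries:
#   passwd password required pam_cracklib.so retry=3
#   passwd password required pam_pwdb.so use_authtok
STACK = [("required", pam_cracklib, {"retry": 3}),
         ("required", pam_pwdb, {"use_authtok": True})]

# Same stack with use_authtok left off pam_pwdb: the user is prompted twice more.
STACK_NO_AUTHTOK = [("required", pam_cracklib, {"retry": 3}),
                    ("required", pam_pwdb, {"use_authtok": False})]


def demo(stack=STACK):
    """Constructed session: 'dragon' is rejected as a dictionary word, the second
    attempt is mistyped on confirmation, the third is accepted."""
    replies = ["dragon",
               "Tr0ub4dor&3", "Tr0ub4dor&4",
               "Tr0ub4dor&3", "Tr0ub4dor&3",
               "Tr0ub4dor&3", "Tr0ub4dor&3"]   # last two are consumed only without use_authtok
    return run_password_stack(stack, replies)


if __name__ == "__main__":
    rc, handle, prompts = demo()
    print("result", rc, "prompts issued", len(prompts), "stored", handle.get("stored"))
    for m in handle["messages"]:
        print(m)
```

Running demo() against STACK issues five prompts (one rejected attempt, one mismatched pair, one accepted pair) and pam_pwdb installs the token without asking again; the same replies against STACK_NO_AUTHTOK cost two further prompts. When all three retries are exhausted the stack fails as a whole, and pam_pwdb with use_authtok fails too because there is no token for it to recover, which is the failure mode the use_authtok line is meant to avoid.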