
pam_authtok_check(5)  Standards, Environments, and Macros pam_authtok_check(5)



NAME
       pam_authtok_check - authentication and password management module

SYNOPSIS
       pam_authtok_check.so.1

DESCRIPTION
       pam_authtok_check provides functionality to the Password Management
       stack. The implementation of pam_sm_chauthtok() performs a number of
       checks on the construction of the newly entered password.
       pam_sm_chauthtok() is invoked twice by the PAM framework, once with
       flags set to PAM_PRELIM_CHECK, and once with flags set to
       PAM_UPDATE_AUTHTOK. This module only performs its checks during the
       first invocation. This module expects the current authentication
       token in the PAM_OLDAUTHTOK item, the new (to be checked) password in
       the PAM_AUTHTOK item, and the login name in the PAM_USER item. The
       checks performed by this module are:

       length          The password length should not be less than the minimum
                       specified in /etc/default/passwd.



       circular shift  The  password  should  not  be  a circular shift of the
                       login   name.   This   check   may   be   disabled   in
                       /etc/default/passwd.



       complexity      The password should contain at least the minimum number
                       of characters described by the parameters MINALPHA,
                       MINNONALPHA, MINDIGIT, and MINSPECIAL. Note that
                       MINNONALPHA describes the same character classes as
                       MINDIGIT and MINSPECIAL combined; therefore the user
                       cannot specify both MINNONALPHA and MINSPECIAL (or
                       MINDIGIT). The user must choose which of the two
                       options to use. Furthermore, the WHITESPACE parameter
                       determines whether whitespace characters are allowed.
                       If unspecified, MINALPHA is 2, MINNONALPHA is 1, and
                       WHITESPACE is yes.



       variation       The  old  and new passwords must differ by at least the
                       MINDIFF  value  specified  in  /etc/default/passwd.  If
                       unspecified,  the  default  is  3. For accounts in name
                       services which support password  history  checking,  if
                       prior  history  is  defined,  the new password must not
                       match the prior passwords.



       dictionary check
                       The password must not be based on a dictionary word.
                       The list of words to be used for the site's dictionary
                       can be specified with DICTIONLIST. It should contain a
                       comma-separated list of filenames, one word per line.
                       The database that is created from these files is stored
                       in the directory named by DICTIONDBDIR (defaults to
                       /var/passwd). See mkpwdict(1M) for information on
                       pre-generating the database. If neither DICTIONLIST nor
                       DICTIONDBDIR is specified, no dictionary check is made.



       upper/lower case
                       The password must contain at least the minimum number
                       of upper- and lower-case letters specified by the
                       MINUPPER and MINLOWER values in /etc/default/passwd.
                       If unspecified, the defaults are 0.



       maximum repeats The   password  must  not  contain  more  consecutively
                       repeating characters than specified by  the  MAXREPEATS
                       value in /etc/default/passwd. If unspecified, no repeat
                       character check is made.
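
       The following C sketch is an added example, not Solaris source code:
       it shows how the circular shift, complexity, upper/lower case, and
       maximum repeats checks described above can be evaluated. The struct
       policy, the PW_* codes, exact-case rotation matching, and treating
       "special" characters as punctuation are assumptions of the example.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical policy struct; fields mirror parameters named on this page.
 * max_repeats == 0 means "unspecified, no repeat check". */
struct policy { int min_alpha, min_nonalpha, min_upper, min_lower, max_repeats, whitespace_ok; };
/* Defaults the page gives for unspecified parameters. */
static const struct policy PAGE_DEFAULTS = { 2, 1, 0, 0, 0, 1 };
enum { PW_OK, PW_SHIFT, PW_WHITESPACE, PW_COMPLEXITY, PW_CASE, PW_REPEATS };

/* 1 if pw is a rotation of login. Exact-case comparison is an assumption. */
int is_circular_shift(const char *login, const char *pw)
{
    size_t n = strlen(login);
    if (n == 0 || strlen(pw) != n) return 0;
    for (size_t s = 0; s < n; s++) {
        size_t i = 0;
        while (i < n && pw[i] == login[(s + i) % n])
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Returns PW_OK or the code of the first failed check. */
int check_password(const struct policy *p, const char *login, const char *pw)
{
    int alpha = 0, nonalpha = 0, upper = 0, lower = 0, run = 0, maxrun = 0;
    if (is_circular_shift(login, pw))
        return PW_SHIFT;
    for (size_t i = 0; pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isspace(c) && !p->whitespace_ok)
            return PW_WHITESPACE;
        alpha += isalpha(c) != 0;
        nonalpha += isdigit(c) || ispunct(c); /* assumed: special = punctuation */
        upper += isupper(c) != 0;
        lower += islower(c) != 0;
        run = (i > 0 && pw[i] == pw[i - 1]) ? run + 1 : 1; /* current run length */
        if (run > maxrun) maxrun = run;
    }
    if (alpha < p->min_alpha || nonalpha < p->min_nonalpha)
        return PW_COMPLEXITY;
    if (upper < p->min_upper || lower < p->min_lower)
        return PW_CASE;
    if (p->max_repeats > 0 && maxrun > p->max_repeats)
        return PW_REPEATS;
    return PW_OK;
}
```

       With the defaults above, a password made only of letters fails the
       complexity check because MINNONALPHA is 1.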



       The following option may be passed to the module:

       debug           syslog(3C) debugging information at the LOG_DEBUG level



RETURN VALUES
       If the  password  in  PAM_AUTHTOK  passes  all  tests,  PAM_SUCCESS  is
       returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.

FILES
       /etc/default/passwd     See passwd(1) for a description of the
                               contents.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


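       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       | Interface Stability         | Evolving                    |
       +-----------------------------+-----------------------------+
       | MT Level                    | MT-Safe with exceptions     |
       +-----------------------------+-----------------------------+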


SEE ALSO
       passwd(1), pam(3PAM),  mkpwdict(1M),  pam_chauthtok(3PAM),  syslog(3C),
       libpam(3LIB),   pam.conf(4),   passwd(4),   shadow(4),   attributes(5),
       pam_authtok_get(5),        pam_authtok_store(5),         pam_dhkeys(5),
       pam_passwd_auth(5),        pam_unix_account(5),       pam_unix_auth(5),
       pam_unix_session(5)

NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each  thread  within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).



SunOS 5.10                        4 Jun 2004              pam_authtok_check(5)