pam_authtok_check(5) Standards, Environments, and Macros pam_authtok_check(5)
pam_authtok_check - authentication and password management module
pam_authtok_check provides functionality to the Password Management
stack. The implementation of pam_sm_chauthtok() performs a number of
checks on the construction of the newly entered password. pam_sm_chau-
thtok() is invoked twice by the PAM framework, once with flags set to
PAM_PRELIM_CHECK, and once with flags set to PAM_UPDATE_AUTHTOK. This
module only performs its checks during the first invocation. This mod-
ule expects the current authentication token in the PAM_OLDAUTHTOK
item, the new (to be checked) password in the PAM_AUTHTOK item, and the
login name in the PAM_USER item. The checks performed by this module
length The password length should not be less that the minimum
specified in /etc/default/passwd.
circular shift The password should not be a circular shift of the
login name. This check may be disabled in
complexity The password should contain at least the minimum number
of characters described by the parameters MINALPHA,
MINNONALPHA, MINDIGIT, and MINSPECIAL. Note that MIN-
NONALPHA describes the same character classes as
MINDIGIT and MINSPECIAL combined; therefore the user
cannot specify both MINNONALPHA and MINSPECIAL (or
MINDIGIT). The user must choose which of the two
options to use. Furthermore, the WHITESPACE parameter
determines whether whitespace characters are allowed.
If unspecified MINALPHA is 2, MINNONALPHA is 1 and
WHITESPACE is yes
variation The old and new passwords must differ by at least the
MINDIFF value specified in /etc/default/passwd. If
unspecified, the default is 3. For accounts in name
services which support password history checking, if
prior history is defined, the new password must not
match the prior passwords.
dictionary checkThe password must not be based on a dictionary word.
The list of words to be used for the site's dictionary
can be specified with DICTIONLIST. It should contain a
comma-separated list of filenames, one word per line.
The database that is created from these files is stored
in the directory named by DICTIONDBDIR (defaults to
/var/passwd). See mkpwdict(1M) for information on pre-
generating the database. If neither DICTIONLIST nor
DICTIONDBDIR is specified, no dictionary check is made.
upper/lower caseThe password must contain at least the minimum of
upper- and lower-case letters specified by the MINUPPER
and MINLOWER values in /etc/default/passwd. If unspeci-
fied, the defaults are 0.
maximum repeats The password must not contain more consecutively
repeating characters than specified by the MAXREPEATS
value in /etc/default/passwd. If unspecified, no repeat
character check is made.
The following option may be passed to the module:
debug syslog(3C) debugging information at the LOG_DEBUG level
If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS is
returned. If any of the tests fail, PAM_AUTHTOK_ERR is returned.
/etc/default/passwd See passwd(1) for a description of the con-
See attributes(5) for descriptions of the following attributes:
tab() allbox; cw(2.750000i)| cw(2.750000i) lw(2.750000i)|
lw(2.750000i). ATTRIBUTE TYPEATTRIBUTE VALUE Interface StabilityEvolv-
ing MT LevelMT-Safe with exceptions
passwd(1), pam(3PAM), mkpwdict(1M), pam_chauthtok(3PAM), syslog(3C),
libpam(3LIB), pam.conf(4), passwd(4), shadow(4), attributes(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
The interfaces in libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.
The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_authtok_check(5), pam_authtok_get(5), pam_auth-
tok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), and pam_unix_session(5).
SunOS 5.10 4 Jun 2004 pam_authtok_check(5)