Standards, Environments, and Macros          pam_authtok_check(5)
NAME
pam_authtok_check - authentication and password management module
SYNOPSIS
pam_authtok_check.so.1
DESCRIPTION
pam_authtok_check provides functionality to the Password
Management stack. The implementation of pam_sm_chauthtok()
performs a number of checks on the construction of the newly
entered password. pam_sm_chauthtok() is invoked twice by the
PAM framework, once with flags set to PAM_PRELIM_CHECK, and
once with flags set to PAM_UPDATE_AUTHTOK. This module only
performs its checks during the first invocation. This module
expects the current authentication token in the
PAM_OLDAUTHTOK item, the new (to be checked) password in the
PAM_AUTHTOK item, and the login name in the PAM_USER item.
The checks performed by this module are:
length            The password length should not be less than the
                  minimum specified in /etc/default/passwd.
circular shift    The password should not be a circular shift of
                  the login name. This check may be disabled in
                  /etc/default/passwd.
complexity        The password should contain at least the minimum
                  number of characters described by the parameters
                  MINALPHA, MINNONALPHA, MINDIGIT, and MINSPECIAL.
                  Note that MINNONALPHA describes the same
                  character classes as MINDIGIT and MINSPECIAL
                  combined; therefore the user cannot specify both
                  MINNONALPHA and MINSPECIAL (or MINDIGIT). The
                  user must choose which of the two options to
                  use. Furthermore, the WHITESPACE parameter
                  determines whether whitespace characters are
                  allowed. If unspecified, MINALPHA is 2,
                  MINNONALPHA is 1 and WHITESPACE is yes.
variation         The old and new passwords must differ by at
                  least the MINDIFF value specified in
                  /etc/default/passwd. If unspecified, the default
                  is 3. For accounts in name services which
                  support password history checking, if prior
                  history is defined, the new password must not
                  match the prior passwords.
dictionary check  The password must not be based on a dictionary
                  word. The list of words to be used for the
                  site's dictionary can be specified with
                  DICTIONLIST. It should contain a comma-separated
                  list of filenames; each file lists one word per
                  line. The database that is created from these
                  files is stored in the directory named by
                  DICTIONDBDIR (defaults to /var/passwd). See
                  mkpwdict(1M) for information on pre-generating
                  the database. If neither DICTIONLIST nor
                  DICTIONDBDIR is specified, no dictionary check
                  is made.
upper/lower case  The password must contain at least the minimum
                  of upper- and lower-case letters specified by
                  the MINUPPER and MINLOWER values in
                  /etc/default/passwd. If unspecified, the
                  defaults are 0.
maximum repeats   The password must not contain more consecutively
                  repeating characters than specified by the
                  MAXREPEATS value in /etc/default/passwd. If
                  unspecified, no repeat character check is made.
The following options may be passed to the module:
force_check       If the PAM_NO_AUTHTOK_CHECK flag is set,
                  force_check ignores this flag. The
                  PAM_NO_AUTHTOK_CHECK flag can be set to bypass
                  password checks (see pam_chauthtok(3PAM)).
debug             syslog(3C) debugging information at the
                  LOG_DEBUG level.
RETURN VALUES
If the password in PAM_AUTHTOK passes all tests, PAM_SUCCESS
is returned. If any of the tests fail, PAM_AUTHTOK_ERR is
returned.
FILES
/etc/default/passwd See passwd(1) for a description of
the contents.
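An added example, not part of the original manual page: a small Python audit of /etc/default/passwd for the conditions described under DESCRIPTION (the MINNONALPHA conflict, and the dictionary and repeat checks being silently off). The sample file content is constructed, and NAMECHECK is the login-name switch documented in passwd(1), not on this page.

```python
import re

# Defaults this page states for parameters left unset in /etc/default/passwd.
PAGE_DEFAULTS = {"MINALPHA": "2", "MINNONALPHA": "1", "WHITESPACE": "yes",
                 "MINDIFF": "3", "MINUPPER": "0", "MINLOWER": "0"}

# Constructed sample file content, not taken from a real host.
SAMPLE = """\
#MINDIFF=3
MINALPHA=3
MINNONALPHA=1
MINDIGIT=1
NAMECHECK=NO
DICTIONDBDIR=/var/passwd
"""

def parse_passwd_defaults(text):
    """Parse KEY=VALUE lines; '#' starts a comment; a later assignment wins."""
    settings = {}
    for line in text.splitlines():
        match = re.fullmatch(r"([A-Z_]+)=(.*)", line.split("#", 1)[0].strip())
        if match:
            settings[match.group(1)] = match.group(2).strip().strip('"')
    return settings

def audit(settings):
    """Return (effective_values, findings) for the checks this page describes."""
    findings = []
    split = [k for k in ("MINDIGIT", "MINSPECIAL") if k in settings]
    if "MINNONALPHA" in settings and split:
        findings.append("conflict: MINNONALPHA set together with " + ", ".join(split))
    if not settings.get("DICTIONLIST") and not settings.get("DICTIONDBDIR"):
        findings.append("dictionary check off: no DICTIONLIST or DICTIONDBDIR")
    if not settings.get("MAXREPEATS"):
        findings.append("repeat check off: MAXREPEATS unset")
    # NAMECHECK is the switch named in passwd(1), not on this page (assumption).
    if settings.get("NAMECHECK", "yes").lower() == "no":
        findings.append("circular shift check off: NAMECHECK=NO")
    effective = dict(PAGE_DEFAULTS)
    if split:
        # The page gives no MINNONALPHA default once the split classes are used.
        effective.pop("MINNONALPHA")
    effective.update(settings)
    return effective, findings

if __name__ == "__main__":
    effective, findings = audit(parse_passwd_defaults(SAMPLE))
    for finding in findings:
        print("FINDING:", finding)
    print("effective:", effective)
```

Run it against a copy of the host's /etc/default/passwd by passing the file's text to parse_passwd_defaults() in place of SAMPLE.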
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE        ATTRIBUTE VALUE
Interface Stability   Evolving
MT Level              MT-Safe with exceptions
SEE ALSO
passwd(1), pam(3PAM), mkpwdict(1M), pam_chauthtok(3PAM),
syslog(3C), libpam(3LIB), pam.conf(4), passwd(4), shadow(4),
attributes(5), pam_authtok_get(5), pam_authtok_store(5),
pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle.
The pam_unix(5) module is no longer supported. Similar
functionality is provided by pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
and pam_unix_session(5).
SunOS 5.11          Last change: 1 Mar 2005