Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   31170 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

PASSWDQC.CONF(5)	    BSD File Formats Manual	      PASSWDQC.CONF(5)

NAME
     passwdqc.conf — libpasswdqc configuration file

DESCRIPTION
     libpasswdqc is a simple password strength checking library.  In addition
     to checking regular passwords, it offers support for passphrases and can
     provide randomly generated ones.  A passwdqc.conf configuration file may
     be used to override default libpasswdqc settings.

FORMAT
     A passwdqc.conf file consists of 0 or more lines of the following format:
	   option=value

     Empty lines and lines beginning with “#” are ignored.  Whitespace charac‐
     ters between the option, “=”, and value are not allowed.

DIRECTIVE OPTIONS
     config=FILE
	     Load the specified configuration FILE in the passwdqc.conf for‐
	     mat.  This file may define any options described in this manual,
	     including load of yet another configuration file, but loops are
	     not allowed.

PASSWORD QUALITY CONTROL OPTIONS
     min=N0,N1,N2,N3,N4
	     (default: min=disabled,24,11,8,7) The minimum allowed password
	     lengths for different kinds of passwords/passphrases.  The key‐
	     word disabled can be used to disallow passwords of a given kind
	     regardless of their length.  Each subsequent number is required
	     to be no larger than the preceding one.

	     N0 is used for passwords consisting of characters from one char‐
	     acter class only.	The character classes are: digits, lower-case
	     letters, upper-case letters, and other characters.	 There is also
	     a special class for non-ASCII characters, which could not be
	     classified, but are assumed to be non-digits.

	     N1 is used for passwords consisting of characters from two char‐
	     acter classes that do not meet the requirements for a passphrase.

	     N2 is used for passphrases.  Note that besides meeting this
	     length requirement, a passphrase must also consist of a suffi‐
	     cient number of words (see the passphrase option below).

	     N3 and N4 are used for passwords consisting of characters from
	     three and four character classes, respectively.

	     When calculating the number of character classes, upper-case let‐
	     ters used as the first character and digits used as the last
	     character of a password are not counted.

	     In addition to being sufficiently long, passwords are required to
	     contain enough different characters for the character classes and
	     the minimum length they have been checked against.

     max=N   (default: max=40) The maximum allowed password length.  This can
	     be used to prevent users from setting passwords that may be too
	     long for some system services.  The value 8 is treated specially:
	     if max is set to 8, passwords longer than 8 characters will not
	     be rejected, but will be truncated to 8 characters for the
	     strength checks and the user will be warned.  This is to be used
	     with the traditional DES-based password hashes, which truncate
	     the password at 8 characters.

	     It is important that you do set max=8 if you are using the tradi‐
	     tional hashes, or some weak passwords will pass the checks.

     passphrase=N
	     (default: passphrase=3) The number of words required for a
	     passphrase, or 0 to disable the support for user-chosen
	     passphrases.

     match=N
	     (default: match=4) The length of common substring required to
	     conclude that a password is at least partially based on informa‐
	     tion found in a character string, or 0 to disable the substring
	     search.  Note that the password will not be rejected once a weak
	     substring is found; it will instead be subjected to the usual
	     strength requirements with the weak substring partially dis‐
	     counted.

	     The substring search is case-insensitive and is able to detect
	     and remove a common substring spelled backwards.

     similar=permit|deny
	     (default: similar=deny) Whether a new password is allowed to be
	     similar to the old one.  The passwords are considered to be simi‐
	     lar when there is a sufficiently long common substring and the
	     new password with the substring partially discounted would be
	     weak.

     random=N[,only]
	     (default: random=47) The size of randomly-generated passphrases
	     in bits (26 to 81), or 0 to disable this feature.	Any passphrase
	     that contains the offered randomly-generated string will be
	     allowed regardless of other possible restrictions.

	     The only modifier can be used to disallow user-chosen passwords.

PAM MODULE OPTIONS
     enforce=none|users|everyone
	     (default: enforce=everyone) The PAM module can be configured to
	     warn of weak passwords only, but not actually enforce strong
	     passwords.	 The users setting will enforce strong passwords for
	     invocations by non-root users only.

     non-unix
	     Normally, the PAM module uses getpwnam(3) to obtain the user's
	     personal login information and use that during the password
	     strength checks.  This behavior can be disabled with the non-unix
	     option.

     retry=N
	     (default: retry=3) The number of times the PAM module will ask
	     for a new password if the user fails to provide a sufficiently
	     strong password and enter it twice the first time.

     ask_oldauthtok[=update]
	     Ask for the old password as well.	Normally, the PAM module
	     leaves this task for subsequent modules.  With no argument, the
	     ask_oldauthtok option will cause the PAM module to ask for the
	     old password during the preliminary check phase. If the
	     ask_oldauthtok option is specified with the update argument, the
	     PAM module will do that during the update phase.

     check_oldauthtok
	     This tells the PAM module to validate the old password before
	     giving a new password prompt.  Normally, this task is left for
	     subsequent modules.

	     The primary use for this option is when ask_oldauthtok=update is
	     also specified, in which case no other module gets a chance to
	     ask for and validate the password.	 Of course, this will only
	     work with UNIX passwords.

     use_first_pass, use_authtok
	     Use the new password obtained by other modules stacked before the
	     PAM module.  This disables user interaction within the PAM mod‐
	     ule.  The only difference between use_first_pass and use_authtok
	     is that the former is incompatible with ask_oldauthtok.

FILES
     /etc/passwdqc.conf.

SEE ALSO
     getpwnam(3), pam_passwdqc(8).

     http://www.openwall.com/passwdqc/

AUTHORS
     The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar
     Designer ⟨solar at openwall.com⟩.	This manual page was derived from
     pam_passwdqc(8). The latter, derived from the author's documentation, was
     written for the FreeBSD Project by ThinkSec AS and NAI Labs, the Security
     Research Division of Network Associates, Inc. under DARPA/SPAWAR contract
     N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.

Openwall Project		March 13, 2010		      Openwall Project

Vote for polarhome