PASSWDQC.CONF(5)               File Formats Manual               PASSWDQC.CONF(5)

NAME
     passwdqc.conf - libpasswdqc configuration file
DESCRIPTION
     libpasswdqc is a simple password strength checking library. In addition
     to checking regular passwords, it offers support for passphrases and can
     provide randomly generated ones. A passwdqc.conf configuration file may
     be used to override default libpasswdqc settings.

     A passwdqc.conf file consists of 0 or more lines of the following format:

           option=value

     Empty lines and lines beginning with “#” are ignored. Whitespace
     characters between the option, “=”, and value are not allowed.
OPTIONS
     config=FILE
             Load configuration file FILE, which is also in passwdqc.conf
             format. This file may define any options described in this
             manual, including load of yet another configuration file, but
             loops are not allowed.

     min=N0,N1,N2,N3,N4
             The minimum allowed password lengths for different kinds of
             passwords and passphrases. The keyword disabled can be used to
             disallow passwords of a given kind regardless of their length.
             Each subsequent number is required to be no larger than the
             preceding one.

             N0 is used for passwords consisting of characters from one
             character class only. The character classes are: digits,
             lower-case letters, upper-case letters, and other characters.
             There is also a special class for non-ASCII characters, which
             could not be classified, but are assumed to be non-digits.

             N1 is used for passwords consisting of characters from two
             character classes that do not meet the requirements for a
             passphrase.

             N2 is used for passphrases. Note that besides meeting this
             length requirement, a passphrase must also consist of a
             sufficient number of words (see the passphrase option below).

             N3 and N4 are used for passwords consisting of characters from
             three and four character classes, respectively.

             When calculating the number of character classes, upper-case
             letters used as the first character and digits used as the last
             character of a password are not counted.

             In addition to being sufficiently long, passwords are required
             to contain enough different characters for the character
             classes and the minimum length they have been checked against.
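The following is an added example, not code from the passwdqc project or this manual: a small Python model of the option=value line syntax described above and of the rule that decides which of the min=N0,...,N4 thresholds a given password is held to. parse_conf, char_class, character_classes and required_min_length are hypothetical names, the sample configuration is constructed (its numbers are not the library defaults), and it goes slightly beyond the text by also rejecting the whitespace the manual forbids and min values that increase from left to right.

```python
from collections import Counter

# Hypothetical helpers following the manual's wording, not libpasswdqc's code.
SAMPLE_CONF = "# constructed sample, not library defaults\nmin=disabled,20,12,9,7\nmax=40\n"
# Tier index by class count: N0 one class, N1 two, N3 three, N4 four (N2 = passphrases).
MIN_INDEX_BY_CLASSES = {1: 0, 2: 1, 3: 3, 4: 4}

def parse_conf(text):
    """option=value per line; blank and '#' lines skipped; whitespace around
    the option, '=' or value rejected, as the manual says it is not allowed."""
    opts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "" or line.startswith("#"):
            continue
        option, sep, value = line.partition("=")
        if not sep or option != option.strip() or value != value.strip():
            raise ValueError("line %d: malformed entry %r" % (lineno, line))
        opts[option] = value
    return opts

def char_class(ch):
    """digit, lower, upper, other, or nonascii (unclassifiable, assumed non-digit)."""
    if ord(ch) > 127:
        return "nonascii"
    return "digit" if ch.isdigit() else "lower" if ch.islower() else "upper" if ch.isupper() else "other"

def character_classes(password):
    """Number of classes present; a leading upper-case letter and a trailing
    digit are not counted, as the manual specifies."""
    counts = Counter(char_class(ch) for ch in password)
    if password[:1].isascii() and password[:1].isupper():
        counts["upper"] -= 1
    if password[-1:].isascii() and password[-1:].isdigit():
        counts["digit"] -= 1
    return sum(1 for n in counts.values() if n > 0)

def required_min_length(opts, password):
    """Minimum length the password is held to, or None if that kind of
    password is disabled (also when no class remains after discounting).
    The passphrase tier N2 and the distinct-character rule are not modelled."""
    tiers = opts["min"].split(",")
    if len(tiers) != 5:
        raise ValueError("min= needs exactly five values")
    limits = [float("inf") if t == "disabled" else int(t) for t in tiers]
    if any(a < b for a, b in zip(limits, limits[1:])):
        raise ValueError("min= values must not increase from N0 to N4")
    classes = character_classes(password)
    if classes == 0:
        return None
    limit = limits[MIN_INDEX_BY_CLASSES[min(classes, 4)]]
    return None if limit == float("inf") else limit
```

With the constructed sample, "Password1" counts as a single-class password (leading capital and trailing digit discounted) and is therefore disabled outright, while "Tr0ub4dor&3" counts three classes and is held to N3.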
     max=N
             (default: max=40) The maximum allowed password length. This can
             be used to prevent users from setting passwords that may be too
             long for some system services. The value 8 is treated specially:
             if max is set to 8, passwords longer than 8 characters will not
             be rejected, but will be truncated to 8 characters for the
             strength checks and the user will be warned. This is to be used
             with the traditional DES-based password hashes, which truncate
             the password at 8 characters.

             It is important that you do set max=8 if you are using the
             traditional hashes, or some weak passwords will pass the checks.
     passphrase=N
             (default: passphrase=3) The number of words required for a
             passphrase, or 0 to disable the support for user-chosen
             passphrases.

     match=N
             (default: match=4) The length of common substring required to
             conclude that a password is at least partially based on
             information found in a character string, or 0 to disable the
             substring search. Note that the password will not be rejected
             once a weak substring is found; it will instead be subjected to
             the usual strength requirements with the weak substring
             partially discounted.

             The substring search is case-insensitive and is able to detect
             and remove a common substring spelled backwards.
     similar=permit|deny
             (default: similar=deny) Whether a new password is allowed to be
             similar to the old one. The passwords are considered to be
             similar when there is a sufficiently long common substring and
             the new password with the substring partially discounted would
             be weak.

     random=N[,only]
             (default: random=47) The size of randomly-generated passphrases
             in bits (24 to 85), or 0 to disable this feature. Any passphrase
             that contains the offered randomly-generated string will be
             allowed regardless of other possible restrictions.

             The only modifier can be used to disallow user-chosen passwords.
     enforce=none|users|everyone
             (default: enforce=everyone) The PAM module can be configured to
             warn of weak passwords only, but not actually enforce strong
             passwords. The users setting will enforce strong passwords for
             invocations by non-root users only.

     non-unix
             Normally, the PAM module uses getpwnam(3) to obtain the user's
             personal login information and uses it during the strength
             checks. This behavior can be disabled with the non-unix option.

     retry=N
             (default: retry=3) The number of times the PAM module will ask
             for a new password if the user fails to provide a sufficiently
             strong password and enter it twice the first time.

     ask_oldauthtok[=update]
             The ask_oldauthtok option will cause the PAM module to ask for
             the old password during the preliminary check phase. If the
             ask_oldauthtok option is specified with the update argument, the
             PAM module will do that during the update phase.

     check_oldauthtok
             This tells the PAM module to validate the old password before
             giving a new password prompt. The primary use for this option
             is when ask_oldauthtok=update is also specified, in which case
             no other module gets a chance to ask for and validate the
             password. Of course, this will only work with UNIX passwords.

     use_first_pass, use_authtok
             Use the new password obtained by modules stacked before
             pam_passwdqc. This disables user interaction within
             pam_passwdqc. The only difference between use_first_pass and
             use_authtok is that the former is incompatible with
             ask_oldauthtok.

FILES
     /etc/passwdqc.conf
SEE ALSO
     http://www.openwall.com/passwdqc/
AUTHORS
     The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar
     Designer ⟨solar at openwall.com⟩. This manual page was derived from
     pam_passwdqc(8). The latter, derived from the author's documentation,
     was written for the FreeBSD Project by ThinkSec AS and NAI Labs, the
     Security Research Division of Network Associates, Inc. under
     DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA
     CHATS research program.

Openwall Project                   March 13, 2010                  PASSWDQC.CONF(5)