Diffstat (limited to 'source/a/shadow/pam.d/system-auth')
-rw-r--r--source/a/shadow/pam.d/system-auth70
1 files changed, 24 insertions, 46 deletions
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth
index 5fa10c80..98b4afbc 100644
--- a/source/a/shadow/pam.d/system-auth
+++ b/source/a/shadow/pam.d/system-auth
@@ -1,7 +1,7 @@
#%PAM-1.0
#
# Most of these PAM modules have man pages included, like
-# PAM_UNIX(8) for example.
+# pam_unix(8) for example.
#
##################
@@ -35,52 +35,30 @@ account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so
-#####################
-# Password handling #
-#####################
-#
-# If you have CrackLib installed and enabled
-#
-# Passwords will be checked against a huge dictionary and need to
-# have at least 6 characters (cracklib can't use 5). Some options
-# of cracklib modules are:
-#
-# difok Number of characters that needs to be different
-# between old and new characters
-# minlen Password minimal length
-# retry How many times the user can try bad new passwords
-# dcredit,ocredit,ucredit,lcredit
-# Digiti, Others, Uppercase, Lowercase characters
-# Positive numbers marks the max number of credits given
-# by one character class. With dcredit=5 and minlen=6, you
-# can't use a full numeric password because more than 5
-# digit characters doesn't count credits to achieve the
-# minimal length
-# Negative numbers determine that a password needs to have
-# at least N characters
-#
-# You can see many other pam_cracklib options at pam_cracklib(8) manpage
-#
-# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib
-# in sharing the password stack. See pam_unix(8) for more details.
-#
-# If you need to use CrackLib to enforce your passwords, uncomment
-# two statements:
-#password requisite pam_cracklib.so retry=3 minlen=6 \
-# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5
-#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
-#
-# --
-# A less intense option for cracklib, is:
-#password requisite pam_cracklib.so retry=3
-#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
-# --
-# The default is the "traditional" way without CrackLib.
-# Passwords need to have at least 8 characters. If you are using Cracklib,
-# please comment the next statement.
-password sufficient pam_unix.so nullok sha512 shadow minlen=8
+#############################
+# Password quality checking #
+#############################
+#
+# Please note that unless cracklib and libpwquality are installed, setting
+# passwords will not work unless the lines for the pam_pwquality module are
+# commented out and the line for the traditional no-quality-check password
+# changing is uncommented.
+#
+# The pam_pwquality module will check the quality of a user-supplied password
+# against the dictionary installed for cracklib. Other tests are (or may be)
+# done as well - see: man pam_pwquality
+#
+# Default password quality checking with pam_pwquality. If you don't want
+# password quality checking, comment out these two lines and uncomment the
+# traditional password handling line below.
+password requisite pam_pwquality.so minlen=6 retry=3
+password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+
+# Traditional password handling without pam_pwquality password checking.
+# Commented out by default to use the two pam_pwquality lines above.
+#password sufficient pam_unix.so nullok sha512 shadow minlen=6
-# ATTENTION: keep the line for pam_deny.so
+# ATTENTION: always keep this line for pam_deny.so:
password required pam_deny.so
#########################
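Review bot: The minimum password length drops from 8 to 6 in this hunk: the removed default was `pam_unix.so nullok sha512 shadow minlen=8`, while the new `pam_pwquality.so minlen=6 retry=3` line, the `pam_unix.so` line below it and the commented-out traditional fallback all carry `minlen=6`. Six is the lowest value pam_pwquality accepts, and the new comment block does not say that the floor was lowered or why. If the reduction is not intended, keep the previous floor on all three lines, e.g. `password requisite pam_pwquality.so minlen=8 retry=3`; if it is intended, a comment such as `# minlen=6 is the lowest value pam_pwquality accepts; raise it to match site policy.` would tell administrators what to review. The comments could also note that pam_pwquality only rejects a failing password set by root when `enforce_for_root` is given, so without it root gets a warning and the weak password is still accepted.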