.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "PWQUALITY.CONF 5" .TH PWQUALITY.CONF 5 "2020-08-03" "Red Hat, Inc." "File Formats Manual" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" pwquality.conf \- configuration for the libpwquality library .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fI/etc/security/pwquality.conf\fR .PP \&\fI/etc/security/pwquality.conf.d/*.conf\fR .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBpwquality.conf\fR provides a way to configure the default password quality requirements for the system passwords. This file is read by the libpwquality library and utilities that use this library for checking and generating passwords. .PP The file has a very simple \fIname = value\fR format with possible comments starting with \f(CW\*(C`#\*(C'\fR character. The whitespace at the beginning of line, end of line, and around the \f(CW\*(C`=\*(C'\fR sign is ignored. .PP The libpwquality library also first reads all \fI*.conf\fR files from the \&\fI/etc/security/pwquality.conf.d\fR directory in \s-1ASCII\s0 sorted order. The values of the same settings are overridden in the order the files are parsed. .SH "OPTIONS" .IX Header "OPTIONS" The possible options in the file are: .IP "\fBdifok\fR" 4 .IX Item "difok" Number of characters in the new password that must not be present in the old password. (default 1) .Sp The special value of 0 disables all checks of similarity of the new password with the old password except the new password being exactly the same as the old one. .IP "\fBminlen\fR" 4 .IX Item "minlen" Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See \fBpam_pwquality\fR\|(8).) Cannot be set to lower value than 6. (default 8) .IP "\fBdcredit\fR" 4 .IX Item "dcredit" The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. (default 0) .IP "\fBucredit\fR" 4 .IX Item "ucredit" The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. (default 0) .IP "\fBlcredit\fR" 4 .IX Item "lcredit" The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. (default 0) .IP "\fBocredit\fR" 4 .IX Item "ocredit" The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. (default 0) .IP "\fBminclass\fR" 4 .IX Item "minclass" The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). (default 0) .IP "\fBmaxrepeat\fR" 4 .IX Item "maxrepeat" The maximum number of allowed same consecutive characters in the new password. The check is disabled if the value is 0. (default 0) .IP "\fBmaxsequence\fR" 4 .IX Item "maxsequence" The maximum length of monotonic character sequences in the new password. Examples of such sequence are '12345' or 'fedcb'. Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password. The check is disabled if the value is 0. (default 0) .IP "\fBmaxclassrepeat\fR" 4 .IX Item "maxclassrepeat" The maximum number of allowed consecutive characters of the same class in the new password. The check is disabled if the value is 0. (default 0) .IP "\fBgecoscheck\fR" 4 .IX Item "gecoscheck" If nonzero, check whether the words longer than 3 characters from the \fI\s-1GECOS\s0\fR field of the user's \fBpasswd\fR\|(5) entry are contained in the new password. The check is disabled if the value is 0. (default 0) .IP "\fBdictcheck\fR" 4 .IX Item "dictcheck" If nonzero, check whether the password (with possible modifications) matches a word in a dictionary. Currently the dictionary check is performed using the cracklib library. (default 1) .IP "\fBusercheck=\fR\fIN\fR" 4 .IX Item "usercheck=N" If nonzero, check whether the password (with possible modifications) contains the user name in some form. It is not performed for user names shorter than 3 characters. (default 1) .IP "\fBusersubstr=\fR\fIN\fR" 4 .IX Item "usersubstr=N" If greater than 3 (due to the minimum length in usercheck), check whether the password contains a substring of at least \fIN\fR length in some form. (default 0) .IP "\fBenforcing=\fR\fIN\fR" 4 .IX Item "enforcing=N" If nonzero, reject the password if it fails the checks, otherwise only print the warning. This setting applies only to the pam_pwquality module and possibly other applications that explicitly change their behavior based on it. It does not affect \fBpwmake\fR\|(1) and \fBpwscore\fR\|(1). (default 1) .IP "\fBbadwords\fR" 4 .IX Item "badwords" Space separated list of words that must not be contained in the password. These are additional words to the cracklib dictionary check. This setting can be also used by applications to emulate the gecos check for user accounts that are not created yet. .IP "\fBdictpath\fR" 4 .IX Item "dictpath" Path to the cracklib dictionaries. Default is to use the cracklib default. .IP "\fBretry=\fR\fIN\fR" 4 .IX Item "retry=N" Prompt user at most \fIN\fR times before returning with error. The default is \&\fI1\fR. .IP "\fBenforce_for_root\fR" 4 .IX Item "enforce_for_root" The module will return error on failed check even if the user changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. Note that root is not asked for an old password so the checks that compare the old and new password are not performed. .IP "\fBlocal_users_only\fR" 4 .IX Item "local_users_only" The module will not test the password quality for users that are not present in the \fI/etc/passwd\fR file. The module still asks for the password so the following modules in the stack can use the \fBuse_authtok\fR option. This option is off by default. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBpwscore\fR\|(1), \fBpwmake\fR\|(1), \fBpam_pwquality\fR\|(8) .SH "AUTHORS" .IX Header "AUTHORS" Tomas Mraz