Diffstat (limited to 'source/a/shadow/pam.d/system-auth')
-rw-r--r-- | source/a/shadow/pam.d/system-auth | 70 |
1 files changed, 24 insertions, 46 deletions
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth
index 5fa10c80..98b4afbc 100644
--- a/source/a/shadow/pam.d/system-auth
+++ b/source/a/shadow/pam.d/system-auth
@@ -1,7 +1,7 @@
 #%PAM-1.0
 #
 # Most of these PAM modules have man pages included, like
-# PAM_UNIX(8) for example.
+# pam_unix(8) for example.
 #
 ##################
@@ -35,52 +35,30 @@ account required pam_unix.so
 account sufficient pam_succeed_if.so uid < 100 quiet
 account required pam_permit.so
-#####################
-# Password handling #
-#####################
-#
-# If you have CrackLib installed and enabled
-#
-# Passwords will be checked against a huge dictionary and need to
-# have at least 6 characters (cracklib can't use 5). Some options
-# of cracklib modules are:
-#
-# difok Number of characters that needs to be different
-# between old and new characters
-# minlen Password minimal length
-# retry How many times the user can try bad new passwords
-# dcredit,ocredit,ucredit,lcredit
-# Digiti, Others, Uppercase, Lowercase characters
-# Positive numbers marks the max number of credits given
-# by one character class. With dcredit=5 and minlen=6, you
-# can't use a full numeric password because more than 5
-# digit characters doesn't count credits to achieve the
-# minimal length
-# Negative numbers determine that a password needs to have
-# at least N characters
-#
-# You can see many other pam_cracklib options at pam_cracklib(8) manpage
-#
-# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib
-# in sharing the password stack. See pam_unix(8) for more details.
-#
-# If you need to use CrackLib to enforce your passwords, uncomment
-# two statements:
-#password requisite pam_cracklib.so retry=3 minlen=6 \
-# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5
-#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
-#
-# --
-# A less intense option for cracklib, is:
-#password requisite pam_cracklib.so retry=3
-#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
-# --
-# The default is the "traditional" way without CrackLib.
-# Passwords need to have at least 8 characters. If you are using Cracklib,
-# please comment the next statement.
-password sufficient pam_unix.so nullok sha512 shadow minlen=8
+#############################
+# Password quality checking #
+#############################
+#
+# Please note that unless cracklib and libpwquality are installed, setting
+# passwords will not work unless the lines for the pam_pwquality module are
+# commented out and the line for the traditional no-quality-check password
+# changing is uncommented.
+#
+# The pam_pwquality module will check the quality of a user-supplied password
+# against the dictionary installed for cracklib. Other tests are (or may be)
+# done as well - see: man pam_pwquality
+#
+# Default password quality checking with pam_pwquality. If you don't want
+# password quality checking, comment out these two lines and uncomment the
+# traditional password handling line below.
+password requisite pam_pwquality.so minlen=6 retry=3
+password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+
+# Traditional password handling without pam_pwquality password checking.
+# Commented out by default to use the two pam_pwquality lines above.
+#password sufficient pam_unix.so nullok sha512 shadow minlen=6
-# ATTENTION: keep the line for pam_deny.so
+# ATTENTION: always keep this line for pam_deny.so:
 password required pam_deny.so
 ######################### |
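Review bot: The commented-out fallback at the end of the new block lowers the pam_unix floor from `minlen=8` (the removed active line) to `minlen=6`, so an administrator who follows the header comment and disables pam_pwquality ends up accepting six-character passwords with no dictionary check at all. I would keep the previous floor on that line: `#password sufficient pam_unix.so nullok sha512 shadow minlen=8`. On the active pair, `minlen=6` is the lowest value pam_pwquality accepts, and the module only warns rather than rejects when root sets a password unless `enforce_for_root` is given. If both are deliberate defaults, a one-line comment saying so above `password requisite pam_pwquality.so minlen=6 retry=3` would spare the next reader the lookup.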