'\" te
.\" Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
.TH pam_authtok_check 5 "13 Feb 2014" "SunOS 5.11" "Standards, Environments, and Macros"
.SH NAME
pam_authtok_check \- authentication and password management module
.SH SYNOPSIS
.LP
.nf
\fBpam_authtok_check.so.1\fR
.fi

.SH DESCRIPTION
.sp
.LP
\fBpam_authtok_check\fR provides functionality to the Password Management stack. The implementation of \fBpam_sm_chauthtok()\fR performs a number of checks on the construction of the newly entered password. \fBpam_sm_chauthtok()\fR is invoked twice by the PAM framework, once with flags set to \fBPAM_PRELIM_CHECK\fR, and once with flags set to \fBPAM_UPDATE_AUTHTOK\fR. This module only performs its checks during the first invocation. This module expects the current authentication token in the \fBPAM_OLDAUTHTOK\fR item, the new (to be checked) password in the \fBPAM_AUTHTOK\fR item, and the login name in the \fBPAM_USER\fR item. The checks performed by this module are:
.sp
.ne 2
.mk
.na
\fBlength\fR
.ad
.RS 20n
.rt  
The password length should not be less that the minimum specified in \fB/etc/default/passwd\fR.
.RE

.sp
.ne 2
.mk
.na
\fBcircular shift\fR
.ad
.RS 20n
.rt  
The password should not be a circular shift of the login name. This check may be disabled in \fB/etc/default/passwd\fR.
.RE

.sp
.ne 2
.mk
.na
\fBcomplexity\fR
.ad
.RS 20n
.rt  
The password should contain at least the minimum number of characters described by the parameters \fBMINALPHA\fR, \fBMINNONALPHA\fR, \fBMINDIGIT\fR, and \fBMINSPECIAL\fR. Note that \fBMINNONALPHA\fR describes the same character classes as \fBMINDIGIT\fR and \fBMINSPECIAL\fR combined; therefore the user cannot specify both \fBMINNONALPHA\fR and \fBMINSPECIAL\fR (or \fBMINDIGIT\fR). The user must choose which of the two options to use. Furthermore, the \fBWHITESPACE\fR parameter determines whether whitespace characters are allowed. If unspecified \fBMINALPHA\fR is 2, \fBMINNONALPHA\fR is 1 and \fBWHITESPACE\fR is yes
.RE

.sp
.ne 2
.mk
.na
\fBvariation\fR
.ad
.RS 20n
.rt  
The old and new passwords must differ by at least the \fBMINDIFF\fR value specified in \fB/etc/default/passwd\fR. If unspecified, the default is 3. For accounts in name services which support password history checking, if prior history is defined, the new password must not match the prior passwords.
.RE

.sp
.ne 2
.mk
.na
\fBdictionary check\fR
.ad
.RS 20n
.rt  
The password must not be based on a dictionary word. The list of words to be used for the site's dictionary can be specified with \fBDICTIONLIST \fR. It should contain a comma-separated list of filenames. The database that is created from these files is stored in the directory named by \fBDICTIONDBDIR \fR (defaults to \fB/var/passwd\fR). See \fBmkpwdict\fR(1M) for information on the dictionary format and on pre-generating the database. If neither \fBDICTIONLIST \fR nor \fBDICTIONDBDIR\fR is specified, no dictionary check is made. \fBDICTIONMINWORDLENGTH\fR is used to filter words from \fBDICTIONLIST\fR shorter than the specified minimum word length.
.RE

.sp
.ne 2
.mk
.na
\fBupper/lower case\fR
.ad
.RS 20n
.rt  
The password must contain at least the minimum of upper- and lower-case letters specified by the \fBMINUPPER\fR and \fBMINLOWER\fR values in \fB/etc/default/passwd\fR. If unspecified, the defaults are 0.
.RE

.sp
.ne 2
.mk
.na
\fBmaximum repeats\fR
.ad
.RS 20n
.rt  
The password must not contain more consecutively repeating characters than specified by the \fBMAXREPEATS\fR value in \fB/etc/default/passwd\fR. If unspecified, no repeat character check is made.
.RE

.sp
.LP
The following option may be passed to the module:
.sp
.ne 2
.mk
.na
\fBforce_check\fR
.ad
.RS 17n
.rt  
If the \fBPAM_NO_AUTHTOK_CHECK\fR flag set, \fBforce_check\fR ignores this flag. The \fBPAM_NO_AUTHTOK_CHECK\fR flag can be set to bypass password checks (see \fBpam_chauthtok\fR(3PAM)).
.RE

.sp
.ne 2
.mk
.na
\fB\fBserver_policy\fR\fR
.ad
.RS 17n
.rt  
If the account authority for the user, as specified by \fBPAM_USER\fR, is not files or NIS, and if \fBserver_policy\fR is specified, this module does not perform any password-strength checks. Instead, it leaves it to the account authority to validate the new password against its own set of rules.
.RE

.sp
.ne 2
.mk
.na
\fBdebug\fR
.ad
.RS 17n
.rt  
\fBsyslog\fR(3C) debugging information at the \fBLOG_DEBUG\fR level
.RE

.SH RETURN VALUES
.sp
.LP
If the password in \fBPAM_AUTHTOK\fR passes all tests, \fBPAM_SUCCESS\fR is returned. If any of the tests fail, \fBPAM_AUTHTOK_ERR\fR is returned. 
.SH FILES
.sp
.ne 2
.mk
.na
\fB/etc/default/passwd\fR
.ad
.RS 23n
.rt  
See \fBpasswd\fR(1) for a description of the contents.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface StabilityCommitted
_
MT LevelMT-Safe with exceptions
.TE

.SH SEE ALSO
.sp
.LP
\fBpasswd\fR(1), \fBpam\fR(3PAM), \fBmkpwdict\fR(1M), \fBpam_chauthtok\fR(3PAM), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBpam.conf\fR(4), \fBpasswd\fR(4), \fBshadow\fR(4), \fBattributes\fR(5), \fBpam_authtok_get\fR(5), \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), \fBpam_unix_session\fR(5)
.SH NOTES
.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own \fBPAM\fR handle.