Diffstat (limited to 'doc/man/pwquality.conf.5.pod')
-rw-r--r-- | doc/man/pwquality.conf.5.pod | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/doc/man/pwquality.conf.5.pod b/doc/man/pwquality.conf.5.pod new file mode 100644 index 0000000..94e61b6 --- /dev/null +++ b/doc/man/pwquality.conf.5.pod 
@@ -0,0 +1,123 @@ +=pod + +=head1 NAME + +pwquality.conf - configuration for the libpwquality library + +=head1 SYNOPSIS + +F</etc/security/pwquality.conf> + +F</etc/security/pwquality.conf.d/*.conf> + +=head1 DESCRIPTION + +B<pwquality.conf> provides a way to configure the default password +quality requirements for the system passwords. This file is read by the +libpwquality library and utilities that use this library for checking +and generating passwords. + +The file has a very simple I<name = value> format with possible comments +starting with C<#> character. The whitespace at the beginning of line, end +of line, and around the C<=> sign is ignored. + +The libpwquality library also first reads all F<*.conf> files from the +F</etc/security/pwquality.conf.d> directory in ASCII sorted order. The +values of the same settings are overriden in the order the files are parsed. + +=head1 OPTIONS + +The possible options in the file are: + +=over 4 + +=item B<difok> + +Number of characters in the new password that must not be present in the +old password. (default 1) + +=item B<minlen> + +Minimum acceptable size for the new password (plus one if credits are not +disabled which is the default). (See L<pam_pwquality(8)>.) +Cannot be set to lower value than 6. (default 8) + +=item B<dcredit> + +The maximum credit for having digits in the new password. If less than 0 +it is the minimum number of digits in the new password. (default 0) + +=item B<ucredit> + +The maximum credit for having uppercase characters in the new password. +If less than 0 it is the minimum number of uppercase characters in the new +password. (default 0) + +=item B<lcredit> + +The maximum credit for having lowercase characters in the new password. +If less than 0 it is the minimum number of lowercase characters in the new +password. (default 0) + +=item B<ocredit> + +The maximum credit for having other characters in the new password. 
+If less than 0 it is the minimum number of other characters in the new +password. (default 0) + +=item B<minclass> + +The minimum number of required classes of characters for the new +password (digits, uppercase, lowercase, others). (default 0) + +=item B<maxrepeat> + +The maximum number of allowed same consecutive characters in the new password. +The check is disabled if the value is 0. (default 0) + +=item B<maxsequence> + +The maximum length of monotonic character sequences in the new password. +Examples of such sequence are '12345' or 'fedcb'. Note +that most such passwords will not pass the simplicity check unless +the sequence is only a minor part of the password. +The check is disabled if the value is 0. (default 0) + +=item B<maxclassrepeat> + +The maximum number of allowed consecutive characters of the same class in the +new password. +The check is disabled if the value is 0. (default 0) + +=item B<gecoscheck> + +If nonzero, check whether the words longer than 3 characters from the I<GECOS> +field of the user's L<passwd(5)> entry are contained in the new password. +The check is disabled if the value is 0. (default 0) + +=item B<dictcheck> + +If nonzero, check whether the password (with possible modifications) +matches a word in a dictionary. Currently the dictionary check is performed +using the cracklib library. (default 1) + +=item B<badwords> + +Space separated list of words that must not be contained in the password. These +are additional words to the cracklib dictionary check. This setting can be +also used by applications to emulate the gecos check for user accounts that are +not created yet. + +=item B<dictpath> + +Path to the cracklib dictionaries. Default is to use the cracklib default. + +=back + +=head1 SEE ALSO + +L<pwscore(1)>, L<pwmake(1)>, L<pam_pwquality(8)> + +=head1 AUTHORS + +Tomas Mraz <tmraz@redhat.com> |
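Review bot: In DESCRIPTION, the paragraph on F</etc/security/pwquality.conf.d> says the library "also first reads" the F<*.conf> files but never says where F</etc/security/pwquality.conf> falls in that order, so an administrator cannot tell whether a drop-in overrides the main file or the reverse. Please state the precedence explicitly, since it decides which value of a setting such as minlen or dictcheck is actually enforced. The same paragraph spells "overridden" as "overriden". In OPTIONS, the B<minlen> item says one is added "if credits are not disabled which is the default" without saying which setting disables credits, while the four credit items each list "(default 0)"; a sentence defining the disabled state would remove the ambiguity. B<badwords> is also the only item that does not state its default.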