debug
This option makes the module write information to syslog(3) indicating the behavior of the module
(this option does not write password information to the log file).
authtok_type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New
UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this
option, by default it is empty.
retry=N
Prompt user at most N times before returning with error. The default is 1.
difok=N
This argument will change the default of 1 for the number of changes in the new password from the old
password.
The special value of 0 disables all checks of similarity of the new password with the old password
except the new password being exactly the same as the old one.
minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled which is the
default). In addition to the number of characters in the new password, credit (of +1 in length) is
given for each different kind of character (other, upper, lower and digit). The default for this
parameter is 8. Note that there is a pair of length limits also in Cracklib, which is used for
dictionary checking, a "way too short" limit of 4 which is hard coded in and a build time defined
limit (6) that will be checked without reference to minlen.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or
N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit
is 0 which means there is no bonus for digits in password.
(N < 0) This is the minimum number of digits that must be met for a new password.
ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have
less than or N upper case letters, each upper case letter will count +1 towards meeting the current
minlen value. The default for ucredit is 0 which means there is no bonus for upper case letters in
password.
(N < 0) This is the minimum number of upper case letters that must be met for a new password.
lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have
less than or N lower case letters, each lower case letter will count +1 towards meeting the current
minlen value. The default for lcredit is 0 which means there is no bonus for lower case letters in
password.
(N < 0) This is the minimum number of lower case letters that must be met for a new password.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new password. If you have
less than or N other characters, each other character will count +1 towards meeting the current
minlen value. The default for ocredit is 0 which means there is no bonus for other characters in
password.
(N < 0) This is the minimum number of other characters that must be met for a new password.
minclass=N
The minimum number of required classes of characters for the new password. The four classes are
digits, upper and lower letters and other characters. The difference to the credit check is that a
specific class if of characters is not required. Instead N out of four of the classes are required.
By default the check is disabled.
maxrepeat=N
Reject passwords which contain more than N same consecutive characters. The default is 0 which means
that this check is disabled.
maxsequence=N
Reject passwords which contain monotonic character sequences longer than N. The default is 0 which
means that this check is disabled. Examples of such sequence are '12345' or 'fedcb'. Note that most
such passwords will not pass the simplicity check unless the sequence is only a minor part of the
password.
maxclassrepeat=N
Reject passwords which contain more than N consecutive characters of the same class. The default is 0
which means that this check is disabled.
gecoscheck=N
If nonzero, check whether the individual words longer than 3 characters from the passwd(5) GECOS
field of the user are contained in the new password. The default is 0 which means that this check is
disabled.
dictcheck=N
If nonzero, check whether the password (with possible modifications) matches a word in a dictionary.
Currently the dictionary check is performed using the cracklib library. The default is 1 which means
that this check is enabled.
usercheck=N
If nonzero, check whether the password (with possible modifications) contains the user name in some
form. The default is 1 which means that this check is enabled. It is not performed for user names
shorter than 3 characters.
usersubstr=N
If greater than 3 (due to the minimum length in usercheck), check whether the password contains a
substring of the user name of at least N length in some form. The default is 0, which means this
check is disabled.
enforcing=N
If nonzero, reject the password if it fails the checks, otherwise only print the warning. The default
is 1 which means that the weak password is rejected (for non-root users).
badwords=<listofwords>
The words more than 3 characters long from this space separated list are individually searched for
and forbidden in the new password. By default the list is empty which means that this check is
disabled.
dictpath=/path/to/dict
This options allows for specification of non-default path to the cracklib dictionaries.
enforce_for_root
The module will return error on failed check even if the user changing the password is root. This
option is off by default which means that just the message about the failed check is printed but root
can change the password anyway. Note that root is not asked for an old password so the checks that
compare the old and new password are not performed.
local_users_only
The module will not test the password quality for users that are not present in the /etc/passwd file.
The module still asks for the password so the following modules in the stack can use the use_authtok
option. This option is off by default.
use_authtok
This argument is used to force the module to not prompt the user for a new password but use the one
provided by the previously stacked password module.