NAME
pwqcheck - Check passphrase quality
SYNOPSIS
DESCRIPTION
The pwqcheck program checks passphrase quality using the libpasswdqc library. By default, it expects to read 3 lines from standard input:
- first line is a new password,
- second line is an old password, and
- third line is either an existing account name or a passwd(5) entry.
There are a number of supported options, which can be used to control the pwqcheck behavior.
pwqcheck prints OK on success. Scripts invoking pwqcheck should check for both a zero exit status and the OK line.
OPTIONS
min=N0,N1,N2,N3,N4
    (default: min=disabled,24,11,8,7) The minimum allowed password lengths for different kinds of passwords/passphrases. The keyword disabled can be used to disallow passwords of a given kind regardless of their length. Each subsequent number is required to be no larger than the preceding one.
    N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters, which cannot be classified, but are assumed to be non-digits.
    N1 is used for passwords consisting of characters from two character classes that do not meet the requirements for a passphrase.
    N2 is used for passphrases. Note that besides meeting this length requirement, a passphrase must also consist of a sufficient number of words (see the passphrase option below).
    N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.
    When calculating the number of character classes, upper-case letters used as the first character and digits used as the last character of a password are not counted.
    In addition to being sufficiently long, passwords are required to contain enough different characters for the character classes and the minimum length they have been checked against.
max=N
    (default: max=40) The maximum allowed password length. This can be used to prevent users from setting passwords that may be too long for some system services. The value 8 is treated specially: if max is set to 8, passwords longer than 8 characters will not be rejected, but will be truncated to 8 characters for the strength checks and the user will be warned. This is to be used with the traditional DES-based password hashes, which truncate the password at 8 characters. It is important that you do set max=8 if you are using the traditional hashes, or some weak passwords will pass the checks.
passphrase=N
    (default: passphrase=3) The number of words required for a passphrase.
match=N
    (default: match=4) The length of common substring required to conclude that a password is at least partially based on information found in a character string, or 0 to disable the substring search. Note that the password will not be rejected once a weak substring is found; it will instead be subjected to the usual strength requirements with the weak substring partially discounted.
    The substring search is case-insensitive and is able to detect and remove a common substring spelled backwards.
config=FILE
    Load config FILE in the passwdqc.conf format. This file may define any options described in passwdqc.conf(5), but only the min, max, passphrase, match, and config options are honored by pwqcheck.
-1
    Read just 1 line (new passphrase). This is needed to use pwqcheck as the passwordcheck program on OpenBSD - e.g., with ":passwordcheck=/usr/bin/pwqcheck -1:\" in the "default" section in /etc/login.conf.
-2
    Read just 2 lines (new and old passphrases).
--multi
    Check multiple passphrases (until EOF). This option may be used on its own or along with the -1 or -2 options. pwqcheck will read 1, 2, or 3 lines and will output one line per passphrase to check. The lines will start with either OK or a message explaining why the passphrase did not pass the checks, followed by a colon and a space, and finally followed by the passphrase. The explanatory message is guaranteed to not include a colon. With this option, the exit status of pwqcheck depends solely on whether there were any errors preventing the strength of passphrases from being fully checked or not. A primary use for this option is to test different policies and/or different versions of passwdqc on large passphrase lists.
--version
    Output pwqcheck program version and exit.
-h, --help
    Output pwqcheck help text and exit.
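As an added example (not code from the passwdqc project), a POSIX sh wrapper that applies the rule from DESCRIPTION of requiring both a zero exit status and the OK line, and that parses --multi output by splitting each line at the first ": ", which is safe because the explanatory message is guaranteed to contain no colon. The PWQCHECK variable, the helper names and the sample passphrases are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the passwdqc project): helpers around pwqcheck.
# Assumption: PWQCHECK names the pwqcheck binary (default: found via PATH).
PWQCHECK=${PWQCHECK:-pwqcheck}

# check_password NEW OLD ACCOUNT
#   Feeds the three lines pwqcheck reads by default and returns 0 only when
#   the exit status is zero AND the output is exactly "OK", as the manual
#   advises; otherwise it reports the reason on stderr and returns 1.
check_password() {
    out=$(printf '%s\n%s\n%s\n' "$1" "$2" "$3" | "$PWQCHECK")
    status=$?
    if [ "$status" -eq 0 ] && [ "$out" = "OK" ]; then
        return 0
    fi
    printf 'rejected (exit %d): %s\n' "$status" "$out" >&2
    return 1
}

# A line of --multi output is "<reason>: <passphrase>". The reason never
# contains a colon, so splitting at the FIRST ": " is safe even when the
# passphrase itself contains ": ".
multi_reason()     { printf '%s\n' "${1%%: *}"; }
multi_passphrase() { printf '%s\n' "${1#*: }"; }

# summarize_multi < OUTPUT
#   Reads --multi output from stdin, prints one "reason<TAB>passphrase" line
#   per rejected passphrase, then "<rejected>/<total>" as the last line.
summarize_multi() {
    total=0; rejected=0
    while IFS= read -r line; do
        total=$((total + 1))
        reason=$(multi_reason "$line")
        if [ "$reason" != "OK" ]; then
            rejected=$((rejected + 1))
            printf '%s\t%s\n' "$reason" "$(multi_passphrase "$line")"
        fi
    done
    printf '%d/%d\n' "$rejected" "$total"
}

# Typical use on a candidate list (one passphrase per line, hence -1):
#   "$PWQCHECK" --multi -1 < candidates.txt | summarize_multi
```

The rejection messages in any test data are constructed for illustration, not quoted from libpasswdqc.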
EXIT STATUS
pwqcheck exits with non-zero status when it encounters an invalid config file, an invalid option, an invalid parameter value, or invalid data in standard input, and in any case when it fails to check passphrase strength. Without the --multi option, pwqcheck also exits with non-zero status when it detects a weak passphrase.
FILES
/etc/passwdqc.conf
SEE ALSO
pwqgen(1), passwd(5), passwdqc.conf(5), pam_passwdqc(8).
http://www.openwall.com/passwdqc/
AUTHORS
The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar Designer. The pwqcheck program was originally written for ALT GNU/*/Linux by Dmitry V. Levin, indirectly reusing code from pam_passwdqc (via libpasswdqc). This manual page (derived from the pam_passwdqc documentation) was written for Openwall GNU/*/Linux by Dmitry V. Levin.