integ/extended/pam/files/pam.d/common-password
Dean Troyer 3cd12006bb StarlingX open source release updates
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
2018-05-31 07:36:35 -07:00

39 lines
1.8 KiB
Plaintext
Executable File

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# here are the per-package modules (the "Primary" block)
################## Titanium Cloud Password Rules #######################
## Enforce a password containing atleast 1 lower case, 1 upper case, #
## 1 digit and 1 special character. Such a password will have a #
## minimum length of 7 characters. A user may not re-use the last most #
## recent password and every password must differ from its previous #
## one by atleast 3 characters #
## - Added enforce_for_root for pam_pwquality.so #
########################################################################
password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
password required pam_pwhistory.so use_authtok enforce_for_root remember=2 retry=3 debug
password sufficient pam_unix.so sha512 use_authtok debug
password [success=done authtok_err=die perm_denied=die default=ignore] pam_ldap.so use_authtok debug
# If we got this far then its clearly a DENY
password requisite pam_deny.so