passwd_policy File

Purpose

Defines the types and manifest constants required to support the passwdpolicy() function.

Description

The passwdpolicy() interface uses named policies to determine the strength of a new password. It is intended both for applications that keep policy information in the per-user attribute databases (for example, /etc/security/user) and for applications that use the new policy files (/etc/security/passwd_policy and /usr/lib/security/passwd_policy) to define password policies that are not associated with a specific user.

System security applications may name policies which are then enforced using the named rules in /etc/security/passwd_policy. Because this file resides in the /etc/security directory, it is only accessible by applications run by root or a member of group security. The /usr/lib/security/passwd_policy file is intended for applications which wish to use these new APIs to enforce their own password strength rules. There is no support for a default stanza; rather, each application must name a stanza it wishes to use as the default and then explicitly check against that stanza. In addition to the basic construction rules which are supported by passwdstrength(), this interface supports dictionary checking, per-user password histories, and administrator-defined load module extensions.

The format of the passwd_policy file is similar to the password construction rule attributes as stored in the /etc/security/user file, with the exception that named policies do not include the histsize and histexpire attributes. Each file is a sequence of zero or more stanzas with the named policy being the stanza name. Each stanza contains one or more attributes describing the password rules which must be satisfied for a password to be accepted.

Example

ibm_corp_policy:
        dictionlist = /usr/share/dict/words,/usr/local/lib/local_words
        maxage = 26
        minage = 2
        maxexpired = 2
        maxrepeats = 2
        mindiff = 6
        minalpha = 4
        minother = 2
        minlen = 7
        pwdchecks = /usr/lib/security/more_checks.so

The maxage, minage, maxexpired, maxrepeats, mindiff, minalpha, minother, and minlen attributes are integers. The dictionlist and pwdchecks attributes are comma-separated lists of filenames. For more information on valid values for attributes, please see /etc/security/user.
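The following is an added illustration, not AIX's own passwdpolicy() implementation: it parses a stanza file in the format shown above and evaluates a candidate password against the construction rules the stanza names. The attribute names and the sample stanza are the ones on this page; how each rule is counted (noted in the comments) is this example's reading of the attributes, not a statement of the exact AIX semantics, and the pwdchecks load module is not invoked.

```python
"""Added illustration of the passwd_policy stanza format: parse the file and
apply the construction rules to a candidate password.  Not AIX code."""

# Constructed copy of the page's example stanza, as it would appear in
# /usr/lib/security/passwd_policy.
SAMPLE_POLICY_FILE = """\
ibm_corp_policy:
        dictionlist = /usr/share/dict/words,/usr/local/lib/local_words
        maxage = 26
        minage = 2
        maxexpired = 2
        maxrepeats = 2
        mindiff = 6
        minalpha = 4
        minother = 2
        minlen = 7
        pwdchecks = /usr/lib/security/more_checks.so
"""

INTEGER_ATTRS = {"maxage", "minage", "maxexpired", "maxrepeats",
                 "mindiff", "minalpha", "minother", "minlen"}
LIST_ATTRS = {"dictionlist", "pwdchecks"}


def parse_policy_file(text):
    """Return {stanza_name: {attribute: value}} for a stanza-format policy file.

    Integer attributes become ints, the two list attributes become lists of
    file names, anything else is kept as a string."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue                      # blank line or comment ('*' convention assumed)
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()   # 'name:' at column 0 opens a stanza
            policies[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line outside a stanza: %r" % raw)
        name, value = (part.strip() for part in line.split("=", 1))
        if name in INTEGER_ATTRS:
            policies[current][name] = int(value)
        elif name in LIST_ATTRS:
            policies[current][name] = [p for p in value.split(",") if p]
        else:
            policies[current][name] = value
    return policies


def check_password(new, old, policy, dictionary=frozenset()):
    """Return the construction rules the candidate violates ([] = accepted).

    maxage, minage and maxexpired are ageing rules and are not evaluated here.
    'dictionary' stands in for the words read from the dictionlist files, so
    the check runs offline."""
    failures = []
    alpha = sum(1 for c in new if c.isalpha())
    other = len(new) - alpha              # every non-alphabetic character counts as 'other'
    if len(new) < policy.get("minlen", 0):
        failures.append("minlen: %d characters, %d required" % (len(new), policy["minlen"]))
    if alpha < policy.get("minalpha", 0):
        failures.append("minalpha: %d alphabetic, %d required" % (alpha, policy["minalpha"]))
    if other < policy.get("minother", 0):
        failures.append("minother: %d non-alphabetic, %d required" % (other, policy["minother"]))
    if "maxrepeats" in policy and new:
        # read as: no single character may occur more than maxrepeats times
        worst = max(new.count(c) for c in set(new))
        if worst > policy["maxrepeats"]:
            failures.append("maxrepeats: a character occurs %d times, limit %d"
                            % (worst, policy["maxrepeats"]))
    if old is not None and "mindiff" in policy:
        # read as: at least mindiff characters of the new password must be absent from the old one
        fresh = sum(1 for c in new if c not in old)
        if fresh < policy["mindiff"]:
            failures.append("mindiff: %d characters absent from old password, %d required"
                            % (fresh, policy["mindiff"]))
    if new in dictionary:
        failures.append("dictionlist: candidate is a dictionary word")
    return failures


if __name__ == "__main__":
    pol = parse_policy_file(SAMPLE_POLICY_FILE)["ibm_corp_policy"]
    for candidate in ("abcd12!", "aaa1234", "password"):
        print(candidate, check_password(candidate, "zzzz", pol, {"password"}))
```

The checker reports every violated rule rather than stopping at the first, which is what an administrator wants when tuning a stanza: a candidate that fails minalpha, maxrepeats and mindiff at once shows how the rules interact.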

Permissions

The permissions on /etc/security/passwd_policy shall be 660, owner root, group security. This restricts access to processes with the privileges needed to perform other security administrative tasks. The permissions on /usr/lib/security/passwd_policy shall be 664, owner root, group security. This allows all processes to read the file, while restricting administrative access to processes with the privileges needed to perform other security administrative tasks. Applications select between policy files using the type parameter to the passwdpolicy() function.
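The following added example (not an AIX tool) audits the mode, owner and group of the two policy files against the values given in this section. The expected values are taken from the text above; the self_check() function runs the same audit on a temporary file it creates, so the logic can be exercised on a system that does not have the policy files.

```python
"""Added example: verify passwd_policy file permissions against the
values the page specifies (660 and 664, owner root, group security)."""

import grp
import os
import pwd
import stat
import tempfile

# Expected (mode, owner, group) per file, as stated on the page.
EXPECTED = {
    "/etc/security/passwd_policy": (0o660, "root", "security"),
    "/usr/lib/security/passwd_policy": (0o664, "root", "security"),
}


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)          # uid with no passwd entry: report the number


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_policy_file(path, want_mode, want_owner, want_group):
    """Return a list of deviations from the expected mode/owner/group ([] = as specified)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: not present" % path]
    problems = []
    mode = stat.S_IMODE(st.st_mode)       # permission bits only, no file-type bits
    if mode != want_mode:
        problems.append("%s: mode %04o, expected %04o" % (path, mode, want_mode))
    owner = _user_name(st.st_uid)
    if owner != want_owner:
        problems.append("%s: owner %s, expected %s" % (path, owner, want_owner))
    group = _group_name(st.st_gid)
    if group != want_group:
        problems.append("%s: group %s, expected %s" % (path, group, want_group))
    return problems


def audit_all():
    """Audit both policy files; return the combined list of problems."""
    problems = []
    for path, (mode, owner, group) in EXPECTED.items():
        problems.extend(audit_policy_file(path, mode, owner, group))
    return problems


def self_check():
    """Run the audit on a temporary file we control (constructed input).

    Returns (problems when the mode matches, problems when it differs)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o660)
        st = os.stat(path)
        me, my_group = _user_name(st.st_uid), _group_name(st.st_gid)
        matching = audit_policy_file(path, 0o660, me, my_group)
        differing = audit_policy_file(path, 0o664, me, my_group)
    finally:
        os.unlink(path)
    return matching, differing


if __name__ == "__main__":
    for line in audit_all() or ["both passwd_policy files are as specified"]:
        print(line)
```

Run it as root on the AIX host to confirm the two files have not drifted from the specified ownership and mode; any line it prints is a deviation worth correcting, since a world-writable or wrongly grouped policy file lets an unprivileged process weaken the rules every application enforces.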

Location

Item                                 Description
/usr/lib/security/passwd_policy      Location of policy values for PWP_LOCALPOLICY.
/etc/security/passwd_policy          Location of policy values for PWP_SYSTEMPOLICY.