GOODPW(ADM)                    UNIX System V

Name
     goodpw - check a password for non-obviousness

Syntax
     goodpw [ -absm ] [ -d file ] [ -r reason ] [ -MR expr ]

Description
     goodpw reads from the standard input a proposed password and
     applies a variety of heuristic checks intended to spot poor
     password choices. These checks can include checking against
     user names, English words, and too short or too simple
     passwords. Which checks are applied depends on the settings
     in /etc/default/goodpw, the file specified by the -d option,
     and the expressions specified by the -M and -R options.

     The first line read from the standard input is taken to be
     the proposed password. A list of ``canonical forms'' is
     then generated; the canonical form is the password sans any
     non-letters and with all letters converted to upper-case.
     The list always includes the canonical form of the password
     and may, depending on the settings in /etc/default/goodpw,
     also contain left or right ``rotations'' of the canonical
     form. A rotation to the left is a shifting of the second
     through last character one position to the left, with the
     first character becoming the last; a rotation to the right
     is similar but in the opposite direction. The canonical
     list so generated is what most of the checks are applied
     against; if any (possibly rotated) canonical form in the
     list fails a check, the password is considered inadvisable
     and is rejected.

     Any subsequent lines read from the standard input are taken
     to be a ``stop-list'' of disallowed passwords. Each line in
     the stop-list is reduced to its canonical form and checked
     against the canonical list; if there is a match, the
     password is rejected.

     When a password is rejected, the reason is written to the
     standard error output and goodpw exits with a non-zero
     status. If a password passes all checks and hence is not
     rejected, no message is issued and goodpw exits with a zero
     status.

     The -s and -m options modify this behavior: If -s is
     specified, no reason is issued. If -m is specified, then:

          1. the stop-list terminates with an empty line,

          2. one line is written to the standard output indicating
             the acceptance or rejection of the password, and

          3. the entire procedure is repeated using a new password
             and stop-list read from the standard input.

     This allows one goodpw process to check multiple passwords.
     The line written by goodpw to the standard output if -m is
     specified is one of:

          g         The password passed all checks and seems to be
                    acceptable.

          rreason   The password was rejected for the indicated reason
                    (the letter r immediately followed by the reason
                    text).

          eerror    The indicated system error occurred and it cannot be
                    determined whether or not the password is acceptable
                    (the letter e immediately followed by the error
                    text).

     If -s was specified, then no reason or error is written
     after an ``r'' or ``e'', respectively.
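     The following Python is an added example, not goodpw's source
     (which is not on this page): it models the canonical form,
     the left and right rotations, the stop-list comparison, and
     the line protocol goodpw follows under -m. It assumes, since
     the page does not say, that every left and every right
     rotation of the canonical form is generated, and that UNIQUE
     drops duplicate forms from the list.

```python
import re

# Added example, not goodpw's or SCO's code: a model of the canonical-form,
# rotation and stop-list logic described above, plus the line protocol
# goodpw follows under -m.  Assumed here (the page does not say): every
# left and right rotation of the canonical form is generated, and UNIQUE
# drops duplicate forms from the list.

NON_LETTER = re.compile(r"[^A-Za-z]")


def canonical(password):
    """The password sans any non-letters, with all letters upper-cased."""
    return NON_LETTER.sub("", password).upper()


def left_rotations(s):
    """Shift 2nd..last char one place left, first char to the end; repeated
    until the next shift would give the original string back."""
    return [s[i:] + s[:i] for i in range(1, len(s))]


def right_rotations(s):
    """Mirror image of left_rotations: the last char moves to the front."""
    return [s[-i:] + s[:-i] for i in range(1, len(s))]


def canonical_list(password, left="UNIQUE", right="UNIQUE"):
    """The list most checks are applied against.  left/right mirror the
    LEFT_ROTATIONS and RIGHT_ROTATIONS settings: NO, YES or UNIQUE."""
    base = canonical(password)
    forms = [base]
    if left != "NO":
        forms += left_rotations(base)
    if right != "NO":
        forms += right_rotations(base)
    if "UNIQUE" in (left, right):
        forms = list(dict.fromkeys(forms))      # dedupe, keeping order
    return forms


def stop_list_hit(password, stop_list, left="UNIQUE", right="UNIQUE"):
    """True when a stop-list entry, reduced to canonical form, equals any
    (possibly rotated) canonical form of the password.  A side effect of
    canonicalisation worth knowing: passwords made only of digits or
    punctuation all reduce to the empty string and so match one another."""
    forms = set(canonical_list(password, left, right))
    return any(canonical(entry) in forms for entry in stop_list)


def check_stream(text, reason="same as previous password"):
    """Model of -m mode on a block of input: a password line, stop-list
    lines, an empty terminator line, repeated.  Returns the lines goodpw
    would write to standard output: 'g', or 'r' immediately followed by the
    reason.  Only the stop-list check is modelled; the MATCH, REJECT and
    AVOID_* checks are out of scope for this example."""
    out, lines, i = [], text.split("\n"), 0
    while i < len(lines) and lines[i] != "":
        password, i = lines[i], i + 1
        stop = []
        while i < len(lines) and lines[i] != "":
            stop.append(lines[i])
            i += 1
        i += 1                                  # step over the empty terminator
        out.append("r" + reason if stop_list_hit(password, stop) else "g")
    return out


if __name__ == "__main__":
    # Constructed sample: "rub-dort" is a left rotation of Tr0ub4dor's
    # canonical form TRUBDOR, so the first record is rejected.
    sample = "Tr0ub4dor\nrub-dort\n\nhorse.staple\nstaple\n\n"
    print(check_stream(sample))        # ['rsame as previous password', 'g']
```

     The rotation check is what makes a stop-list useful against
     ``same password, shifted by one'' changes; pass left="NO",
     right="NO" to canonical_list or stop_list_hit to see the
     same entry slip through when rotations are ignored.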
     The other options are:

          -a        Use American spelling (default).

          -b        Use British spelling.

          -r reason
                    Specify the message to be issued in case the proposed
                    password matches one of those in the stop-list. The
                    default reason is ``same as previous password.''

          -d file   Read the named file (which should be in the same format
                    as /etc/default/goodpw) and apply the various checks
                    specified.

          -M expr   The password must match expr, a boolean combination of
                    regular expressions. If the first character of expr is
                    a slash (``/'') and a regular file by that name exists,
                    the contents of that file are used as the expression.
                    (If the file cannot be read, an error results.)

          -R expr   The password must not match expr.
     The boolean combination of regular expressions (expr) is
     built from the following operations:

          expr1 & expr2
                    True if, and only if, both expressions expr1 and expr2
                    are true. If expr1 is not true, expr2 is not
                    evaluated.

          expr1 | expr2
                    True if either (or both) of expr1 or expr2 is true. If
                    expr1 is true, expr2 is not evaluated.

          expr1 ^ expr2
                    True if exactly one of expr1 and expr2 is true. Both
                    expr1 and expr2 are always evaluated.

          ! expr    True if expr is not true; expr is always evaluated.

          ( expr )  True if, and only if, expr is true; expr is always
                    evaluated.

          /re/      True if, and only if, regular expression re matches the
                    password. Any regular expression defined by regcmp(S)
                    is understood; substrings defined by (...)$n are placed
                    in ``accumulator'' n.

          $n ~ /re/
                    True if, and only if, accumulator n (0-9, or *) matches
                    regular expression re; accumulator star (``*'') is the
                    entire password.

          $n !~ /re/
                    True if, and only if, accumulator n is not matched by
                    regular expression re.
     The possible goodpw checks, their control settings in
     /etc/default/goodpw, and default values are:

          MATCH=/usr/lib/goodpw/match
                    An expression (expr), or the name of a file containing
                    an expression, that the password must match. This
                    expression may also be specified by the -M option.

          REJECT=/usr/lib/goodpw/reject
                    An expression, or the name of a file containing an
                    expression, that the password must not match. This
                    expression may also be specified by the -R option.

          LEFT_ROTATIONS=UNIQUE
                    How left rotations of the canonical form of the
                    password should be treated: NO - ignored; YES -
                    considered in other checks (i.e., added to the
                    canonical list) and may contain duplications; UNIQUE -
                    considered in other checks but must not contain any
                    duplicates.

          RIGHT_ROTATIONS=UNIQUE
                    Similarly for right rotations.

          BOTH_ROTATIONS=UNIQUE
                    Similarly for rotations in both directions taken
                    together.

          AVOID_USERS=YES
                    Should the canonical list be checked against user login
                    names and real names, obtained from /etc/passwd?

          AVOID_GROUPS=YES
                    Should the canonical list be checked against group
                    names and group member lists, obtained from /etc/group?

          AVOID_MACHINES=YES
                    Should the canonical list be checked against machine
                    names obtained from a number of files, including
                    /etc/systemid and /usr/lib/mail/top?

          AVOID_ALIASES=YES
                    Should the canonical list be checked against mail
                    aliases obtained from /usr/lib/mail/aliases?

          AVOID_WORDS=YES
                    Should the canonical list be checked for properly
                    spelled English words?

          BRITISH=NO
                    Should spell use American or British spelling? Which
                    spelling to use may be specified by the -a and -b
                    options.

          SITECHECKS=NO
                    The name of a program to run to provide additional
                    checking. The program is run with no arguments.
                    Passed to the program on its standard input, on
                    separate lines, is first the actual proposed password
                    and then the canonical list. If the program exits with
                    a non-zero status, the password is rejected.

          SITEREASON=Rejected by site-specific check(s)
                    The reason to give when the SITECHECKS program rejects
                    the password.
     The values for the default settings can be adjusted to
     reflect the local system's security concerns. If
     /etc/default/goodpw does not exist or cannot be read, the
     above default values are used (except for MATCH and REJECT).

     The default MATCH expression matches any password which:

          1. Contains lower-case letters, upper-case letters, and
             digits, and whose length is four or more characters;
             or,

          2. Contains no lower-case letters, no upper-case letters,
             and no digits, and whose length is four or more
             characters; or,

          3. Contains both lower-case letters and digits, or both
             upper-case letters and digits, or both lower- and
             upper-case letters, and whose length is five or more
             characters; or,

          4. Contains nothing but lower-case letters, and whose
             length is six or more characters; or,

          5. Contains nothing but upper-case letters, and whose
             length is six or more characters.

     The default REJECT expression is:

          /[Ss][Cc][Oo]/ | /[Xx][Ee][Nn][Ii][Xx]/

     which matches any password that contains either ``SCO'' or
     ``XENIX'' regardless of case.
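     The following Python is an added example, not goodpw's
     source: a small evaluator for the expr language described
     above, applied to the default REJECT expression (verbatim
     from this page) and to the five default MATCH rules written
     out in expr syntax (this example's rendering of the prose,
     not the contents of /usr/lib/goodpw/match). Assumptions,
     since the page does not cover them: Python's re module
     stands in for regcmp(S); because Python numbers groups by
     position, $n here means group n of the most recent
     successful /re/ match rather than a regcmp (...)$n tag; and
     operator precedence is ! tightest, then &, then ^, with |
     loosest. The reason strings returned by goodpw_default are
     the example's own, not goodpw's messages.

```python
import re

# Added example, not goodpw's or SCO's code: an evaluator for the expr
# language above.  Assumptions: Python's re stands in for regcmp(S); "$n"
# here is group n of the most recent successful /re/ match (Python numbers
# groups by position) rather than a regcmp "(...)$n" tag; and precedence,
# which the page leaves unstated, is ! tightest, then &, then ^, | loosest.

TOKEN_RE = re.compile(r"\s+|(?P<re>/(?:\\.|[^/\\])*/)|(?P<acc>\$[0-9*])|(?P<op>!~|[&|^!~()])")
PREC = {"|": 1, "^": 2, "&": 3}

def tokenize(src):
    """Return ('re', body), ('acc', n) and ('op', text) tokens; blanks skipped."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError("bad expression near %r" % src[pos:pos + 10])
        pos = m.end()
        if m.lastgroup == "re":
            tokens.append(("re", m.group(0)[1:-1]))               # strip slashes
        elif m.lastgroup:
            tokens.append((m.lastgroup, m.group(0).lstrip("$")))  # "$3" -> "3"
    return tokens

def parse(src):
    """Precedence-climbing parser; ASTs are tuples like ('&', ('re', 'a'), ('!', ('re', 'b')))."""
    toks, pos = tokenize(src) + [(None, None)], [0]   # (None, None) marks the end
    def peek():
        return toks[min(pos[0], len(toks) - 1)]
    def take():
        pos[0] += 1
        return toks[min(pos[0] - 1, len(toks) - 1)]
    def binary(min_prec):
        node = unary()
        while peek()[0] == "op" and PREC.get(peek()[1], 0) > min_prec:
            op = take()[1]
            node = (op, node, binary(PREC[op]))
        return node
    def unary():
        kind, val = take()
        if (kind, val) == ("op", "!"):
            return ("!", unary())
        if (kind, val) == ("op", "("):
            node = binary(0)
            if take() != ("op", ")"):
                raise SyntaxError("missing )")
            return node
        if kind == "re":
            return ("re", val)
        if kind == "acc":                                    # $n ~ /re/ or $n !~ /re/
            op, regex = take(), take()
            if op[1] not in ("~", "!~") or regex[0] != "re":
                raise SyntaxError("expected ~ or !~ and a /re/ after $" + val)
            return ("acc", val, op[1] == "!~", regex[1])
        raise SyntaxError("unexpected token %r" % ((kind, val),))
    node = binary(0)
    if peek() != (None, None):
        raise SyntaxError("trailing tokens in expression")
    return node

def evaluate(expr, password):
    """Evaluate expr against password with the page's rules on which operands
    get evaluated.  Accumulator "*" is the whole password."""
    acc = {"*": password}
    def search(regex, subject):
        m = re.search(regex, subject)
        if m:                                   # a match fills accumulators 1..
            acc.update((str(n), g or "") for n, g in enumerate(m.groups(), 1))
        return m is not None
    def ev(node):
        kind = node[0]
        if kind == "re":
            return search(node[1], password)
        if kind == "acc":                       # ("acc", n, negated, regex)
            return search(node[3], acc.get(node[1], "")) != node[2]
        if kind == "!":
            return not ev(node[1])
        if kind == "&":                         # rhs skipped when lhs is false
            return ev(node[1]) and ev(node[2])
        if kind == "|":                         # rhs skipped when lhs is true
            return ev(node[1]) or ev(node[2])
        left, right = ev(node[1]), ev(node[2])  # "^": both always evaluated
        return left != right
    return ev(parse(expr))

DEFAULT_REJECT = "/[Ss][Cc][Oo]/ | /[Xx][Ee][Nn][Ii][Xx]/"   # verbatim from the page

# The five default MATCH rules from the text in expr syntax: this example's
# rendering of the prose, not the contents of /usr/lib/goodpw/match.
DEFAULT_MATCH = """
    ( /[a-z]/ & /[A-Z]/ & /[0-9]/ & /..../ )
  | ( ! /[a-zA-Z0-9]/ & /..../ )
  | ( ( /[a-z]/ & /[0-9]/ | /[A-Z]/ & /[0-9]/ | /[a-z]/ & /[A-Z]/ ) & /...../ )
  | ( /^[a-z]*$/ & /....../ )
  | ( /^[A-Z]*$/ & /....../ )
"""

def goodpw_default(password):
    """Default policy: never empty, MATCH must hold, REJECT must not.
    The reason strings are this example's own, not goodpw's messages."""
    if password == "":
        return False, "empty password"
    if not evaluate(DEFAULT_MATCH, password):
        return False, "does not match MATCH expression"
    if evaluate(DEFAULT_REJECT, password):
        return False, "matches REJECT expression"
    return True, None
```

     Note one consequence of the rules as written: a password such
     as ``ab!!!!'' (lower-case letters plus punctuation only) is
     accepted by none of the five clauses, since clause 4 requires
     nothing but lower-case letters and clause 3 requires two of
     the three classes letters/letters/digits; the evaluator makes
     such gaps in a MATCH expression easy to probe before the
     expression is installed.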
Files
     /usr/lib/goodpw/match
          Expression that all passwords must match; by default,
          it contains the above-described MATCH expression.

     /usr/lib/goodpw/reject
          Expression that no passwords should match; by default,
          it contains the above-described REJECT expression.

See Also
     aliases(M), default(M), group(M), passwd(C), passwd(M),
     regex(S), spell(CT), systemid(M)

Notes
     Not all valid English words are known to spell, and hence
     some English words are considered acceptable as passwords.

     The maximum length of a password is 100 characters, none of
     which may be an ASCII NUL or LF (newline).

     Empty passwords are always rejected.

Value Added
     goodpw is an extension of AT&T System V provided by the
     Santa Cruz Operation.

(printed 8/23/89)                                        GOODPW(ADM)