goodpw(ADM) — OpenDesktop 1.1.0

     GOODPW(ADM)                          UNIX System V



     Name
          goodpw - check a password for non-obviousness


     Syntax
          goodpw [ -absm ] [ -d file ] [ -r reason ] [ -MR expr ]


     Description
          goodpw reads from the standard input a proposed password and
          applies  a variety of heuristic checks intended to spot poor
          password choices.  These checks can include checking against
          user  names,  English  words,  and  too  short or too simple
          passwords.  Which checks are applied depends on the settings
          in /etc/default/goodpw, the file specified by the -d option,
          and the expressions specified by the -M and -R options.

          The first line read from the standard input is taken  to  be
          the  proposed  password.   A  list of ``canonical forms'' is
          then generated; the canonical form is the password sans  any
          non-letters  and  with  all letters converted to upper-case.
          The list always includes the canonical form of the  password
          and  may,  depending on the settings in /etc/default/goodpw,
          also contain left or right ``rotations''  of  the  canonical
          form.   A  rotation  to the left is a shifting of the second
          through last character one position to the  left,  with  the
          first  character  becoming the last; a rotation to the right
          is similar but in the  opposite  direction.   The  canonical
          list  so  generated  is  what most of the checks are applied
          against; if any (possibly rotated)  canonical  form  in  the
          list  fails  a check, the password is considered inadvisable
          and is rejected.

          Any subsequent lines read from the standard input are  taken
          to be a ``stop-list'' of disallowed passwords.  Each line in
          the stop-list is reduced to its canonical form  and  checked
          against  the  canonical  list;  if  there  is  a  match, the
          password is rejected.
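
          The canonical list and stop-list comparison described  above,
          modelled  in  Python as an added example; this is not goodpw's
          own code.  It assumes every repeated  shift  counts  as  a
          rotation  and  that  each  form is listed once, neither of
          which the page spells out.

```python
import string

LETTERS = set(string.ascii_letters)


def canonical(text):
    """Canonical form: non-letters removed, letters upper-cased."""
    return "".join(c for c in text if c in LETTERS).upper()


def canonical_list(password, left=True, right=True):
    """Canonical form plus its rotations, each form listed once."""
    form = canonical(password)
    forms = [form]
    for k in range(1, len(form)):
        if left:
            forms.append(form[k:] + form[:k])    # k shifts to the left
        if right:
            forms.append(form[-k:] + form[:-k])  # k shifts to the right
    return list(dict.fromkeys(forms))            # de-duplicate, keep order


def stop_list_hit(password, stop_list, left=True, right=True):
    """Return the first stop-list line matching the canonical list, or None."""
    forms = set(canonical_list(password, left, right))
    for line in stop_list:
        entry = canonical(line)
        # Assumption: an empty canonical form (no letters) is never compared.
        if entry and entry in forms:
            return line
    return None


if __name__ == "__main__":
    # Constructed sample: previous password, then three proposed replacements.
    previous = ["Winter#1"]
    for proposed in ("winter2!", "terWin42", "Xq7!vbTz"):
        print(proposed, canonical_list(proposed)[0],
              stop_list_hit(proposed, previous))
```

          Because digits and punctuation are stripped  before  the
          comparison,  changing only the non-letter characters of a
          previous password still produces a stop-list match.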

          When a password is rejected, the reason is  written  to  the
          standard  error  output  and  goodpw  exits  with a non-zero
          status.  If a password passes all checks and  hence  is  not
          rejected,  no message is issued and goodpw exits with a zero
          status.

          The -s and -m  options  modify  this  behavior:   If  -s  is
          specified, no reason is issued.  If -m is specified, then:

          1.   the stop-list terminates with an empty line,

          2.   one line is written to the standard  output  indicating
               the acceptance or rejection of the password, and

          3.   the entire procedure is repeated using a  new  password
               and stop-list read from the standard input.

          This allows one goodpw process to check multiple  passwords.
          The  line  written by goodpw to the standard output if -m is
          specified is one of:

          g    The  password  passed  all  checks  and  seems  to   be
               acceptable.

          rreason
               The password was rejected for the indicated reason.

          eerror
               The indicated system error occurred and  it  cannot  be
               determined whether or not the password is acceptable.

          If -s was specified, then no  reason  or  error  is  written
          after a ``r'' or ``e,'' respectively.

          The other options are:

          -a   Use American spelling (default).

          -b   Use British spelling.

          -rreason
               Specify the message to be issued in case  the  proposed
               password  matches  one  of those in the stop-list.  The
               default reason is ``same as previous password.''

          -dfile
               Read the named file (which should be in the same format
               as  /etc/default/goodpw)  and  apply the various checks
               specified.

          -Mexpr
               The password must match expr, a boolean combination  of
               regular expressions.  If the first character of expr is
               a slash (``/'') and a regular file by that name exists,
               the  contents  of that file are used as the expression.
               (If the file cannot be read, an error results.)

          -Rexpr
               The password must not match expr.

          The boolean combination of  regular  expressions  (expr)  is
          built from the following operations:

          expr1 & expr2
               True if, and only if, both expressions expr1 and  expr2
               are   true.   If  expr1  is  not  true,  expr2  is  not
               evaluated.

          expr1  |  expr2
               True if either (or both) of expr1 or expr2 is true.  If
               expr1 is true, expr2 is not evaluated.

          expr1  ^  expr2
               True if exactly one of expr1 and expr2 is true.   Both
               expr1 and expr2 are always evaluated.

          ! expr
               True if expr is not true; expr is always evaluated.

          ( expr )
               True if, and only if, expr  is  true;  expr  is  always
               evaluated.

          /re/ True if, and only if, regular expression re matches the
               password.   Any regular expression defined by regcmp(S)
               is understood; substrings defined by (...)$n are placed
               in ``accumulator'' n.

          $n ~ /re/
               True if, and only if, accumulator n (0-9, or *) matches
               regular  expression re; accumulator star (``*'') is the
               entire password.

          $n !~ /re/
               True if, and only if, accumulator n is not  matched  by
               regular expression re.

          The  possible  goodpw  checks,  their  control  settings  in
          /etc/default/goodpw, and default values are:

          MATCH=/usr/lib/goodpw/match
               An expression (expr), or the name of a file containing an
               expression,   that   the  password  must  match.   This
               expression also may be specified by the -M option.

          REJECT=/usr/lib/goodpw/reject
               An expression, or the name  of  a  file  containing  an
               expression,  that  the  password  must not match.  This
               expression may also be specified by the -R option.

          LEFT_ROTATIONS=UNIQUE
               How  left  rotations  of  the  canonical  form  of  the
               password  should  be  treated:   NO  -  ignored;  YES -
               considered  in  other  checks  (i.e.,  added   to   the
               canonical  list) and may contain duplications; UNIQUE -
               considered in other checks but  must  not  contain  any
               duplicates.

          RIGHT_ROTATIONS=UNIQUE
               Similarly for right rotations.

          BOTH_ROTATIONS=UNIQUE
               Similarly  for  rotations  in  both  directions   taken
               together.

          AVOID_USERS=YES
               Should the canonical list be checked against user login
               names and real names, obtained from /etc/passwd?

          AVOID_GROUPS=YES
               Should the canonical  list  be  checked  against  group
               names and group member lists, obtained from /etc/group?

          AVOID_MACHINES=YES
               Should the canonical list be  checked  against  machine
               names  obtained  from  a  number  of  files,  including
               /etc/systemid and /usr/lib/mail/top?

          AVOID_ALIASES=YES
               Should the  canonical  list  be  checked  against  mail
               aliases obtained from /usr/lib/mail/aliases?

          AVOID_WORDS=YES
               Should the  canonical  list  be  checked  for  properly
               spelled English words?

          BRITISH=NO
               Should spell use American or British  spelling?   Which
               spelling  to  use  may  be  specified  by the -a and -b
               options.

          SITECHECKS=NO
               The name of a program  to  run  to  provide  additional
               checking.   The  program  is  run  with  no  arguments.
               Passed  to  the  program  on  its  standard  input,  on
               separate  lines,  is first the actual proposed password
               and then the canonical list.  If the program exits with
               a non-zero status, the password is rejected.

          SITEREASON=Rejected by site-specific check(s)
               The reason to give when the SITECHECKS program  rejects
               the password.

          The values for the  default  settings  can  be  adjusted  to
          reflect   the   local   system's   security   concerns.   If
          /etc/default/goodpw does not exist or cannot  be  read,  the
          above default values are used (except for MATCH and REJECT).
          The default MATCH expression matches any password which:

          1.   Contains lower-case letters,  upper-case  letters,  and
               digits,  and  whose  length is four or more characters;
               or,

          2.   Contains no lower-case letters, no upper-case  letters,
               and  no  digits,  and  whose  length  is  four  or more
               characters; or,

          3.   Contains both lower-case letters and  digits,  or  both
               upper-case  letters  and  digits,  or  both  lower- and
               upper-case letters, and whose length is  five  or  more
               characters; or,

          4.   Contains nothing  but  lower-case  letters,  and  whose
               length is six or more characters; or,

          5.   Contains nothing  but  upper-case  letters,  and  whose
               length is six or more characters.

          The default REJECT expression is:
               /[Ss][Cc][Oo]/ | /[Xx][Ee][Nn][Ii][Xx]/
          which matches any password that contains either  ``SCO''  or
          ``XENIX'' regardless of case.
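
          The default policy above as an added Python example, not the
          contents  of  /usr/lib/goodpw/match  (which the page does not
          show).  It follows a literal reading of the five MATCH rules
          and  the  REJECT expression; the function names and verdict
          strings are constructed for illustration.

```python
import re
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)

# Default REJECT expression from the page:
#   /[Ss][Cc][Oo]/ | /[Xx][Ee][Nn][Ii][Xx]/
REJECT = (re.compile(r"[Ss][Cc][Oo]"), re.compile(r"[Xx][Ee][Nn][Ii][Xx]"))


def default_match_rule(pw):
    """Number (1-5) of the first default MATCH rule pw satisfies, else 0."""
    chars = set(pw)
    classes = bool(chars & LOWER) + bool(chars & UPPER) + bool(chars & DIGIT)
    n = len(pw)
    if classes == 3 and n >= 4:
        return 1          # lower, upper and digits; length >= 4
    if classes == 0 and n >= 4:
        return 2          # no letters or digits at all; length >= 4
    if classes >= 2 and n >= 5:
        return 3          # any two of lower/upper/digits; length >= 5
    if chars <= LOWER and n >= 6:
        return 4          # nothing but lower-case; length >= 6
    if chars <= UPPER and n >= 6:
        return 5          # nothing but upper-case; length >= 6
    return 0              # also covers the empty password


def verdict(pw):
    """Apply MATCH (must match) and then REJECT (must not match)."""
    if default_match_rule(pw) == 0:
        return "reject: MATCH"
    if any(p.search(pw) for p in REJECT):
        return "reject: REJECT"
    return "accept"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("aB3x", "!@#$", "ab1c", "abcdef", "hello!world", "disco99"):
        print(repr(pw), default_match_rule(pw), verdict(pw))
```

          Read literally, a single character class mixed only with
          punctuation  (``hello!world'')  satisfies  none of the five
          rules, and REJECT fires on substrings such as  the  ``sco''
          in ``disco99''.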


     Files
          /usr/lib/goodpw/match
               Expression that all passwords must match;  by  default,
               it contains the above-described MATCH expression.

          /usr/lib/goodpw/reject
               Expression that no passwords should match; by  default,
               it contains the above-described REJECT expression.


     See Also
          aliases(M),  default(M),  group(M),  passwd(C),   passwd(M),
          regex(S), spell(CT), systemid(M)


     Notes
          Not all valid English words are known to  spell,  and  hence
          some English words are considered acceptable as passwords.

          The maximum length of a password is 100 characters, none  of
          which may be an ASCII NUL or LF (newline).

          Empty passwords are always rejected.


     Value Added
          goodpw is an extension of AT&T  System  V  provided  by  the
          Santa Cruz Operation.


     (printed 2/15/90)                                GOODPW(ADM)