Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ goodpw(ADM) — OpenDesktop 3.0.0

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

default(F)

group(F)

passwd(C)

passwd(FP)

regex(S)

systemid(F)

spell(C)


 goodpw(ADM)                     19 June 1992                     goodpw(ADM)


 Name

    goodpw - check a password for non-obviousness

 Syntax

    goodpw [ -absm ] [ -d file ] [ -r reason ] [ -MR expr ]

 Description

    goodpw reads a proposed password from the standard input and applies a
    variety of heuristic checks intended to spot poor password choices.
    These checks can include checking against user names, English words, and
    too short or too simple passwords.  The checks applied depend on the set-
    tings in /etc/default/goodpw, the file specified by the -d option, and
    the expressions specified by the -M and -R options.

    The first line read from the standard input is taken to be the proposed
    password.  A list of ``canonical forms'' is then generated; the canonical
    form is the password without any non-letters and with all letters con-
    verted to upper-case.  The list always includes the canonical form of the
    password and may, depending on the settings in /etc/default/goodpw, also
    contain left or right ``rotations'' of the canonical form.  A rotation to
    the left is a shifting of the second through last character one position
    to the left, with the first character becoming the last; a rotation to
    the right is similar but in the opposite direction.  The canonical list
    so generated is what most of the checks are applied against; if any (pos-
    sibly rotated) canonical form in the list fails a check, the password is
    considered inadvisable and is rejected.

    Any subsequent lines read from the standard input are taken to be a
    ``stop list'' of disallowed passwords.  Each line in the stop list is
    reduced to its canonical form and checked against the canonical list; if
    there is a match, the password is rejected.

    When a password is rejected, the reason is written to the standard error
    output and goodpw exits with a non-zero status.  If a password passes all
    checks and hence is not rejected, no message is issued and goodpw exits
    with a zero status.

    The -s and -m options modify this behavior:  If -s is specified, no rea-
    son is issued.  If -m is specified, then:

    1.  the stop list terminates with an empty line,

    2.  one line is written to the standard output indicating the acceptance
        or rejection of the password, and

    3.  the entire procedure is repeated using a new password and stop list
        read from the standard input.

    This allows one goodpw process to check multiple passwords.  The line
    written by goodpw to the standard output if -m is specified is one of:

    g         The password passed all checks and seems to be acceptable.

    rreason   The password was rejected for the indicated reason.

    eerror    The indicated system error occurred and it cannot be determined
              whether or not the password is acceptable.

    If -s was specified, then no reason or error is written after a r or e,
    respectively.

    The other options are:

    -a        Use American spelling (default).

    -b        Use British spelling.

    -rreason  Specify the message to be issued in case the proposed password
              matches one of those in the stop-list.  The default reason is
              ``same as previous password''.

    -dfile    Read the named file (which should be in the same format as
              /etc/default/goodpw) and apply the various checks specified.

    -Mexpr    The password must match expr, a boolean combination of regular
              expressions.  If the first character of expr is a slash (``/'')
              and a regular file by that name exists, the contents of that
              file are used as the expression.  (If the file cannot be read,
              an error results.)

    -Rexpr    The password must not match expr.

    The boolean combination of regular expressions (expr) is built from the
    following operations:

    expr1 & expr2 True if, and only if, both expressions expr1 and expr2 are
                  true.  If expr1 is not true, expr2 is not evaluated.

    expr1 | expr2 True if either (or both) of expr1 or expr2 is true.  If
                  expr1 is true, expr2 is not evaluated.

    expr1 ^ expr2 True if exactly one of expr1 and expr2 are true.  Both
                  expr1 and expr2 are always evaluated.

    ! expr        True if expr is not true; expr is always evaluated.

    ( expr )      True if, and only if, expr is true; expr is always
                  evaluated.

    /re/          True if, and only if, regular expression re matches the
                  password.  Any regular expression defined by regcmp(S) is
                  understood; substrings defined by (...)$n are placed in
                  ``accumulator'' n.

    $n ~ /re/     True if, and only if, accumulator n (0-9, or *) matches
                  regular expression re; accumulator star (*) is the entire
                  password.

    $n !~ /re/    True if, and only if, accumulator n is not matched by regu-
                  lar expression re.

    The possible goodpw checks, their control settings in
    /etc/default/goodpw, and default values are:

    MATCH=/usr/lib/goodpw/match
              An expression (expr), or the name of file containing an expres-
              sion, that the password must match.  This expression also may
              be specified by the -M option.

    REJECT=/usr/lib/goodpw/reject
              An expression, or the name of a file containing an expression,
              that the password must not match.  This expression may also be
              specified by the -R option.

    LEFTROTATIONS=UNIQUE
              How left rotations of the canonical form of the password should
              be treated:  NO - ignored; YES - considered in other checks
              (that is, added to the canonical list) and may contain duplica-
              tions; UNIQUE - considered in other checks but must not contain
              any duplications.

    RIGHTROTATIONS=UNIQUE
              Similarly for right rotations.

    BOTHROTATIONS=UNIQUE
              Similarly for rotations in both directions taken together.

    AVOIDUSERS=YES
              Should the canonical list be checked against user login names
              and real names, obtained from /etc/passwd?

    AVOIDGROUPS=YES
              Should the canonical list be checked against group names and
              group member lists, obtained from /etc/group?

    AVOIDMACHINES=YES
              Should the canonical list be checked against machine names
              obtained from a number of files, including /etc/systemid and
              /usr/lib/mail/top?

    AVOIDALIASES=YES
              Should the canonical list be checked against mail aliases
              obtained from /usr/lib/mail/aliases?

    AVOIDWORDS=YES
              Should the canonical list be checked for properly spelled
              English words?

    BRITISH=NO
              Should spell use American or British spelling?  Which spelling
              to use may be specified by the -a and -b options.

    SITECHECKS=NO
              The name of a program to run to provide additional checking.
              The program is run with no arguments.  Passed to the program on
              its standard input, on separate lines, is first the actual pro-
              posed password and then the canonical list.  If the program
              exits with a non-zero status, the password is rejected.

    SITEREASON=Rejected by site-specific check(s)
              The reason to give when the SITECHECKS program rejects the
              password.  The values for the default settings can be adjusted
              to reflect the local system's security concerns.  If
              /etc/default/goodpw does not exist or cannot be read, the above
              default values are used (except for MATCH and REJECT).  The
              default MATCH expression matches any password which:

    1.        Contains lower-case letters, upper-case letters, and digits,
              and whose length is four or more characters; or,

    2.        Contains no lower-case letters, no upper-case letters, and no
              digits, and whose length is four or more characters; or,

    3.        Contains both lower-case letters and digits, or both upper-case
              letters and digits, or both lower- and upper-case letters, and
              whose length is five or more characters; or,

    4.        Contains nothing but lower-case letters, and whose length is
              six or more characters; or,

    5.        Contains nothing but upper-case letters, and whose length is
              six or more characters.

    The default REJECT expression is:

       /[Ss][Cc][Oo]/ | /[Xx][Ee][Nn][Ii][Xx]/

    which matches any password that contains either ``SCO'' or ``XENIX''
    regardless of case.

 Files

    /usr/lib/goodpw/match     Expression that all passwords must match; by
                              default, it contains the above-described MATCH
                              expression.
    /usr/lib/goodpw/reject    Expression that no passwords should match; by
                              default, it contains the above-described REJECT
                              expression.

 See also

    default(F), group(F), passwd(C), passwd(FP), regex(S), systemid(F),
    spell(C)

 Notes

    Not all valid English words are known to spell, and hence some English
    words are considered acceptable as passwords.

    The maximum length of a password is 100 characters, none of which may be
    an ASCII NUL or LF (newline).

    Empty passwords are always rejected.

 Value added

    goodpw is an extension of AT&T System V provided by The Santa Cruz Opera-
    tion, Inc.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026