goodpw(ADM)
goodpw --
check a password for non-obviousness
Syntax
goodpw [ -absm ] [ -d file ]
[ -r reason ] [ -MR expr ]
Description
goodpw
reads a proposed password from the standard input and applies
a variety of heuristic checks intended to spot poor password choices.
These checks can include checking against user names,
English words, and too short or too simple passwords.
The checks applied depend on the settings in /etc/default/goodpw,
the file specified by the -d option,
and the expressions specified by the
-M and -R options.
The first line read from the standard input is taken to be the
proposed password.
A list of ``canonical forms'' is then generated;
the canonical form is the password without any non-letters
and with all letters converted to upper-case.
The list always includes the canonical form of the password
and may, depending on the settings in
/etc/default/goodpw,
also contain left or right ``rotations'' of the canonical form.
A rotation to the left is a shifting of the second through last character
one position to the left,
with the first character becoming the last;
a rotation to the right is similar but in the opposite direction.
The canonical list so generated is what most of the checks are applied against;
if any (possibly rotated) canonical form in the list fails a check,
the password is considered inadvisable and is rejected.
Any subsequent lines read from the standard input are taken to be
a ``stop list'' of disallowed passwords.
Each line in the stop list is reduced to its canonical form and
checked against the canonical list;
if there is a match, the password is rejected.
When a password is rejected,
the reason is written to the standard error output and
goodpw exits with a non-zero status.
If a password passes all checks and hence is not rejected,
no message is issued and goodpw exits with a zero status.
The -s and -m options modify this behavior:
If -s is specified, no reason is issued.
If -m is specified, then:
-
the stop list terminates with an empty line,
-
one line is written to the standard output indicating the
acceptance or rejection of the password,
and
-
the entire procedure is repeated using a new password
and stop list read from the standard input.
This allows one goodpw process to check multiple passwords.
The line written by goodpw to the standard output if
-m is specified is one of:
g-
The password passed all checks and seems to be acceptable.
rreason-
The password was rejected for the indicated reason.
eerror-
The indicated system error occurred and
it cannot be determined whether or not the password is acceptable.
If -s was specified, then no reason or error
is written after an r or e, respectively.
The other options are:
-a-
Use American spelling (default).
-b-
Use British spelling.
-rreason-
Specify the message to be issued in case the proposed password
matches one of those in the stop-list.
The default reason is ``same as previous password''.
-dfile-
Read the named file
(which should be in the same format as /etc/default/goodpw)
and apply the various checks specified.
-Mexpr-
The password must match expr,
a boolean combination of regular expressions.
If the first character of expr is a slash (/)
and a regular file by that name exists,
the contents of that file are used as the expression.
(If the file cannot be read, an error results.)
-Rexpr-
The password must not match expr.
The boolean combination of regular expressions (expr)
is built from the following operations:
expr1 & expr2 -
True if, and only if, both expressions expr1 and
expr2 are true.
If expr1 is not true,
expr2 is not evaluated.
expr1 | expr2 -
True if either (or both) of expr1 or expr2 is true.
If expr1 is true,
expr2 is not evaluated.
expr1 ^ expr2 -
True if exactly one of expr1 and expr2 are true.
Both expr1 and expr2 are always evaluated.
! expr-
True if expr is not true; expr is always evaluated.
( expr )-
True if, and only if, expr is true; expr
is always evaluated.
/re/-
True if, and only if, regular expression re matches the password.
Any regular expression defined by
regcmp(S-osr5)
is understood;
substrings defined by
(...)$n
are placed in ``accumulator'' n.
$n ~ /re/-
True if, and only if, accumulator n
(09, or ) matches regular expression
re;
accumulator star () is the entire password.
$n !~ /re/-
True if, and only if, accumulator n
is not matched by regular expression re.
The possible goodpw checks, their control settings in
/etc/default/goodpw, and default values are:
AVOID_ALIASES=YES-
Should the canonical list be checked against mail aliases obtained from
/usr/lib/mail/aliases?
AVOID_GROUPS=YES-
Should the canonical list be checked against group names
and group member lists, obtained from /etc/group?
AVOID_MACHINES=YES-
Should the canonical list be checked against machine names obtained
from a number of files, including
/etc/systemid and /usr/lib/mail/top?
AVOID_USERS=YES-
Should the canonical list be checked against user login names
and real names, obtained from /etc/passwd?
AVOID_WORDS=YES-
Should the canonical list be checked for properly spelled English words?
BRITISH=NO-
Should spell use American or British spelling?
Which spelling to use may be specified by the
-a and -b options.
LEFT_ROTATIONS=UNIQUE-
How left rotations of the canonical form of the password should be treated:
NO -- ignored; YES -- considered in other checks (that
is, added to the canonical list) and may contain duplications;
UNIQUE
-- considered in other checks but must not contain any duplications.
RIGHT_ROTATIONS=UNIQUE-
Similarly for right rotations.
BOTH_ROTATIONS=UNIQUE-
Similarly for rotations in both directions taken together.
MATCH=/usr/lib/goodpw/match-
An expression (expr),
or the name of file containing an expression,
that the password must match.
This expression also may be specified by the -M option.
REJECT=/usr/lib/goodpw/reject-
An expression, or the name of a file containing an expression,
that the password must not match.
This expression may also be specified by the -R option.
SITECHECKS=NO-
The name of a program to run to provide additional checking.
The program is run with no arguments.
Passed to the program on its standard input,
on separate lines,
is first the actual proposed password and then the canonical list.
If the program exits with a non-zero status,
the password is rejected.
SITEREASON=Rejected by site-specific check(s)-
The reason to give when the SITECHECKS program rejects the password.
The values for the default settings can be adjusted to reflect the
local system's security concerns.
If /etc/default/goodpw does not exist or cannot be read,
the above default values are used (except for
MATCH and REJECT).
The default MATCH expression, defined in
/usr/lib/goodpw/match, matches any password that
satisfies one of the following criteria:
-
contains lower-case letters, upper-case letters, and digits,
and whose length is four or more characters
-
contains no lower-case letters, no upper-case letters, and no digits,
and whose length is four or more characters
-
contains both lower-case letters and digits,
or both upper-case letters and digits,
or both lower- and upper-case letters,
and whose length is five or more characters
-
contains nothing but lower-case letters,
and whose length is six or more characters
-
contains nothing but upper-case letters,
and whose length is six or more characters
The default REJECT expression, defined in
/usr/lib/goodpw/reject, is:
/[Ss][Cc][Oo]/ | /[Xx][Ee][Nn][Ii][Xx]/ | /[Uu][Nn][Ii][Xx]/
This matches any password that contains one of the strings:
``SCO'', ``XENIX'', or ``UNIX'',
regardless of case.
Limitations
Not all valid English words are known to spell,
and hence some English words are considered acceptable as passwords.
The maximum length of a password is 100 characters,
none of which may be an ASCII NUL or
LF (newline).
Empty passwords are always rejected.
Files
/usr/lib/goodpw/match-
default MATCH expression that all passwords must match
/usr/lib/goodpw/reject-
default REJECT expression that no passwords should match
See also
default(F),
group(F),
passwd(C),
passwd(F),
regex(S-osr5),
spell(C),
systemid(F)
Standards conformance
goodpw is not part of any currently supported standard; it
is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005