Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Linux.

Most modern Linux distributions use Linux-PAM with a password changing module which understands "use_authtok". Thus, you may choose which module prompts for the old password, things should work either way.

FreeBSD 5+, DragonFly BSD 2.2+.

FreeBSD 5 and newer, as well as DragonFly BSD 2.2 and newer, include pam_passwdqc in the base system. You should be able to use either the included or the distributed separately version of pam_passwdqc with these systems. There's a commented out usage example in the default /etc/pam.d/passwd.

FreeBSD 4 and older used a cut down version of Linux-PAM (not OpenPAM) and didn't use PAM for password changing.

OpenBSD.

OpenBSD does not use PAM, however it is able to use passwdqc's pwqcheck program. Insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\" (without the quotes, but with the trailing backslash) into the "default" section in /etc/login.conf.

Solaris, HP-UX 11.

On Solaris 2.6, 7, and 8 (without patch 108993-18/108994-18 or later) and on HP-UX 11, pam_passwdqc has to ask for the old password during the update phase. Use "ask_oldauthtok=update check_oldauthtok" with pam_passwdqc and "use_first_pass" with pam_unix.

On Solaris 8 (with patch 108993-18/108994-18 or later), 9, and 10, use pam_passwdqc instead of both pam_authtok_get and pam_authtok_check, and set "retry=1" with pam_passwdqc as the passwd command has its own handling for that.

You will likely also need to set "max=8" in order to actually enforce not-so-weak passwords with the obsolete traditional DES-based hashes that most Solaris systems use and the flawed approach HP-UX uses to process characters past 8. Of course this way you only get about one third of the functionality of pam_passwdqc. As a better alternative, on modern Solaris systems you may edit the "CRYPT_DEFAULT=__unix__" line in /etc/security/policy.conf to read "CRYPT_DEFAULT=2a" to enable the OpenBSD-style bcrypt (Blowfish-based) password hashing.

There's a wiki page with detailed instructions specific to Solaris:

https://openwall.info/wiki/passwdqc/solaris