#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# The "md5" option enables MD5 passwords.  Without this option, the
# default is Unix crypt.
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# You can also use the "min" option to enforce the length of the new
# password.
#
# See the pam_unix manpage for other options.

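%if %%check_passwd == 'oui'
# Strength checking is delegated to pam_passwdqc.  Each check_passwd_min_len_*
# variable is the minimum length for passwords built from that many character
# classes; a value of 0 disallows that class count entirely ("disabled").
# Enabled lengths are collected in pwd_lengths so pam_unix's own floor below
# can follow the smallest of them.
%set %%pwd_lengths = []
%if %%check_passwd_min_len_one_type == 0
%set %%min_len_one_type = 'disabled'
%else
%set %%min_len_one_type = %%check_passwd_min_len_one_type
%silent %%pwd_lengths.append(%%check_passwd_min_len_one_type)
%end if
%if %%check_passwd_min_len_two_type == 0
%set %%min_len_two_type = 'disabled'
%else
%set %%min_len_two_type = %%check_passwd_min_len_two_type
%silent %%pwd_lengths.append(%%check_passwd_min_len_two_type)
%end if
%if %%check_passwd_min_len_three_type == 0
%set %%min_len_three_type = 'disabled'
%else
%set %%min_len_three_type = %%check_passwd_min_len_three_type
%silent %%pwd_lengths.append(%%check_passwd_min_len_three_type)
%end if
%if %%check_passwd_min_len_four_type == 0
%set %%min_len_four_type = 'disabled'
%else
%set %%min_len_four_type = %%check_passwd_min_len_four_type
%silent %%pwd_lengths.append(%%check_passwd_min_len_four_type)
%end if
# The optional max= argument is prepared here, with its leading space, so the
# passwdqc line below is always emitted as a single complete line.  Appending it
# from a separate template line left the passwdqc and pam_unix entries joined on
# one line whenever check_passwd_max was 0.
%if %%check_passwd_max != 0
%set %%pwdqc_max = ' max=' + %%str(%%check_passwd_max)
%else
%set %%pwdqc_max = ''
%end if
# pam_passwdqc min= takes five values, in this order: one class, two classes,
# passphrase, three classes, four classes.  Passphrases are switched off by
# passphrase=0, so the passphrase slot is unused and simply repeats the
# two-class value; it is not a typo.  ask_oldauthtok collects the current
# password here and similar=deny rejects a new password too close to the old.
password required	pam_passwdqc.so ask_oldauthtok similar=deny min=%%min_len_one_type,%%min_len_two_type,%%min_len_two_type,%%min_len_three_type,%%min_len_four_type passphrase=0%%pwdqc_max
# pam_unix's minlen is the smallest length passwdqc still accepts, so pam_unix
# never rejects a password passwdqc has already approved.
%if %%pwd_lengths
%set %%min_len = %%min(%%pwd_lengths)
%else
# Every class count is disabled: there is no length to derive a floor from.
# (passwdqc will then refuse every password; check the check_passwd_min_len_*
# values in that case.)
%set %%min_len = 0
%end if
# With passwdqc in front, pam_unix takes the password already collected
# instead of prompting a second time.
%set %%unix_extra = ' use_first_pass'
%else
# No passwdqc: only pam_unix's built-in checks apply and minlen is not raised.
%set %%min_len = 0
%set %%unix_extra = ''
%end if
password   requisite   pam_unix.so nullok sha512 minlen=%%min_len%%unix_extra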

# Alternate strength checking for passwords. Note that this
# requires the libpam-cracklib package to be installed.
# To use it, comment out the generated password lines above and
# uncomment the next two.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required	  pam_cracklib.so retry=3 minlen=6 difok=3
# password required	  pam_unix.so use_authtok nullok md5

# minimally-intrusive inclusion of smbpass in the stack for
# synchronization.  If the module is absent or the passwords don't
# match, this module will be ignored without prompting; and if the
# passwords do match, the NTLM hash for the user will be updated
# automatically.
#password   optional   pam_smbpass.so nullok use_authtok use_first_pass missingok
