# -*- mode: python; coding: utf-8 -*-

include("pam")

header("""
/etc/pam.d/common-password - password-related modules common to all services

This file is included from other service-specific PAM config files,
and should contain a list of modules that define  the services to be
used to change user passwords.  The default is pam_unix
""")

@# The "nullok" option allows users to change an empty password, else
@# empty passwords are treated as locked accounts.
@#
@# (Add `md5' after the module name to enable MD5 passwords)
@#
@# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
@# login.defs. Also the "min" and "max" options enforce the length of the
@# new password.

print "password   sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
print "password   required   pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"

@# Alternate strength checking for password. Note that this
@# requires the libpam-cracklib package to be installed.
@# You will need to comment out the password line above and
@# uncomment the next two in order to use this.
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')