#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# here are the per-package modules (the "Primary" block)

################## Titanium Cloud Password Rules #######################
## Enforce a password containing atleast 1 lower case, 1 upper case,   #
## 1 digit and 1 special character. Such a password will have a        #
## minimum length of 7 characters. A user may not re-use the last most #
## recent password and every password must differ from its previous    #
## one by atleast 3 characters                                         #
##  - Added enforce_for_root for pam_pwquality.so             #
########################################################################

password    required                        pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
password    required                        pam_pwhistory.so use_authtok enforce_for_root remember=2 retry=3 debug

password    sufficient                      pam_unix.so sha512 use_authtok debug
password    [success=done authtok_err=die perm_denied=die default=ignore]  pam_ldap.so use_authtok debug



# If we got this far then its clearly a DENY
password    requisite                       pam_deny.so