Please see the README for instructions common to all platforms and
descriptions of the options mentioned here.


	Linux.

Most modern Linux distributions use Linux-PAM with a password changing
module which understands "use_authtok".  Thus, you may choose which
module prompts for the old password, things should work either way.


	FreeBSD.

FreeBSD 5 includes pam_passwdqc in the base system.  You should be
able to use either the included or the distributed separately version
of pam_passwdqc with FreeBSD 5.  There's a commented out usage example
in the default /etc/pam.d/passwd.  FreeBSD 4 and older used a cut down
version of Linux-PAM (not OpenPAM) and didn't use PAM for password
changing.


	Solaris, HP-UX 11.

On Solaris 2.6, 7, and 8 (without patch 108993-18/108994-18 or later)
and on HP-UX 11, pam_passwdqc has to ask for the old password during
the update phase.  Use "ask_oldauthtok=update check_oldauthtok" with
pam_passwdqc and "use_first_pass" with pam_unix.

On Solaris 8 (with patch 108993-18/108994-18 or later), 9, and 10,
use pam_passwdqc instead of both pam_authtok_get and pam_authtok_check,
and set "retry=1" with pam_passwdqc as the passwd command has its own
handling for that.

You will likely also need to set "max=8" in order to actually enforce
not-so-weak passwords with the obsolete traditional DES-based hashes
that most Solaris systems use and the flawed approach HP-UX uses to
process characters past 8.  Of course this way you only get about one
third of the functionality of pam_passwdqc.

$Owl$
