path: root/modules/pam_cracklib/pam_cracklib.8.xml
author Steve Langasek <steve.langasek@ubuntu.com> 2019-01-03 21:22:21 -0800
committer Steve Langasek <steve.langasek@ubuntu.com> 2019-01-03 21:22:45 -0800
commit 795badba7f95e737f979917859cd32c9bd47bcad (patch)
tree 212a6a00baa11e9d0ca7bc27b12420d1dce6f07c /modules/pam_cracklib/pam_cracklib.8.xml
parent c55c14c5c6762139ec6695d84ea0e2e917da5264 (diff)
parent ba315ae8effdcad591608c99452dad05c4cf20ab (diff)
New upstream version 1.1.8
Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
-rw-r--r-- modules/pam_cracklib/pam_cracklib.8.xml 105
1 files changed, 75 insertions, 30 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 29e00c09..3f6e76f0 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -77,17 +77,10 @@
<para>
Is the new password too much like the old one?
This is primarily controlled by one argument,
- <option>difok</option> which is a number of characters
- that if different between the old and new are enough to accept
- the new password, this defaults to 10 or 1/2 the size of the
- new password whichever is smaller.
- </para>
- <para>
- To avoid the lockup associated with trying to change a long and
- complicated password, <option>difignore</option> is available.
- This argument can be used to specify the minimum length a new
- password needs to be before the <option>difok</option> value is
- ignored. The default value for <option>difignore</option> is 23.
+ <option>difok</option> which is a number of character changes
+ (inserts, removals, or replacements) between the old and new
+ password that are enough to accept the new password.
+ This defaults to 5 changes.
</para>
</listitem>
</varlistentry>
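Review bot: With the difignore paragraph removed here, the page no longer tells an administrator what happens to an existing PAM configuration that still passes difignore=N. Add a sentence saying whether the option is still accepted and ignored or now treated as an error. The rewritten difok sentence would also read better split in two, for example "This is primarily controlled by the difok argument, the number of character changes (inserts, removals, or replacements) between the old and new password that is enough to accept the new password."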
@@ -96,7 +89,8 @@
<listitem>
<para>
Is the new password too small?
- This is controlled by 5 arguments <option>minlen</option>,
+ This is controlled by 6 arguments <option>minlen</option>,
+ <option>maxclassrepeat</option>,
<option>dcredit</option>, <option>ucredit</option>,
<option>lcredit</option>, and <option>ocredit</option>. See the section
on the arguments for the details of how these work and there defaults.
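Review bot: maxclassrepeat is added to the list of arguments that control the "too small" check, but the description added later in this patch says it rejects runs of consecutive characters of the same class, which is not a length or credit rule. Either explain in this paragraph how it bears on the size check or list it as a separate check, as is done for the monotonic sequence check. Since the paragraph is being touched anyway, the context line ending "there defaults" should read "their defaults".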
@@ -120,6 +114,14 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>Too long monotonic character sequence</term>
+ <listitem>
+ <para>
+ Optional check for too long monotonic character sequence.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>Contains user name</term>
<listitem>
<para>
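Review bot: The new "Too long monotonic character sequence" entry only restates its own term and does not name the option that enables it. The neighbouring entries name their controlling arguments, so mention maxsequence here and note that the check is disabled unless that option is set, which is what "Optional" is presumably meant to convey.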
@@ -204,24 +206,9 @@
<listitem>
<para>
This argument will change the default of
- <emphasis>5</emphasis> for the number of characters in
- the new password that must not be present in the old
- password. In addition, if 1/2 of the characters in the
- new password are different then the new password will
- be accepted anyway.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>difignore=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- How many characters should the password have before
- difok will be ignored. The default is
- <emphasis>23</emphasis>.
+ <emphasis>5</emphasis> for the number of character
+ changes in the new password that differentiate it
+ from the old password.
</para>
</listitem>
</varlistentry>
@@ -370,6 +357,34 @@
<varlistentry>
<term>
+ <option>maxsequence=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain monotonic character sequences
+ longer than N. The default is 0 which means that this check
+ is disabled. Examples of such sequence are '12345' or 'fedcb'.
+ Note that most such passwords will not pass the simplicity
+ check unless the sequence is only a minor part of the password.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>maxclassrepeat=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain more than N consecutive
+ characters of the same class. The default is 0 which means
+ that this check is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>reject_username</option>
</term>
<listitem>
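Review bot: In the maxclassrepeat entry, "characters of the same class" is never defined. State the classes, presumably the digit, uppercase, lowercase and other groups that the dcredit, ucredit, lcredit and ocredit options refer to, so a reader can predict what N=3 would reject. In the maxsequence entry, "longer than N" next to the five-character examples '12345' and 'fedcb' leaves the boundary unclear. Give one concrete value of N and say which example it rejects. "Examples of such sequence" should be "Examples of such sequences".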
@@ -383,6 +398,36 @@
<varlistentry>
<term>
+ <option>gecoscheck</option>
+ </term>
+ <listitem>
+ <para>
+ Check whether the words from the GECOS field (usualy full name
+ of the user) longer than 3 characters in straight or reversed
+ form are contained in the new password. If any such word is
+ found the new password is rejected.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>enforce_for_root</option>
+ </term>
+ <listitem>
+ <para>
+ The module will return error on failed check also if the user
+ changing the password is root. This option is off by default
+ which means that just the message about the failed check is
+ printed but root can change the password anyway.
+ Note that root is not asked for an old password so the checks
+ that compare the old and new password are not performed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>use_authtok</option>
</term>
<listitem>
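Review bot: In the gecoscheck paragraph, "usualy" is misspelled, and "longer than 3 characters" is placed after the parenthesis, so it is unclear that it qualifies the words being checked. Suggest "Check whether any word from the GECOS field (usually the full name of the user) that is longer than 3 characters is contained in the new password, in straight or reversed form." In the enforce_for_root entry, "will return error on failed check also if" would be clearer as "will also return an error on a failed check when", and the closing note could say explicitly that the difok comparison is among the checks skipped for root, since that is the old-versus-new check documented on this page.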