author: Tomas Mraz <tmraz@fedoraproject.org> 2012-04-30 15:03:32 +0200
committer: Tomas Mraz <tmraz@fedoraproject.org> 2012-04-30 15:08:20 +0200
commit: 422c19520fb814cfd8edd84d7989f4c52acbfa03
tree: bd3a6759bd75db54d47e58619fe15326a071af29 /modules/pam_cracklib/pam_cracklib.8.xml
parent: cf9c75be753a3c12fdecb9f4696b8ad1b28dd799
pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore.
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
(simple): Add the check for the same class repetition.
(usercheck): Refactor into wordcheck().
(gecoscheck): New test for words from the GECOS field.
(password_check): Call the gecoscheck().
(pam_sm_chauthtok): Drop the diff_ignore from options struct.
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
-rw-r--r-- modules/pam_cracklib/pam_cracklib.8.xml 66
1 files changed, 36 insertions, 30 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 29e00c09..5022c753 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -77,17 +77,10 @@
<para>
Is the new password too much like the old one?
This is primarily controlled by one argument,
- <option>difok</option> which is a number of characters
- that if different between the old and new are enough to accept
- the new password, this defaults to 10 or 1/2 the size of the
- new password whichever is smaller.
- </para>
- <para>
- To avoid the lockup associated with trying to change a long and
- complicated password, <option>difignore</option> is available.
- This argument can be used to specify the minimum length a new
- password needs to be before the <option>difok</option> value is
- ignored. The default value for <option>difignore</option> is 23.
+ <option>difok</option> which is a number of character changes
+ (inserts, removals, or replacements) between the old and new
+ password that are enough to accept the new password.
+ This defaults to 5 changes.
</para>
</listitem>
</varlistentry>
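Review bot: The rewritten difok paragraph drops the "1/2 the size of the new password whichever is smaller" clause without saying whether that relaxation still applies. Please state explicitly whether a short new password can still pass with fewer than difok changes, since the old text promised it and the new text is silent. Two smaller points in the added lines: "which is a number of character changes" reads better as "which is the number of character changes", and the default stated here changes from 10 to 5, which is worth calling out in the commit message because it alters what administrators were told about an unconfigured module.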
@@ -96,7 +89,8 @@
<listitem>
<para>
Is the new password too small?
- This is controlled by 5 arguments <option>minlen</option>,
+ This is controlled by 6 arguments <option>minlen</option>,
+ <option>maxclassrepeat</option>,
<option>dcredit</option>, <option>ucredit</option>,
<option>lcredit</option>, and <option>ocredit</option>. See the section
on the arguments for the details of how these work and there defaults.
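Review bot: Listing maxclassrepeat under "Is the new password too small?" is misleading, because the option as documented later in this patch rejects runs of same-class characters and says nothing about length. Consider describing it under its own check, or at least rewording the heading sentence so it does not claim that six arguments control password size. While this sentence is being touched, the context line "how these work and there defaults" should read "their defaults".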
@@ -204,24 +198,9 @@
<listitem>
<para>
This argument will change the default of
- <emphasis>5</emphasis> for the number of characters in
- the new password that must not be present in the old
- password. In addition, if 1/2 of the characters in the
- new password are different then the new password will
- be accepted anyway.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>difignore=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- How many characters should the password have before
- difok will be ignored. The default is
- <emphasis>23</emphasis>.
+ <emphasis>5</emphasis> for the number of character
+ changes in the new password that differentiate it
+ from the old password.
</para>
</listitem>
</varlistentry>
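Review bot: The difignore entry is removed outright, yet the commit message says the module still recognizes the option and ignores it. Existing PAM configurations that carry difignore=N will now reference an argument with no man page entry, so a short entry stating that the option is accepted but has no effect would be safer than deleting it. The rewritten difok entry also drops the sentence "if 1/2 of the characters in the new password are different then the new password will be accepted anyway" without saying whether that behaviour is gone; please document it either way.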
@@ -370,6 +349,19 @@
<varlistentry>
<term>
+ <option>maxclassrepeat=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain more than N consecutive
+ characters of the same class. The default is 0 which means
+ that this check is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>reject_username</option>
</term>
<listitem>
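Review bot: The maxclassrepeat entry does not define "class", so a reader cannot tell which characters count as the same class. Suggest naming the classes in this paragraph, for example by pointing at the classes used by dcredit, ucredit, lcredit and ocredit, if those are the ones the check uses. It would also help to give one short example of a rejected password for a given N, because "more than N consecutive characters" is easy to misread as "N or more".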
@@ -383,6 +375,20 @@
<varlistentry>
<term>
+ <option>gecoscheck</option>
+ </term>
+ <listitem>
+ <para>
+ Check whether the words from the GECOS field (usualy full name
+ of the user) longer than 3 characters in straight or reversed
+ form are contained in the new password. If any such word is
+ found the new password is rejected.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>use_authtok</option>
</term>
<listitem>
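Review bot: Typo in the gecoscheck paragraph: "usualy" should be "usually". The sentence is also hard to parse with the parenthetical sitting between "GECOS field" and "longer than 3 characters"; something like "Check whether any word longer than 3 characters from the GECOS field (usually the user's full name), in straight or reversed form, is contained in the new password" reads more clearly. Please also say whether the comparison is case-sensitive, since that determines whether a capitalised name from GECOS is caught when the password uses it in lower case.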