pam_unix: obscure checks

* Bring in the obscure checks that used to live in shadow so we can still support them

* Set default minimum password length to 6

Gbp-Pq: Name 0003-pam_unix-obscure-checks.patch

1 files changed, 75 insertions, 2 deletions

diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index dfc04274..4e63a496 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -397,8 +397,81 @@
         <listitem>
           <para>
             Set a minimum password length of <replaceable>n</replaceable>
-            characters. The max. for DES crypt based passwords are 8
-            characters.
+            characters.  The default value is 6.  The maximum for DES
+            crypt-based passwords is 8 characters.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>obscure</option>
+        </term>
+        <listitem>
+          <para>
+            Enable some extra checks on password strength.  These checks
+            are based on the "obscure" checks in the original shadow
+            package.  The behavior is similar to the pam_cracklib
+            module, but for non-dictionary-based checks.  The following
+            checks are implemented:
+            <variablelist>
+              <varlistentry>
+                <term>
+                  <option>Palindrome</option>
+                </term>
+                <listitem>
+                  <para>
+                    Verifies that the new password is not a palindrome
+                    of (i.e., the reverse of) the previous one.
+                  </para>
+                </listitem>
+              </varlistentry>
+              <varlistentry>
+                <term>
+                  <option>Case Change Only</option>
+                </term>
+                <listitem>
+                  <para>
+                    Verifies that the new password isn't the same as the
+                    old one with a change of case.
+                  </para>
+                </listitem>
+              </varlistentry>
+              <varlistentry>
+                <term>
+                  <option>Similar</option>
+                </term>
+                <listitem>
+                  <para>
+                    Verifies that the new password isn't too much like
+                    the previous one.
+                  </para>
+                </listitem>
+              </varlistentry>
+              <varlistentry>
+                <term>
+                  <option>Simple</option>
+                </term>
+                <listitem>
+                  <para>
+                    Is the new password too simple?  This is based on
+                    the length of the password and the number of
+                    different types of characters (alpha, numeric, etc.)
+                    used.
+                  </para>
+                </listitem>
+              </varlistentry>
+              <varlistentry>
+                <term>
+                  <option>Rotated</option>
+                </term>
+                <listitem>
+                  <para>
+                    Is the new password a rotated version of the old
+                    password?  (E.g., "billy" and "illyb")
+                  </para>
+                </listitem>
+              </varlistentry>
+            </variablelist>
           </para>
         </listitem>
       </varlistentry>