From 422c19520fb814cfd8edd84d7989f4c52acbfa03 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Apr 2012 15:03:32 +0200 Subject: pam_cracklib: Add maxclassrepeat, gecoscheck checks and remove unused difignore. modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option. (simple): Add the check for the same class repetition. (usercheck): Refactor into wordcheck(). (gecoscheck): New test for words from the GECOS field. (password_check): Call the gecoscheck(). (pam_sm_chauthtok): Drop the diff_ignore from options struct. modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test. --- modules/pam_cracklib/pam_cracklib.8.xml | 66 ++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 30 deletions(-) (limited to 'modules/pam_cracklib/pam_cracklib.8.xml') diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 29e00c09..5022c753 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -77,17 +77,10 @@ Is the new password too much like the old one? This is primarily controlled by one argument, - which is a number of characters - that if different between the old and new are enough to accept - the new password, this defaults to 10 or 1/2 the size of the - new password whichever is smaller. - - - To avoid the lockup associated with trying to change a long and - complicated password, is available. - This argument can be used to specify the minimum length a new - password needs to be before the value is - ignored. The default value for is 23. + which is a number of character changes + (inserts, removals, or replacements) between the old and new + password that are enough to accept the new password. + This defaults to 5 changes. 
@@ -96,7 +89,8 @@ Is the new password too small? - This is controlled by 5 arguments , + This is controlled by 6 arguments , + , , , , and . See the section on the arguments for the details of how these work and there defaults. @@ -204,24 +198,9 @@ This argument will change the default of - 5 for the number of characters in - the new password that must not be present in the old - password. In addition, if 1/2 of the characters in the - new password are different then the new password will - be accepted anyway. - - - - - - - - - - - How many characters should the password have before - difok will be ignored. The default is - 23. + 5 for the number of character + changes in the new password that differentiate it + from the old password. @@ -368,6 +347,19 @@ + + + + + + + Reject passwords which contain more than N consecutive + characters of the same class. The default is 0 which means + that this check is disabled. + + + + @@ -381,6 +373,20 @@ + + + + + + + Check whether the words from the GECOS field (usualy full name + of the user) longer than 3 characters in straight or reversed + form are contained in the new password. If any such word is + found the new password is rejected. + + + + -- cgit v1.2.3
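Review bot: In the first hunk (@@ -77,17 +77,10 @@), the new difok wording "that are enough to accept the new password" does not say outright that the value is a minimum. Suggest phrasing it as the minimum number of character changes (inserts, removals, or replacements) required between the old and the new password. The old text gave the default as "10 or 1/2 the size of the new password" and the new text says 5, so the description should also make clear whether only the documentation is being corrected or the effective default has changed.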
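Review bot: In the hunk at @@ -96,7 +89,8 @@, the sentence being edited still ends with "how these work and there defaults", which should read "their defaults". Since this line is already being touched to bump the count from 5 to 6, fix the typo in the same change. The hard-coded count also has to be updated by hand every time an option is added, so consider dropping the number and just listing the arguments.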
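Review bot: In the hunk at @@ -204,24 +198,9 @@, the difignore entry is deleted from the option list outright, while the commit message says the parser will "Ignore difignore option", meaning it is still accepted. An administrator with difignore= in an existing PAM configuration will find no mention of it in the man page and no hint that the setting no longer has any effect. Suggest keeping a short entry that states the option is accepted for backward compatibility and ignored. The removed sentence "if 1/2 of the characters in the new password are different then the new password will be accepted anyway" described an acceptance shortcut, so the text should also say plainly that this shortcut is gone.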
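Review bot: In the hunk at @@ -368,6 +347,19 @@, the new maxclassrepeat entry relies on the term "class" in "more than N consecutive characters of the same class" without defining it or pointing to where the classes are described. Suggest naming the character classes in this entry or adding a cross-reference to the section that defines them, so a reader choosing a value for N knows what counts as a repeat. The default of 0 meaning "disabled" is stated, which is good.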
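Review bot: In the last hunk (@@ -373,20 @@ side of @@ -381,6 +373,20 @@), the added gecoscheck paragraph has a typo, "usualy", which should be "usually". The entry also does not say whether the check is enabled by default or whether the comparison against the password is case-sensitive; both matter to someone deciding whether to turn it on. The phrase "longer than 3 characters in straight or reversed form" reads more clearly if the length condition is attached directly to "words", for example "words from the GECOS field that are longer than 3 characters, in straight or reversed form".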