Diffstat (limited to 'modules/pam_cracklib/README')
-rw-r--r-- modules/pam_cracklib/README 59
1 files changed, 39 insertions, 20 deletions
diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README
index 53264f7..6a59c1c 100644
--- a/modules/pam_cracklib/README
+++ b/modules/pam_cracklib/README
@@ -32,20 +32,15 @@ Case Change Only
Similar
Is the new password too much like the old one? This is primarily controlled
- by one argument, difok which is a number of characters that if different
- between the old and new are enough to accept the new password, this
- defaults to 10 or 1/2 the size of the new password whichever is smaller.
-
- To avoid the lockup associated with trying to change a long and complicated
- password, difignore is available. This argument can be used to specify the
- minimum length a new password needs to be before the difok value is
- ignored. The default value for difignore is 23.
+ by one argument, difok which is a number of character changes (inserts,
+ removals, or replacements) between the old and new password that are enough
+ to accept the new password. This defaults to 5 changes.
Simple
- Is the new password too small? This is controlled by 5 arguments minlen,
- dcredit, ucredit, lcredit, and ocredit. See the section on the arguments
- for the details of how these work and there defaults.
+ Is the new password too small? This is controlled by 6 arguments minlen,
+ maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on
+ the arguments for the details of how these work and there defaults.
Rotated
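Review bot: In the reworded "Simple" paragraph, maxclassrepeat is added to the list of arguments answering "Is the new password too small?", but its own entry later in this patch describes a limit on consecutive characters of the same class, which is not a size property. Either give the check its own overview entry, as is done for the monotonic sequence check, or add a sentence here explaining how it feeds into the simplicity check. The line you are rewriting also still reads "there defaults"; since it is being touched anyway, change it to "their defaults". The new difok overview ("This defaults to 5 changes.") now agrees with the "default of 5" in the argument section, which the old "defaults to 10 or 1/2 the size" text did not.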
@@ -55,6 +50,10 @@ Same consecutive characters
Optional check for same consecutive characters.
+Too long monotonic character sequence
+
+ Optional check for too long monotonic character sequence.
+
Contains user name
Optional check whether the password contains the user's name in some form.
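Review bot: The new "Too long monotonic character sequence" entry only restates its heading ("Optional check for too long monotonic character sequence.") and gives the reader no way to find the controlling option. Name the maxsequence argument here and include a short illustration of what counts as monotonic, for example the '12345' and 'fedcb' cases already used in the argument description, so the overview is usable without reading ahead.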
@@ -93,15 +92,8 @@ retry=N
difok=N
- This argument will change the default of 5 for the number of characters in
- the new password that must not be present in the old password. In addition,
- if 1/2 of the characters in the new password are different then the new
- password will be accepted anyway.
-
-difignore=N
-
- How many characters should the password have before difok will be ignored.
- The default is 23.
+ This argument will change the default of 5 for the number of character
+ changes in the new password that differentiate it from the old password.
minlen=N
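Review bot: The difignore=N entry is removed outright, with nothing said to administrators whose existing PAM configuration lines still carry that argument. If the option is still accepted and ignored for compatibility, state that in one line; if it is now rejected, that should be documented as well, because a password stack that fails to parse its arguments is an operational risk. The new difok text also drops the old sentence about accepting the password when half of its characters differ without stating that this fallback is gone, and it would read more precisely if it repeated the "(inserts, removals, or replacements)" definition from the overview so that "character changes" is unambiguous in the reference section too.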
@@ -169,11 +161,38 @@ maxrepeat=N
Reject passwords which contain more than N same consecutive characters. The
default is 0 which means that this check is disabled.
+maxsequence=N
+
+ Reject passwords which contain monotonic character sequences longer than N.
+ The default is 0 which means that this check is disabled. Examples of such
+ sequence are '12345' or 'fedcb'. Note that most such passwords will not
+ pass the simplicity check unless the sequence is only a minor part of the
+ password.
+
+maxclassrepeat=N
+
+ Reject passwords which contain more than N consecutive characters of the
+ same class. The default is 0 which means that this check is disabled.
+
reject_username
Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected.
+gecoscheck
+
+ Check whether the words from the GECOS field (usualy full name of the user)
+ longer than 3 characters in straight or reversed form are contained in the
+ new password. If any such word is found the new password is rejected.
+
+enforce_for_root
+
+ The module will return error on failed check also if the user changing the
+ password is root. This option is off by default which means that just the
+ message about the failed check is printed but root can change the password
+ anyway. Note that root is not asked for an old password so the checks that
+ compare the old and new password are not performed.
+
use_authtok
This argument is used to force the module to not prompt the user for a new