Diffstat (limited to 'modules/pam_cracklib/pam_cracklib.8.xml')
-rw-r--r-- | modules/pam_cracklib/pam_cracklib.8.xml | 105 |
1 files changed, 75 insertions, 30 deletions
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml index 29e00c0..3f6e76f 100644 --- a/modules/pam_cracklib/pam_cracklib.8.xml +++ b/modules/pam_cracklib/pam_cracklib.8.xml @@ -77,17 +77,10 @@ <para> Is the new password too much like the old one? This is primarily controlled by one argument, - <option>difok</option> which is a number of characters - that if different between the old and new are enough to accept - the new password, this defaults to 10 or 1/2 the size of the - new password whichever is smaller. - </para> - <para> - To avoid the lockup associated with trying to change a long and - complicated password, <option>difignore</option> is available. - This argument can be used to specify the minimum length a new - password needs to be before the <option>difok</option> value is - ignored. The default value for <option>difignore</option> is 23. + <option>difok</option> which is a number of character changes + (inserts, removals, or replacements) between the old and new + password that are enough to accept the new password. + This defaults to 5 changes. </para> </listitem> </varlistentry> @@ -96,7 +89,8 @@ <listitem> <para> Is the new password too small? - This is controlled by 5 arguments <option>minlen</option>, + This is controlled by 6 arguments <option>minlen</option>, + <option>maxclassrepeat</option>, <option>dcredit</option>, <option>ucredit</option>, <option>lcredit</option>, and <option>ocredit</option>. See the section on the arguments for the details of how these work and there defaults. @@ -120,6 +114,14 @@ </listitem> </varlistentry> <varlistentry> + <term>Too long monotonic character sequence</term> + <listitem> + <para> + Optional check for too long monotonic character sequence. + </para> + </listitem> + </varlistentry> + <varlistentry> <term>Contains user name</term> <listitem> <para> 
@@ -204,24 +206,9 @@ <listitem> <para> This argument will change the default of - <emphasis>5</emphasis> for the number of characters in - the new password that must not be present in the old - password. In addition, if 1/2 of the characters in the - new password are different then the new password will - be accepted anyway. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>difignore=<replaceable>N</replaceable></option> - </term> - <listitem> - <para> - How many characters should the password have before - difok will be ignored. The default is - <emphasis>23</emphasis>. + <emphasis>5</emphasis> for the number of character + changes in the new password that differentiate it + from the old password. </para> </listitem> </varlistentry> @@ -370,6 +357,34 @@ <varlistentry> <term> + <option>maxsequence=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Reject passwords which contain monotonic character sequences + longer than N. The default is 0 which means that this check + is disabled. Examples of such sequence are '12345' or 'fedcb'. + Note that most such passwords will not pass the simplicity + check unless the sequence is only a minor part of the password. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>maxclassrepeat=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Reject passwords which contain more than N consecutive + characters of the same class. The default is 0 which means + that this check is disabled. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> <option>reject_username</option> </term> <listitem> 
@@ -383,6 +398,36 @@ <varlistentry> <term> + <option>gecoscheck</option> + </term> + <listitem> + <para> + Check whether the words from the GECOS field (usualy full name + of the user) longer than 3 characters in straight or reversed + form are contained in the new password. If any such word is + found the new password is rejected. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>enforce_for_root</option> + </term> + <listitem> + <para> + The module will return error on failed check also if the user + changing the password is root. This option is off by default + which means that just the message about the failed check is + printed but root can change the password anyway. + Note that root is not asked for an old password so the checks + that compare the old and new password are not performed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> <option>use_authtok</option> </term> <listitem> |
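Review bot: In the hunk at @@ -96,7 +89,8 @@, maxclassrepeat is added to the argument list under "Is the new password too small?", but the entry added for it later in this patch describes it as rejecting more than N consecutive characters of the same class, which is not a length check. Suggest keeping that list to the five length-related arguments and giving maxclassrepeat its own check entry, the way the monotonic sequence check gets one. The unchanged context line "how these work and there defaults" could also be corrected to "their defaults" while this paragraph is being touched.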
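Review bot: In the hunk at @@ -120,6 +114,14 @@, the new "Too long monotonic character sequence" entry says only that the check is optional and does not name the argument that enables it. The neighbouring entries name their controlling arguments (difok, minlen and the credit options), so suggest adding that the check is controlled by <option>maxsequence</option> and is disabled by default.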
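Review bot: In the hunk at @@ -204,24 +206,9 @@, the whole difignore entry is removed without any statement of what happens to existing PAM configurations that still pass difignore=N. Suggest a short note on whether the argument is still accepted and ignored or now treated as unknown, so administrators know whether a stack that uses it needs editing. The same hunk drops the sentence about acceptance when half of the characters differ, so the difok entry should state outright that no such fallback exists any more.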
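Review bot: In the hunk at @@ -370,6 +357,34 @@, the maxclassrepeat entry refers to "characters of the same class" without saying what a class is. Suggest naming the classes here (presumably the digit, uppercase, lowercase and other groups behind dcredit, ucredit, lcredit and ocredit) or pointing to where they are defined. In the maxsequence entry, "Examples of such sequence are" should read "Examples of such sequences are", and it would help to say whether a sequence of exactly N characters is accepted.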
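Review bot: In the hunk at @@ -383,6 +398,36 @@, the gecoscheck entry has the typo "usualy", which should be "usually". In the same sentence "longer than 3 characters" is placed so that it can be read as applying to the GECOS field rather than to the individual words; "words longer than 3 characters from the GECOS field" removes the ambiguity. For enforce_for_root, "will return error on failed check also if" reads more clearly as "will also return an error on a failed check if".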