author Tomas Mraz <tmraz@redhat.com> 2012-06-29 11:01:20 +0200
committer Tomas Mraz <tmraz@redhat.com> 2012-06-29 11:01:20 +0200
commit 6d66fc29db2f4739884f027d5942a9fe61d0a69e
tree 4dafbe29f2905028dec3292c645349deba067d55 /doc
parent 340c850953c3a8b36cd809412e96a0c5bfd052fb
Add maxsequence check for too long monotonic character sequence.
Diffstat (limited to 'doc')
-rw-r--r-- doc/man/pam_pwquality.8 | 26
-rw-r--r-- doc/man/pwquality.conf.5 | 9
2 files changed, 30 insertions, 5 deletions
diff --git a/doc/man/pam_pwquality.8 b/doc/man/pam_pwquality.8
index b8269de..863480f 100644
--- a/doc/man/pam_pwquality.8
+++ b/doc/man/pam_pwquality.8
@@ -27,7 +27,7 @@ new authentication token\&.
The strength checks works in the following manner: at first the
\fBCracklib\fR
routine is called to check if the password is part of a dictionary; if this
-is not the case an additional set of strength checks are done\&. These checks
+is not the case an additional set of strength checks is done\&. These checks
are:
.PP
Palindrome
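Review bot: The agreement fix stops one clause short. The opening context line of this paragraph still reads "The strength checks works in the following manner", which has the same subject-verb mismatch that this hunk corrects in "set of strength checks is done". Suggest changing it to "The strength checks work in the following manner" in the same edit so the sentence is consistent end to end.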
@@ -45,14 +45,16 @@ Similar
Is the new password too much like the old one? This is primarily controlled
by one argument,
\fBdifok\fR
-which is a number of changes between the old and new are enough to accept
-the new password\&.
+which is a number of character changes (inserts, removals, or replacements)
+between the old and new password that are enough to accept the new
+password\&. This defaults to 5 changes\&.
.RE
.PP
Simple
.RS 4
-Is the new password too small? This is controlled by 5 arguments
+Is the new password too small? This is controlled by 6 arguments
\fBminlen\fR,
+\fBmaxclassrepeat\fR,
\fBdcredit\fR,
\fBucredit\fR,
\fBlcredit\fR, and
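Review bot: The added maxclassrepeat entry and the bump from "5 arguments" to "6 arguments" under "Simple" are not covered by the commit subject, which only mentions maxsequence. The entry also sits under the question "Is the new password too small?", while the option's own description further down the page is about consecutive characters of the same class, not length. Suggest either rewording the "Simple" lead sentence so it covers class-based checks, or splitting this documentation fix into its own commit. Separately, in the difok text, "which is a number of character changes ... that are enough" would read more cleanly as "which is the number of character changes ... required to accept the new password".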
@@ -70,9 +72,14 @@ Same consecutive characters
Optional check for same consecutive characters\&.
.RE
.PP
+Too long monotonic character sequence
+.RS 4
+Optional check for too long monotonic character sequence\&.
+.RE
+.PP
Contains user name
.RS 4
-Optional check whether the password contains the user name in some form\&.
+Optional check whether the password contains the user\*(Aqs name in some form\&.
.RE
.PP
These checks are configurable either by use of the module arguments
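Review bot: The new "Too long monotonic character sequence" entry does not name the option that controls it, and its description only restates the heading. The "Similar" and "Simple" entries in this same list name their arguments (difok, minlen and so on), so a reader scanning the list cannot tell from here that maxsequence is the switch. Suggest something like "Optional check for monotonic character sequences longer than the limit set by maxsequence". Also, the change from "the user name" to "the user\*(Aqs name" shifts the meaning: "user name" reads as the login name, while "user's name" can be read as the person's real name. If the check is against the login name, the original wording was the more precise one.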
@@ -217,6 +224,15 @@ Reject passwords which contain more than N same consecutive characters\&.
The default is 0 which means that this check is disabled\&.
.RE
.PP
+\fBmaxsequence=\fR\fB\fIN\fR\fR
+.RS 4
+Reject passwords which contain monotonic character sequences longer than N\&.
+The default is 0 which means that this check is disabled\&.
+Examples of such sequence are \*(Aq12345\*(Aq or \*(Aqfedcb\*(Aq\&. Note that
+most such passwords will not pass the simplicity check unless the sequence
+is only a minor part of the password\&.
+.RE
+.PP
\fBmaxclassrepeat=\fR\fB\fIN\fR\fR
.RS 4
Reject passwords which contain more than N consecutive characters of the
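Review bot: The maxsequence description does not define what counts as a monotonic sequence, and the boundary is easy to misread. The examples '12345' and 'fedcb' both step by exactly one character, but "monotonic" on its own would also cover runs such as '13579' or 'aceg'; the text should say whether only adjacent characters (step of one, ascending or descending) are matched. With "longer than N", a setting of N=5 would accept '12345' and only reject six or more characters in a row, which is worth stating explicitly, for example by adding a sentence giving the outcome for one value of N. Minor: "Examples of such sequence are" should be "Examples of such sequences are".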
diff --git a/doc/man/pwquality.conf.5 b/doc/man/pwquality.conf.5
index 050d4eb..5302e50 100644
--- a/doc/man/pwquality.conf.5
+++ b/doc/man/pwquality.conf.5
@@ -73,6 +73,15 @@ The maximum number of allowed same consecutive characters in the new password.
The check is disabled if the value is 0. (default 0)
.RE
.PP
+\fBmaxsequence\fR
+.RS 4
+The maximum length of monotonic character sequences in the new password.
+Examples of such sequence are \*(Aq12345\*(Aq or \*(Aqfedcb\*(Aq\&. Note
+that most such passwords will not pass the simplicity check unless
+the sequence is only a minor part of the password.
+The check is disabled if the value is 0. (default 0)
+.RE
+.PP
\fBmaxclassrepeat\fR
.RS 4
The maximum number of allowed consecutive characters of the same class in the
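Review bot: The added maxsequence paragraph mixes sentence terminators: "\*(Aqfedcb\*(Aq\&." uses the \&. escape, while the other added sentences and the surrounding context in this file ("The check is disabled if the value is 0. (default 0)") end with a plain period. Pick the file's existing convention for all of the added lines. The wording also differs from pam_pwquality.8, which says passwords are rejected when the sequence is "longer than N"; here "The maximum length of monotonic character sequences" leaves the reader to infer that exceeding it causes rejection. Aligning the two pages, and fixing "Examples of such sequence" to "Examples of such sequences", would avoid the two man pages drifting apart.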