Add an 'enforcing' setting to make the checks to be warning-only in PAM.

2 files changed, 13 insertions, 0 deletions

diff --git a/doc/man/pam_pwquality.8.pod b/doc/man/pam_pwquality.8.pod
index 6b115f8..307daef 100644
--- a/doc/man/pam_pwquality.8.pod
+++ b/doc/man/pam_pwquality.8.pod
@@ -202,6 +202,12 @@ contains the user name in some form. The default is 1 which means that
 this check is enabled. It is not performed for user names shorter
 than 3 characters.
 
+=item B<enforcing=>I<N>
+
+If nonzero, reject the password if it fails the checks, otherwise
+only print the warning. The default is 1 which means that the weak password
+is rejected (for non-root users).
+
 =item B<badwords=>I<< <list of words> >>
 
 The words more than 3 characters long from this space separated list are
diff --git a/doc/man/pwquality.conf.5.pod b/doc/man/pwquality.conf.5.pod
index ad558f6..6519ec6 100644
--- a/doc/man/pwquality.conf.5.pod
+++ b/doc/man/pwquality.conf.5.pod
@@ -107,6 +107,13 @@ If nonzero, check whether the password (with possible modifications)
 contains the user name in some form. It is not performed for user names shorter
 than 3 characters. (default 1)
 
+=item B<enforcing=>I<N>
+
+If nonzero, reject the password if it fails the checks, otherwise
+only print the warning. This setting applies only to the pam_pwquality module
+and possibly other applications that explicitly change their behavior
+based on it. It does not affect L<pwmake(1)> and L<pwscore(1)>. (default 1)
+
 =item B<badwords>
 
 Space separated list of words that must not be contained in the password. These