Check for arbitrary list of forbidden words.

2 files changed, 15 insertions, 0 deletions

diff --git a/doc/man/pam_pwquality.8 b/doc/man/pam_pwquality.8
index 3c57716..01a3bdf 100644
--- a/doc/man/pam_pwquality.8
+++ b/doc/man/pam_pwquality.8
@@ -233,6 +233,13 @@ field of the user are contained in the new password\&.
 The default is 0 which means that this check is disabled\&.
 .RE
 .PP
+\fBbadwords=\fR\fB\fI<list of words>\fR\fR
+.RS 4
+The words more than 3 characters long from this space separated list are
+individually searched for and forbidden in the new password\&.
+By default the list is empty which means that this check is disabled\&.
+.RE
+.PP
 \fBuse_authtok\fR
 .RS 4
 This argument is used to
diff --git a/doc/man/pwquality.conf.5 b/doc/man/pwquality.conf.5
index 0dcd2f0..5fece5f 100644
--- a/doc/man/pwquality.conf.5
+++ b/doc/man/pwquality.conf.5
@@ -93,6 +93,14 @@ field of the user's passwd entry are contained in the new password.
 The check is disabled if the value is 0. (default 0)
 .RE
 .PP
+\fBbadwords\fR
+.RS 4
+Space separated list of words that must not be contained in the password. These
+are additional words to the cracklib dictionary check. This setting can be
+also used by applications to emulate the gecos check for user accounts that are
+not created yet.
+.RE
+.PP
 \fBdictpath\fR
 .RS 4
 Path to the cracklib dictionaries. Default is to use the cracklib default.