SOURCES: pam-cracklib-enforce.patch (NEW) - enforce option for pam...
baggins
baggins at pld-linux.org
Mon Feb 5 00:20:37 CET 2007
Author: baggins Date: Sun Feb 4 23:20:37 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- enforce option for pam_cracklib
---- Files affected:
SOURCES:
pam-cracklib-enforce.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/pam-cracklib-enforce.patch
diff -u /dev/null SOURCES/pam-cracklib-enforce.patch:1.1
--- /dev/null Mon Feb 5 00:20:37 2007
+++ SOURCES/pam-cracklib-enforce.patch Mon Feb 5 00:20:32 2007
@@ -0,0 +1,150 @@
+diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README
+--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README 2006-08-24 13:26:55.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README 2007-02-04 20:18:11.098999356 +0100
+@@ -162,6 +162,12 @@
+
+ Path to the cracklib dictionaries.
+
++enforce=[none|users|all]
++
++ The module can be configured to warn of weak passwords only, but not
++ actually enforce strong passwords. The default, none, setting will enforce
++ strong passwords for non-root users only.
++
+ EXAMPLES
+
+ For an example of the use of this module, we show how it may be stacked with
+diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8
+--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 2006-08-24 12:04:29.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8 2007-02-04 19:59:32.105794691 +0100
+@@ -167,6 +198,10 @@
+ .TP 3n
+ \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR
+ Path to the cracklib dictionaries.
++.TP 3n
++\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR
++The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default,
++\fInone\fR, setting will enforce strong passwords for non\-root users only.
+ .SH "MODULE SERVICES PROVIDED"
+ .PP
+ Only he
+diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml
+--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml 2006-08-24 12:04:29.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml 2007-02-04 19:53:15.748347303 +0100
+@@ -354,6 +354,20 @@
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>
++ <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option>
++ </term>
++ <listitem>
++ <para>
++ The module can be configured to warn of weak passwords
++ only, but not actually enforce strong passwords. The
++ default, <replaceable>none</replaceable>, setting will
++ enforce strong passwords for non-root users only.
++ </para>
++ </listitem>
++ </varlistentry>
++
+ </variablelist>
+ </para>
+ </refsect1>
+diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c
+--- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c 2006-11-07 12:00:24.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c 2007-02-04 19:59:27.217516126 +0100
+@@ -93,6 +93,7 @@
+ int oth_credit;
+ int use_authtok;
+ int try_first_pass;
++ int enforce;
+ char prompt_type[BUFSIZ];
+ char cracklib_dictpath[PATH_MAX];
+ };
+@@ -108,6 +109,10 @@
+ #define CO_OTH_CREDIT 1
+ #define CO_USE_AUTHTOK 0
+
++#define ENFORCE_NONE 0
++#define ENFORCE_USERS 1
++#define ENFORCE_ALL 2
++
+ static int
+ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
+ int argc, const char **argv)
+@@ -161,6 +166,15 @@
+ } else if (!strncmp(*argv,"dictpath=",9)) {
+ strncpy(opt->cracklib_dictpath, *argv+9,
+ sizeof(opt->cracklib_dictpath) - 1);
++ } else if (!strncmp(*argv,"enforce=",8)) {
++ if (!strncmp(*argv+8,"none",4))
++ opt->enforce = ENFORCE_NONE;
++ else if (!strncmp(*argv+8,"users",5))
++ opt->enforce = ENFORCE_USERS;
++ else if (!strncmp(*argv+8,"all",8))
++ opt->enforce = ENFORCE_ALL;
++ else if (!strncmp(*argv+8,"everyone",8)) // compatibility
++ opt->enforce = ENFORCE_ALL;
+ } else {
+ pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
+ }
+@@ -512,6 +526,7 @@
+ options.low_credit = CO_LOW_CREDIT;
+ options.oth_credit = CO_OTH_CREDIT;
+ options.use_authtok = CO_USE_AUTHTOK;
++ options.enforce = ENFORCE_USERS;
+ memset(options.prompt_type, 0, BUFSIZ);
+ strcpy(options.prompt_type,"UNIX");
+ memset(options.cracklib_dictpath, 0,
+@@ -613,10 +628,21 @@
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
+ pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
+- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
++ if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
+ retval = PAM_AUTHTOK_ERR;
+- else
+- retval = PAM_SUCCESS;
++ else switch (options.enforce) {
++ case ENFORCE_NONE:
++ retval = PAM_SUCCESS;
++ break;
++ case ENFORCE_USERS:
++ if (getuid()) retval = PAM_AUTHTOK_ERR;
++ else retval = PAM_SUCCESS;
++ break;
++ case ENFORCE_ALL:
++ default:
++ retval = PAM_AUTHTOK_ERR;
++ break;
++ }
+ } else {
+ /* check it for strength too... */
+ D(("for strength"));
+@@ -624,10 +650,21 @@
+ retval = _pam_unix_approve_pass(pamh,ctrl,&options,
+ oldtoken,token1);
+ if (retval != PAM_SUCCESS) {
+- if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
++ if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
+ retval = PAM_AUTHTOK_ERR;
+- else
+- retval = PAM_SUCCESS;
++ else switch (options.enforce) {
++ case ENFORCE_NONE:
++ retval = PAM_SUCCESS;
++ break;
++ case ENFORCE_USERS:
++ if (getuid()) retval = PAM_AUTHTOK_ERR;
++ else retval = PAM_SUCCESS;
++ break;
++ case ENFORCE_ALL:
++ default:
++ retval = PAM_AUTHTOK_ERR;
++ break;
++ }
+ }
+ }
+ }
================================================================
More information about the pld-cvs-commit
mailing list