Commit | Line | Data |
---|---|---|
07e9a0e2 JR |
1 | diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README |
2 | --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README 2006-08-24 13:26:55.000000000 +0200 | |
3 | +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README 2007-02-04 20:18:11.098999356 +0100 | |
4 | @@ -162,6 +162,12 @@ | |
5 | ||
6 | Path to the cracklib dictionaries. | |
7 | ||
8 | +enforce=[none|users|all] | |
9 | + | |
10 | + The module can be configured to warn of weak passwords only, but not | |
11 | + actually enforce strong passwords. The default, none, setting will enforce | |
12 | + strong passwords for non-root users only. | |
13 | + | |
14 | EXAMPLES | |
15 | ||
16 | For an example of the use of this module, we show how it may be stacked with | |
17 | diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8 | |
18 | --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 2006-08-24 12:04:29.000000000 +0200 | |
19 | +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8 2007-02-04 19:59:32.105794691 +0100 | |
50802aa0 JR |
20 | @@ -167,6 +198,12 @@ |
21 | .RS 4 | |
07e9a0e2 | 22 | Path to the cracklib dictionaries. |
50802aa0 JR |
23 | .RE |
24 | +.PP | |
07e9a0e2 | 25 | +\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR |
50802aa0 | 26 | +.RS 4 |
07e9a0e2 JR |
27 | +The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default, |
28 | +\fInone\fR, setting will enforce strong passwords for non\-root users only. | |
50802aa0 | 29 | +.RE |
07e9a0e2 JR |
30 | .SH "MODULE SERVICES PROVIDED" |
31 | .PP | |
32 | Only he | |
33 | diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml | |
34 | --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml 2006-08-24 12:04:29.000000000 +0200 | |
35 | +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml 2007-02-04 19:53:15.748347303 +0100 | |
36 | @@ -354,6 +354,20 @@ | |
37 | </listitem> | |
38 | </varlistentry> | |
39 | ||
40 | + <varlistentry> | |
41 | + <term> | |
42 | + <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option> | |
43 | + </term> | |
44 | + <listitem> | |
45 | + <para> | |
46 | + The module can be configured to warn of weak passwords | |
47 | + only, but not actually enforce strong passwords. The | |
48 | + default, <replaceable>none</replaceable>, setting will | |
49 | + enforce strong passwords for non-root users only. | |
50 | + </para> | |
51 | + </listitem> | |
52 | + </varlistentry> | |
53 | + | |
54 | </variablelist> | |
55 | </para> | |
56 | </refsect1> | |
57 | diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c | |
58 | --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c 2006-11-07 12:00:24.000000000 +0100 | |
59 | +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c 2007-02-04 19:59:27.217516126 +0100 | |
60 | @@ -93,6 +93,7 @@ | |
50802aa0 | 61 | int min_class; |
07e9a0e2 JR |
62 | int use_authtok; |
63 | int try_first_pass; | |
64 | + int enforce; | |
65 | char prompt_type[BUFSIZ]; | |
66 | char cracklib_dictpath[PATH_MAX]; | |
67 | }; | |
68 | @@ -108,6 +109,10 @@ | |
69 | #define CO_OTH_CREDIT 1 | |
70 | #define CO_USE_AUTHTOK 0 | |
71 | ||
72 | +#define ENFORCE_NONE 0 | |
73 | +#define ENFORCE_USERS 1 | |
74 | +#define ENFORCE_ALL 2 | |
75 | + | |
76 | static int | |
77 | _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, | |
78 | int argc, const char **argv) | |
79 | @@ -161,6 +166,15 @@ | |
80 | } else if (!strncmp(*argv,"dictpath=",9)) { | |
81 | strncpy(opt->cracklib_dictpath, *argv+9, | |
82 | sizeof(opt->cracklib_dictpath) - 1); | |
83 | + } else if (!strncmp(*argv,"enforce=",8)) { | |
84 | + if (!strncmp(*argv+8,"none",4)) | |
85 | + opt->enforce = ENFORCE_NONE; | |
86 | + else if (!strncmp(*argv+8,"users",5)) | |
87 | + opt->enforce = ENFORCE_USERS; | |
88 | + else if (!strncmp(*argv+8,"all",8)) | |
89 | + opt->enforce = ENFORCE_ALL; | |
90 | + else if (!strncmp(*argv+8,"everyone",8)) // compatibility | |
91 | + opt->enforce = ENFORCE_ALL; | |
92 | } else { | |
93 | pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); | |
94 | } | |
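Review bot: An unrecognised `enforce=` value is dropped without any log line, because the inner chain ending at `else if (!strncmp(*argv+8,"everyone",8))` has no final `else`. A typo or mis-cased value therefore leaves the default level in place, and the outer `unknown option` message is never reached. The comparisons are also inconsistent: `"none",4`, `"users",5` and `"everyone",8` are prefix matches, so any value that merely begins with `none` selects the weakest level, while `"all",8` matches only the exact string. Exact `strcmp` comparisons plus a `pam_syslog` call for the unknown case would make a misconfigured password policy visible in the logs. `_pam_parse` starts and ends outside this hunk.

```c
/* … unchanged: dictpath= handling … */
        } else if (!strncmp(*argv,"enforce=",8)) {
            const char *val = *argv + 8;

            if (!strcmp(val,"none"))
                opt->enforce = ENFORCE_NONE;
            else if (!strcmp(val,"users"))
                opt->enforce = ENFORCE_USERS;
            else if (!strcmp(val,"all") || !strcmp(val,"everyone")) /* compatibility */
                opt->enforce = ENFORCE_ALL;
            else
                pam_syslog(pamh,LOG_ERR,"pam_parse: unknown enforce value; %s",*argv);
/* … unchanged: final else branch logging unknown options … */
```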
95 | @@ -512,6 +526,7 @@ | |
96 | options.low_credit = CO_LOW_CREDIT; | |
97 | options.oth_credit = CO_OTH_CREDIT; | |
98 | options.use_authtok = CO_USE_AUTHTOK; | |
99 | + options.enforce = ENFORCE_USERS; | |
100 | memset(options.prompt_type, 0, BUFSIZ); | |
101 | strcpy(options.prompt_type,"UNIX"); | |
102 | memset(options.cracklib_dictpath, 0, | |
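Review bot: The default set here, `options.enforce = ENFORCE_USERS;`, disagrees with the documentation added by the same patch, which names `none` as the default and says it enforces strong passwords for non-root users. In the code `ENFORCE_NONE` accepts every rejected password, and `ENFORCE_USERS` is the level that refuses them for non-root callers. An administrator who copies `enforce=none` from the README would therefore switch enforcement off. The README, pam_cracklib.8 and pam_cracklib.8.xml text should read `The default, users, setting will enforce strong passwords for non-root users only.` and should say what `none` and `all` do. The function this initialisation belongs to starts and ends outside the hunk.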
103 | @@ -613,10 +628,21 @@ | |
104 | if (ctrl & PAM_DEBUG_ARG) | |
105 | pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg); | |
106 | pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg); | |
107 | - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) | |
108 | + if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) | |
109 | retval = PAM_AUTHTOK_ERR; | |
110 | - else | |
111 | - retval = PAM_SUCCESS; | |
112 | + else switch (options.enforce) { | |
113 | + case ENFORCE_NONE: | |
114 | + retval = PAM_SUCCESS; | |
115 | + break; | |
116 | + case ENFORCE_USERS: | |
117 | + if (getuid()) retval = PAM_AUTHTOK_ERR; | |
118 | + else retval = PAM_SUCCESS; | |
119 | + break; | |
120 | + case ENFORCE_ALL: | |
121 | + default: | |
122 | + retval = PAM_AUTHTOK_ERR; | |
123 | + break; | |
124 | + } | |
125 | } else { | |
126 | /* check it for strength too... */ | |
127 | D(("for strength")); | |
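Review bot: The `else switch (options.enforce)` block added here is repeated verbatim in the next hunk (@@ -624), so the decision that turns a rejected password into `PAM_SUCCESS` lives in two places that can drift apart. Moving it into one static helper keeps the policy in a single spot. `ENFORCE_USERS` still decides on `getuid()`, so if the module is ever invoked by a process whose real uid is 0 on behalf of an ordinary user, the weak password is presumably only warned about. A comment stating that assumption would help the next reader. The enclosing function starts and ends outside the hunk.

```c
/* Result to return once a new password has been rejected by a check. */
static int
_pam_enforce_result (const struct cracklib_options *opt)
{
    switch (opt->enforce) {
    case ENFORCE_NONE:
        return PAM_SUCCESS;          /* warn only */
    case ENFORCE_USERS:
        /* real uid 0 is warned, every other caller is refused */
        return getuid() ? PAM_AUTHTOK_ERR : PAM_SUCCESS;
    case ENFORCE_ALL:
    default:
        return PAM_AUTHTOK_ERR;
    }
}

/* … unchanged: crack_msg logging and pam_error call … */
                if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
                    retval = PAM_AUTHTOK_ERR;
                else
                    retval = _pam_enforce_result(&options);
```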
128 | @@ -624,10 +650,21 @@ | |
50802aa0 JR |
129 | retval = _pam_unix_approve_pass (pamh, ctrl, &options, |
130 | oldtoken, token1); | |
131 | if (retval != PAM_SUCCESS) { | |
132 | - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) | |
133 | + if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) | |
134 | retval = PAM_AUTHTOK_ERR; | |
135 | - else | |
136 | - retval = PAM_SUCCESS; | |
07e9a0e2 JR |
137 | + else switch (options.enforce) { |
138 | + case ENFORCE_NONE: | |
139 | + retval = PAM_SUCCESS; | |
140 | + break; | |
141 | + case ENFORCE_USERS: | |
142 | + if (getuid()) retval = PAM_AUTHTOK_ERR; | |
143 | + else retval = PAM_SUCCESS; | |
144 | + break; | |
145 | + case ENFORCE_ALL: | |
146 | + default: | |
147 | + retval = PAM_AUTHTOK_ERR; | |
148 | + break; | |
149 | + } | |
07e9a0e2 JR |
150 | } |
151 | } | |
50802aa0 | 152 | } |