pam-cracklib-enforce.patch

   1 diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README
   2 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README 2006-08-24 13:26:55.000000000 +0200
   3 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README      2007-02-04 20:18:11.098999356 +0100
   4 @@ -162,6 +162,12 @@
   5
   6      Path to the cracklib dictionaries.
   7
   8 +enforce=[none|users|all]
   9 +
  10 +    The module can be configured to warn of weak passwords only, but not
  11 +    actually enforce strong passwords. The default, none, setting will enforce
  12 +    strong passwords for non-root users only.
  13 +
  14  EXAMPLES
  15
  16  For an example of the use of this module, we show how it may be stacked with
  17 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8
  18 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 2006-08-24 12:04:29.000000000 +0200
  19 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8      2007-02-04 19:59:32.105794691 +0100
  20 @@ -167,6 +198,12 @@
  21  .RS 4
  22  Path to the cracklib dictionaries.
  23  .RE
  24 +.PP
  25 +\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR
  26 +.RS 4
  27 +The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default,
  28 +\fInone\fR, setting will enforce strong passwords for non\-root users only.
  29 +.RE
  30  .SH "MODULE SERVICES PROVIDED"
  31  .PP
  32  Only he
  33 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml
  34 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml     2006-08-24 12:04:29.000000000 +0200
  35 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml  2007-02-04 19:53:15.748347303 +0100
  36 @@ -354,6 +354,20 @@
  37            </listitem>
  38          </varlistentry>
  39
  40 +        <varlistentry>
  41 +          <term>
  42 +           <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option>
  43 +          </term>
  44 +          <listitem>
  45 +            <para>
  46 +             The module can be configured to warn of weak passwords
  47 +             only, but not actually enforce strong passwords.  The
  48 +             default, <replaceable>none</replaceable>, setting will
  49 +             enforce strong passwords for non-root users only.
  50 +            </para>
  51 +          </listitem>
  52 +        </varlistentry>
  53 +
  54        </variablelist>
  55      </para>
  56    </refsect1>
  57 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c
  58 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c 2006-11-07 12:00:24.000000000 +0100
  59 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c      2007-02-04 19:59:27.217516126 +0100
  60 @@ -93,6 +93,7 @@
  61          int min_class;
  62         int use_authtok;
  63         int try_first_pass;
  64 +       int enforce;
  65         char prompt_type[BUFSIZ];
  66          char cracklib_dictpath[PATH_MAX];
  67  };
  68 @@ -108,6 +109,10 @@
  69  #define CO_OTH_CREDIT   1
  70  #define CO_USE_AUTHTOK  0
  71
  72 +#define ENFORCE_NONE   0
  73 +#define ENFORCE_USERS  1
  74 +#define ENFORCE_ALL    2
  75 +
  76  static int
  77  _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
  78              int argc, const char **argv)
  79 @@ -161,6 +166,15 @@
  80              if (!*(opt->cracklib_dictpath)) {
  81                  opt->cracklib_dictpath = CRACKLIB_DICTS;
  82              }
  83 +        } else if (!strncmp(*argv,"enforce=",8)) {
  84 +               if (!strncmp(*argv+8,"none",4))
  85 +                       opt->enforce = ENFORCE_NONE;
  86 +               else if (!strncmp(*argv+8,"users",5))
  87 +                       opt->enforce = ENFORCE_USERS;
  88 +               else if (!strncmp(*argv+8,"all",8))
  89 +                       opt->enforce = ENFORCE_ALL;
  90 +               else if (!strncmp(*argv+8,"everyone",8)) // compatibility
  91 +                       opt->enforce = ENFORCE_ALL;
  92          } else {
  93              pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
  94          }
  95 @@ -512,6 +526,7 @@
  96      options.low_credit = CO_LOW_CREDIT;
  97      options.oth_credit = CO_OTH_CREDIT;
  98      options.use_authtok = CO_USE_AUTHTOK;
  99 +    options.enforce = ENFORCE_USERS;
 100      memset(options.prompt_type, 0, BUFSIZ);
 101      strcpy(options.prompt_type,"UNIX");
 102      memset(options.cracklib_dictpath, 0,
 103 @@ -613,10 +628,21 @@
 104                  if (ctrl & PAM_DEBUG_ARG)
 105                      pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
 106                  pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
 107 -                if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 108 +                if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
 109                      retval = PAM_AUTHTOK_ERR;
 110 -                else
 111 -                    retval = PAM_SUCCESS;
 112 +               else switch (options.enforce) {
 113 +                       case ENFORCE_NONE:
 114 +                               retval = PAM_SUCCESS;
 115 +                               break;
 116 +                       case ENFORCE_USERS:
 117 +                               if (getuid()) retval = PAM_AUTHTOK_ERR;
 118 +                               else retval = PAM_SUCCESS;
 119 +                               break;
 120 +                       case ENFORCE_ALL:
 121 +                       default:
 122 +                               retval = PAM_AUTHTOK_ERR;
 123 +                               break;
 124 +               }
 125              } else {
 126                  /* check it for strength too... */
 127                 D(("for strength"));
 128 @@ -624,10 +650,21 @@
 129                  retval = _pam_unix_approve_pass (pamh, ctrl, &options,
 130                                                  oldtoken, token1);
 131                 if (retval != PAM_SUCCESS) {
 132 -                   if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 133 +                   if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
 134                         retval = PAM_AUTHTOK_ERR;
 135 -                   else
 136 -                       retval = PAM_SUCCESS;
 137 +                       else switch (options.enforce) {
 138 +                               case ENFORCE_NONE:
 139 +                                       retval = PAM_SUCCESS;
 140 +                                       break;
 141 +                               case ENFORCE_USERS:
 142 +                                       if (getuid()) retval = PAM_AUTHTOK_ERR;
 143 +                                       else retval = PAM_SUCCESS;
 144 +                                       break;
 145 +                               case ENFORCE_ALL:
 146 +                               default:
 147 +                                       retval = PAM_AUTHTOK_ERR;
 148 +                                       break;
 149 +                       }
 150                  }
 151              }
 152          }