1 diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README
2 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README 2006-08-24 13:26:55.000000000 +0200
3 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README 2007-02-04 20:18:11.098999356 +0100
6 Path to the cracklib dictionaries.
8 +enforce=[none|users|all]
10 + The module can be configured to warn of weak passwords only, but not
11 + actually enforce strong passwords. The default, none, setting will enforce
12 + strong passwords for non-root users only.
16 For an example of the use of this module, we show how it may be stacked with
17 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8
18 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 2006-08-24 12:04:29.000000000 +0200
19 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8 2007-02-04 19:59:32.105794691 +0100
22 Path to the cracklib dictionaries.
25 +\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR
27 +The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default,
28 +\fInone\fR, setting will enforce strong passwords for non\-root users only.
30 .SH "MODULE SERVICES PROVIDED"
33 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml
34 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml 2006-08-24 12:04:29.000000000 +0200
35 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml 2007-02-04 19:53:15.748347303 +0100
42 + <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option>
46 + The module can be configured to warn of weak passwords
47 + only, but not actually enforce strong passwords. The
48 + default, <replaceable>none</replaceable>, setting will
49 + enforce strong passwords for non-root users only.
57 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c
58 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c 2006-11-07 12:00:24.000000000 +0100
59 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c 2007-02-04 19:59:27.217516126 +0100
65 char prompt_type[BUFSIZ];
66 char cracklib_dictpath[PATH_MAX];
69 #define CO_OTH_CREDIT 1
70 #define CO_USE_AUTHTOK 0
72 +#define ENFORCE_NONE 0
73 +#define ENFORCE_USERS 1
74 +#define ENFORCE_ALL 2
77 _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
78 int argc, const char **argv)
80 if (!*(opt->cracklib_dictpath)) {
81 opt->cracklib_dictpath = CRACKLIB_DICTS;
83 + } else if (!strncmp(*argv,"enforce=",8)) {
84 + if (!strncmp(*argv+8,"none",4))
85 + opt->enforce = ENFORCE_NONE;
86 + else if (!strncmp(*argv+8,"users",5))
87 + opt->enforce = ENFORCE_USERS;
88 + else if (!strncmp(*argv+8,"all",8))
89 + opt->enforce = ENFORCE_ALL;
90 + else if (!strncmp(*argv+8,"everyone",8)) // compatibility
91 + opt->enforce = ENFORCE_ALL;
93 pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
96 options.low_credit = CO_LOW_CREDIT;
97 options.oth_credit = CO_OTH_CREDIT;
98 options.use_authtok = CO_USE_AUTHTOK;
99 + options.enforce = ENFORCE_USERS;
100 memset(options.prompt_type, 0, BUFSIZ);
101 strcpy(options.prompt_type,"UNIX");
102 memset(options.cracklib_dictpath, 0,
103 @@ -613,10 +628,21 @@
104 if (ctrl & PAM_DEBUG_ARG)
105 pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
106 pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
107 - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
108 + if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
109 retval = PAM_AUTHTOK_ERR;
111 - retval = PAM_SUCCESS;
112 + else switch (options.enforce) {
114 + retval = PAM_SUCCESS;
116 + case ENFORCE_USERS:
117 + if (getuid()) retval = PAM_AUTHTOK_ERR;
118 + else retval = PAM_SUCCESS;
122 + retval = PAM_AUTHTOK_ERR;
126 /* check it for strength too... */
128 @@ -624,10 +650,21 @@
129 retval = _pam_unix_approve_pass (pamh, ctrl, &options,
131 if (retval != PAM_SUCCESS) {
132 - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
133 + if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
134 retval = PAM_AUTHTOK_ERR;
136 - retval = PAM_SUCCESS;
137 + else switch (options.enforce) {
139 + retval = PAM_SUCCESS;
141 + case ENFORCE_USERS:
142 + if (getuid()) retval = PAM_AUTHTOK_ERR;
143 + else retval = PAM_SUCCESS;
147 + retval = PAM_AUTHTOK_ERR;