1 diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README
2 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README 2006-08-24 13:26:55.000000000 +0200
3 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README 2007-02-04 20:18:11.098999356 +0100
6 Path to the cracklib dictionaries.
8 +enforce=[none|users|all]
10 + The module can be configured to warn of weak passwords only, but not
11 + actually enforce strong passwords. The default, none, setting will enforce
12 + strong passwords for non-root users only.
16 For an example of the use of this module, we show how it may be stacked with
17 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8
18 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 2006-08-24 12:04:29.000000000 +0200
19 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8 2007-02-04 19:59:32.105794691 +0100
22 Path to the cracklib dictionaries.
25 +\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR
27 +The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default,
28 +\fInone\fR, setting will enforce strong passwords for non\-root users only.
30 .SH "MODULE TYPES PROVIDED"
33 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml
34 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml 2006-08-24 12:04:29.000000000 +0200
35 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml 2007-02-04 19:53:15.748347303 +0100
42 + <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option>
46 + The module can be configured to warn of weak passwords
47 + only, but not actually enforce strong passwords. The
48 + default, <replaceable>none</replaceable>, setting will
49 + enforce strong passwords for non-root users only.
57 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c
58 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c 2006-11-07 12:00:24.000000000 +0100
59 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c 2007-02-04 19:59:27.217516126 +0100
65 const char *cracklib_dictpath;
69 #define CO_OTH_CREDIT 1
70 #define CO_USE_AUTHTOK 0
72 +#define ENFORCE_NONE 0
73 +#define ENFORCE_USERS 1
74 +#define ENFORCE_ALL 2
77 _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
78 int argc, const char **argv)
80 if (!*(opt->cracklib_dictpath)) {
81 opt->cracklib_dictpath = CRACKLIB_DICTS;
83 + } else if (!strncmp(*argv,"enforce=",8)) {
84 + if (!strncmp(*argv+8,"none",4))
85 + opt->enforce = ENFORCE_NONE;
86 + else if (!strncmp(*argv+8,"users",5))
87 + opt->enforce = ENFORCE_USERS;
88 + else if (!strncmp(*argv+8,"all",8))
89 + opt->enforce = ENFORCE_ALL;
90 + else if (!strncmp(*argv+8,"everyone",8)) // compatibility
91 + opt->enforce = ENFORCE_ALL;
93 pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
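Review bot: The `enforce=` values are matched by prefix with inconsistent lengths, and an unrecognised value appears to be dropped without any log line. `strncmp(*argv+8,"none",4)` accepts any value that merely starts with `none`, whereas `"all"` is compared with length 8 and therefore only matches exactly. A misspelt value matches none of the inner branches and, because the outer `enforce=` branch has already been taken, does not seem to reach the existing `unknown option` message, so the previously set enforcement level stays in effect unnoticed. Compare whole values, e.g. `else if (!strcmp(*argv+8,"users"))`, and close the inner chain with `else pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);` so that a typo in the PAM configuration is visible. `_pam_parse` starts and ends outside the visible lines.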
96 options.up_credit = CO_UP_CREDIT;
97 options.low_credit = CO_LOW_CREDIT;
98 options.oth_credit = CO_OTH_CREDIT;
99 + options.enforce = ENFORCE_USERS;
100 options.cracklib_dictpath = CRACKLIB_DICTS;
102 ctrl = _pam_parse(pamh, &options, argc, argv);
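Review bot: The default assigned here is `ENFORCE_USERS`, but the text this patch adds to README, pam_cracklib.8 and pam_cracklib.8.xml calls `none` the default and says it enforces strong passwords for non-root users. In the switch added further down, one branch returns `PAM_SUCCESS` for a rejected password (its case label is not visible, presumably `ENFORCE_NONE`), so an administrator who follows the documentation and writes `enforce=none` would switch enforcement off rather than keep the default. The three documents should name `users` as the default and describe each value separately, along the lines of `none: warn only; users (default): enforce for non-root users; all: enforce for every caller`. The exact behaviour of `users` and `all` should be confirmed against the full switch, since its conditions are not all visible here.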
103 @@ -613,12 +628,31 @@
104 if (ctrl & PAM_DEBUG_ARG)
105 pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
106 pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg);
107 - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
108 + if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
110 pam_set_item (pamh, PAM_AUTHTOK, NULL);
111 retval = PAM_AUTHTOK_ERR;
114 + switch (options.enforce) {
116 + retval = PAM_SUCCESS;
118 + case ENFORCE_USERS:
120 + pam_set_item (pamh, PAM_AUTHTOK, NULL);
121 + retval = PAM_AUTHTOK_ERR;
123 + else retval = PAM_SUCCESS;
127 + pam_set_item (pamh, PAM_AUTHTOK, NULL);
128 + retval = PAM_AUTHTOK_ERR;
131 + if (retval != PAM_SUCCESS)
135 /* check it for strength too... */
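Review bot: When the enforce setting lets a rejected password through (`retval = PAM_SUCCESS` in the new switch), nothing is written to syslog unless `PAM_DEBUG_ARG` is set, so a weak password accepted in warn-only mode leaves no audit trail. A line such as `pam_syslog(pamh, LOG_NOTICE, "weak password accepted: not enforced by enforce= setting");` in the accepting branches would show operators how often the policy is bypassed; it should not include the password, and probably not `crack_msg` either. The same switch is repeated in the hunk at `@@ -624`, where the same applies, and a small static helper taking `options.enforce` would keep the two copies from drifting apart. Several lines of the switch, including most case labels, are not visible here, so check this against the full file.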
136 @@ -624,12 +650,31 @@
137 retval = _pam_unix_approve_pass (pamh, ctrl, &options,
139 if (retval != PAM_SUCCESS) {
140 - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
141 + if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
143 pam_set_item(pamh, PAM_AUTHTOK, NULL);
144 retval = PAM_AUTHTOK_ERR;
147 + switch (options.enforce) {
149 + retval = PAM_SUCCESS;
151 + case ENFORCE_USERS:
153 + pam_set_item(pamh, PAM_AUTHTOK, NULL);
154 + retval = PAM_AUTHTOK_ERR;
156 + else retval = PAM_SUCCESS;
160 + pam_set_item(pamh, PAM_AUTHTOK, NULL);
161 + retval = PAM_AUTHTOK_ERR;
164 + if (retval != PAM_SUCCESS)