- updated to 1.1.1
1 diff -urN -x .libs -x .deps Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README Linux-PAM-0.99.7.1/modules/pam_cracklib/README
2 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/README 2006-08-24 13:26:55.000000000 +0200
3 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/README      2007-02-04 20:18:11.098999356 +0100
4 @@ -162,6 +162,12 @@
5  
6      Path to the cracklib dictionaries.
7  
8 +enforce=[none|users|all]
9 +
10 +    The module can be configured to warn of weak passwords only, but not
11 +    actually enforce strong passwords. The default, none, setting will enforce
12 +    strong passwords for non-root users only.
13 +
14  EXAMPLES
15  
16  For an example of the use of this module, we show how it may be stacked with
17 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8
18 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8 2006-08-24 12:04:29.000000000 +0200
19 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8      2007-02-04 19:59:32.105794691 +0100
20 @@ -167,6 +198,12 @@
21  .RS 4
22  Path to the cracklib dictionaries.
23  .RE
24 +.PP
25 +\fBenforce=[\fR\fB\fInone\fR\fR\fB|\fR\fB\fIusers\fR\fR\fB|\fR\fB\fIall\fR\fR\fB]\fR
26 +.RS 4
27 +The module can be configured to warn of weak passwords only, but not actually enforce strong passwords. The default,
28 +\fInone\fR, setting will enforce strong passwords for non\-root users only.
29 +.RE
30  .SH "MODULE TYPES PROVIDED"
31  .PP
32  Only the
33 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml
34 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.8.xml     2006-08-24 12:04:29.000000000 +0200
35 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.8.xml  2007-02-04 19:53:15.748347303 +0100
36 @@ -354,6 +354,20 @@
37            </listitem>
38          </varlistentry>
39  
40 +        <varlistentry>
41 +          <term>
42 +           <option>enforce=[<replaceable>none</replaceable>|<replaceable>users</replaceable>|<replaceable>all</replaceable>]</option>
43 +          </term>
44 +          <listitem>
45 +            <para>
46 +             The module can be configured to warn of weak passwords
47 +             only, but not actually enforce strong passwords.  The
48 +             default, <replaceable>none</replaceable>, setting will
49 +             enforce strong passwords for non-root users only.
50 +            </para>
51 +          </listitem>
52 +        </varlistentry>
53 +
54        </variablelist>
55      </para>
56    </refsect1>
57 diff -urN Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c
58 --- Linux-PAM-0.99.7.1.orig/modules/pam_cracklib/pam_cracklib.c 2006-11-07 12:00:24.000000000 +0100
59 +++ Linux-PAM-0.99.7.1/modules/pam_cracklib/pam_cracklib.c      2007-02-04 19:59:27.217516126 +0100
60 @@ -93,6 +93,7 @@
61          int min_class;
62         int max_repeat;
63         int reject_user;
64 +       int enforce;
65          const char *cracklib_dictpath;
66  };
67  
68 @@ -108,6 +109,10 @@
69  #define CO_OTH_CREDIT   1
70  #define CO_USE_AUTHTOK  0
71  
72 +#define ENFORCE_NONE   0
73 +#define ENFORCE_USERS  1
74 +#define ENFORCE_ALL    2
75 +
76  static int
77  _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
78              int argc, const char **argv)
79 @@ -161,6 +166,15 @@
80              if (!*(opt->cracklib_dictpath)) {
81                  opt->cracklib_dictpath = CRACKLIB_DICTS;
82              }
83 +        } else if (!strncmp(*argv,"enforce=",8)) {
84 +               if (!strncmp(*argv+8,"none",4))
85 +                       opt->enforce = ENFORCE_NONE;
86 +               else if (!strncmp(*argv+8,"users",5))
87 +                       opt->enforce = ENFORCE_USERS;
88 +               else if (!strncmp(*argv+8,"all",8))
89 +                       opt->enforce = ENFORCE_ALL;
90 +               else if (!strncmp(*argv+8,"everyone",8)) // compatibility
91 +                       opt->enforce = ENFORCE_ALL;
92          } else {
93              pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
94          }
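Review bot: The value matching in the new `enforce=` branch is inconsistent and fails silently. `none`, `users` and `everyone` are prefix matches, so a value such as `enforce=nonexistent` selects ENFORCE_NONE and turns rejection off, while `all` is compared with length 8 and therefore only matches exactly. An unrecognised value falls through every `else if` without a log line and leaves whatever default the caller set. Compare the whole value, e.g. `if (!strcmp(*argv+8,"none"))`, and end the chain with `else pam_syslog(pamh,LOG_ERR,"pam_parse: unknown enforce value; %s",*argv);`. _pam_parse starts and ends outside this hunk.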
95 @@ -512,6 +526,7 @@
96      options.up_credit = CO_UP_CREDIT;
97      options.low_credit = CO_LOW_CREDIT;
98      options.oth_credit = CO_OTH_CREDIT;
99 +    options.enforce = ENFORCE_USERS;
100      options.cracklib_dictpath = CRACKLIB_DICTS;
101  
102      ctrl = _pam_parse(pamh, &options, argc, argv);
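Review bot: The default set here is ENFORCE_USERS, but the README, man page and XML hunks of this same patch all say "The default, none, setting will enforce strong passwords for non-root users only", which names the warn-only value as the default. An administrator reading that text could conclude that `enforce=none` keeps enforcement for ordinary users, whereas the switch added further down makes `none` accept a rejected password for every caller. The documentation should read along the lines of `The default, users, enforces strong passwords for non-root users only; none only warns; all also enforces for root.` A comment here such as `/* default keeps the pre-patch behaviour: enforce for non-root callers */` would tie the code to the removed `getuid() ||` test. The enclosing function starts and ends outside the hunk.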
103 @@ -613,12 +628,31 @@
104             if (ctrl & PAM_DEBUG_ARG)
105               pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
106             pam_error (pamh, _("BAD PASSWORD: %s"), crack_msg);
107 -           if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
108 +           if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
109               {
110                 pam_set_item (pamh, PAM_AUTHTOK, NULL);
111                 retval = PAM_AUTHTOK_ERR;
112                 continue;
113               }
114 +               switch (options.enforce) {
115 +                       case ENFORCE_NONE:
116 +                               retval = PAM_SUCCESS;
117 +                               break;
118 +                       case ENFORCE_USERS:
119 +                               if (getuid()) {
120 +                                       pam_set_item (pamh, PAM_AUTHTOK, NULL);
121 +                                       retval = PAM_AUTHTOK_ERR;
122 +                               }
123 +                               else retval = PAM_SUCCESS;
124 +                               break;
125 +                       case ENFORCE_ALL:
126 +                       default:
127 +                               pam_set_item (pamh, PAM_AUTHTOK, NULL);
128 +                               retval = PAM_AUTHTOK_ERR;
129 +                               break;
130 +               }
131 +               if (retval != PAM_SUCCESS)
132 +                       continue;
133           }
134  
135           /* check it for strength too... */
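Review bot: The enforce `switch` added here is repeated line for line in the next hunk, after the `_pam_unix_approve_pass` failure, so two copies of one password-policy decision can drift apart. A small static helper called from both places would keep them identical. The helper's comment should say that `getuid()` tests the real UID of the calling process, not the account whose password is being changed, so under ENFORCE_USERS any root-run caller only gets a warning. The mixed tab/space indentation and the one-line `else retval = PAM_SUCCESS;` also differ from the surrounding code. The enclosing function starts and ends outside the hunk.

```c
/* Decide whether a rejected password blocks the change under the
 * configured enforce level.  getuid() is the real UID of the calling
 * process, not the target account.  Clears PAM_AUTHTOK when blocking. */
static int
enforce_result (pam_handle_t *pamh, const struct cracklib_options *opt)
{
    if (opt->enforce == ENFORCE_NONE
        || (opt->enforce == ENFORCE_USERS && getuid() == 0))
        return PAM_SUCCESS;        /* warn only */

    /* ENFORCE_ALL, non-root under ENFORCE_USERS, or an unknown level */
    pam_set_item (pamh, PAM_AUTHTOK, NULL);
    return PAM_AUTHTOK_ERR;
}

/* … unchanged: pam_error and the PAM_CHANGE_EXPIRED_AUTHTOK branch … */
            retval = enforce_result (pamh, &options);
            if (retval != PAM_SUCCESS)
                continue;
```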
136 @@ -624,12 +650,31 @@
137           retval = _pam_unix_approve_pass (pamh, ctrl, &options,
138                                            oldtoken, newtoken);
139           if (retval != PAM_SUCCESS) {
140 -           if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
141 +           if (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
142               {
143                 pam_set_item(pamh, PAM_AUTHTOK, NULL);
144                 retval = PAM_AUTHTOK_ERR;
145                 continue;
146               }
147 +               switch (options.enforce) {
148 +                       case ENFORCE_NONE:
149 +                               retval = PAM_SUCCESS;
150 +                               break;
151 +                       case ENFORCE_USERS:
152 +                               if (getuid()) {
153 +                                       pam_set_item(pamh, PAM_AUTHTOK, NULL);
154 +                                       retval = PAM_AUTHTOK_ERR;
155 +                               }
156 +                               else retval = PAM_SUCCESS;
157 +                               break;
158 +                       case ENFORCE_ALL:
159 +                       default:
160 +                               pam_set_item(pamh, PAM_AUTHTOK, NULL);
161 +                               retval = PAM_AUTHTOK_ERR;
162 +                               break;
163 +               }
164 +               if (retval != PAM_SUCCESS)
165 +                       continue;
166           }
167           return PAM_SUCCESS;
168          }
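Review bot: When the enforce level lets a rejected password through on this path, `retval` is reset and control reaches `return PAM_SUCCESS;` with nothing written to syslog in the visible lines. A weak password accepted under `enforce=none`, or by root under `users`, therefore leaves no audit record unless `_pam_unix_approve_pass` logs on its own, which this hunk does not show. A line such as `pam_syslog(pamh, LOG_NOTICE, "weak password accepted, enforce level %d", options.enforce);` in the accepting branches would close that gap; it must not include the password itself. The cracklib path in the previous hunk has the same gap, since its only log call sits behind `PAM_DEBUG_ARG`. The enclosing function starts outside the hunk.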