Accepting request 849441 from home:jmoellers:branches:Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/849441 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=227
2020-11-19 13:56:42 +00:00 · 2020-11-19 13:56:42 +00:00 · 6c61940629
commit 6c61940629
parent 94ef2ca6a9
1 changed files with 122 additions and 36 deletions
--- a/pam-pam_cracklib-add-usersubstr.patch
+++ b/pam-pam_cracklib-add-usersubstr.patch
@ -1,3 +1,107 @@
+Index: Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
+===================================================================
+--- Linux-PAM-1.4.0.orig/doc/sag/Linux-PAM_SAG.txt
+++ Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
+@@ -1003,6 +1003,14 @@ reject_username
+     Check whether the name of the user in straight or reversed form is
+     contained in the new password. If it is found the new password is rejected.
+ 
+usersubstr=N
+
+    Reject passwords which contain any substring of N or more consecutive
+    characters of the user's name straight or in reverse order.
+    N must be at least 4 for this to be applicable.
+    Also, usernames shorter than N are not checked.
+    If such a substring is found, the password is rejected.
+
+ gecoscheck
+ 
+     Check whether the words from the GECOS field (usually full name of the
+Index: Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
+===================================================================
+--- Linux-PAM-1.4.0.orig/doc/sag/html/sag-pam_cracklib.html
+++ Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
+@@ -198,6 +198,15 @@
+               form is contained in the new password. If it is found the
+               new password is rejected.
+             </p></dd><dt><span class="term">
+            <code class="option">usersubstr=<em class="replaceable"><code>N</code></em></code>
+          </span></dt><dd><p>
+             Reject passwords which contain any substring of N or more
+             consecutive characters of the user's name straight or in
+             reverse order.
+             N must be at least 4 for this to be applicable.
+             Also, usernames shorter than N are not checked.
+             If such a substring is found, the password is rejected.
+            </p></dd><dt><span class="term">
+             <code class="option">gecoscheck</code>
+           </span></dt><dd><p>
+               Check whether the words from the GECOS field (usually full name
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/README
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/README
+++ Linux-PAM-1.4.0/modules/pam_cracklib/README
+@@ -179,6 +179,14 @@ reject_username
+     Check whether the name of the user in straight or reversed form is
+     contained in the new password. If it is found the new password is rejected.
+ 
+usersubstr=N
+
+    Reject passwords which contain any substring of N or more consecutive
+    characters of the user's name straight or in reverse order.
+    N must be at least 4 for this to be applicable.
+    Also, usernames shorter than N are not checked.
+    If such a substring is found, the password is rejected.
+
+ gecoscheck
+ 
+     Check whether the words from the GECOS field (usually full name of the
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
+@@ -232,6 +232,15 @@ Reject passwords which contain more than
+ Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&.
+ .RE
+ .PP
+\fBusersubstr=\fR\fB\fIN\fR\fR
+.RS 4
+Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in
+reverse order\&.
+N must be at least 4 for this to be applicable\&.
+Also, usernames shorter than N are not checked\&.
+If such a substring is found, the password is rejected\&.
+.RE
+.PP
+ \fBgecoscheck\fR
+ .RS 4
+ Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&.
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8.xml
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
+@@ -396,6 +396,21 @@
+           </listitem>
+         </varlistentry>
+ 
+       <varlistentry>
+         <term>
+           <option>usersubstr=<replaceable>N</replaceable></option>
+         </term>
+         <listitem>
+           <para>
+             Reject passwords which contain any substring of N or more
+             consecutive characters of the user's name straight or in
+             reverse order. N must be at least 4 for this to be applicable.
+             Also, usernames shorter than N are not checked.
+             If such a substring is found, the password is rejected.
+           </para>
+          </listitem>
+       </varlistentry>
+
+         <varlistentry>
+           <term>
+             <option>gecoscheck</option>
 Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
 ===================================================================
 --- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
@ -10,15 +114,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
         const char *cracklib_dictpath;
 };
 
-@@ -100,6 +101,7 @@ struct cracklib_options {
- #define CO_LOW_CREDIT   1
- #define CO_OTH_CREDIT   1
- #define CO_MIN_WORD_LENGTH 4
-+#define CO_MIN_WORD_LENGTH      4
- 
- static int
- _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
-@@ -185,6 +187,10 @@ _pam_parse (pam_handle_t *pamh, struct c
+@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
 	     if (!*(opt->cracklib_dictpath)) {
 		 opt->cracklib_dictpath = CRACKLIB_DICTS;
 	     }
@ -29,38 +125,37 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
 	 } else {
 	     pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
 	 }
-@@ -525,13 +531,54 @@ static int wordcheck(const char *new, ch
+@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
     return 0;
 }
 
-static int usercheck(struct cracklib_options *opt, const char *new,
 +/*
 + * RETURNS: True if the password is unacceptable, else false
 + */
-+static int usersubstr(pam_handle_t *pamh, int len, const char *new, char *user)
+static int usersubstr(int len, const char *new, char *user)
 +{
 +    int i, userlen;
-+    int bad = 0;	// Assume it's OK unless proven otherwise
+    int bad = 0;       // Assume it's OK unless proven otherwise
 +    char *subuser = calloc(len+1, sizeof(char));
 +
 +    if (subuser == NULL) {
-+	return 1;
+       return 1;
 +    }
 +
 +    userlen = strlen(user);
 +
 +    if (len >= CO_MIN_WORD_LENGTH &&
-+	    userlen > len) {
-+	for(i = 0; !bad && (i <= userlen - len); i++) {
-+	    strncpy(subuser, user+i, len+1);
-+	    subuser[len] = '\0';
-+	    bad = wordcheck(new, subuser);
-+	}
+	   userlen > len) {
+       for(i = 0; !bad && (i <= userlen - len); i++) {
+	   strncpy(subuser, user+i, len+1);
+	   subuser[len] = '\0';
+	   bad = wordcheck(new, subuser);
+       }
 +    } else {
-+	// if we already tested substrings, there's no need to test
-+	// the whole username; all substrings would've been found :)
-+	if (!bad)
-+	    bad = wordcheck(new, user);
+       // if we already tested substrings, there's no need to test
+       // the whole username; all substrings would've been found :)
+       if (!bad)
+	   bad = wordcheck(new, user);
 +    }
 +
 +    free(subuser);
@ -71,7 +166,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
 +/*
 + * RETURNS: True if the password is unacceptable, else false
 + */
-+static int usercheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new,
+ static int usercheck(struct cracklib_options *opt, const char *new,
 		     char *user)
 {
 -    if (!opt->reject_user)
@ -79,21 +174,12 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
 +    int bad = 0;
 +
 +    if (opt->reject_user)
-+        bad = wordcheck(new, user);
+	bad = wordcheck(new, user);
 +    if (!bad && opt->user_substr != 0)
-+       bad = usersubstr(pamh, opt->user_substr, new, user);
+	bad = usersubstr(opt->user_substr, new, user);
 
 -    return wordcheck(new, user);
 +    return bad;
 }
 
 static char * str_lower(char *string)
-@@ -646,7 +693,7 @@ static const char *password_check(pam_ha
- 	if (!msg && sequence(opt, new))
- 	        msg = _("contains too long of a monotonic character sequence");
- 
-	if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
-+	if (!msg && (usercheck(pamh, opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
- 	        msg = _("contains the user name in some form");
- 
- 	free(usermono);