From 6c6194062905a9498a5a2f4268283e23d6e5a569e62fe4bcc98e40172c20ccfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20M=C3=B6llers?=
Date: Thu, 19 Nov 2020 13:56:42 +0000
Subject: [PATCH] Accepting request 849441 from
home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/849441
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=227
---
pam-pam_cracklib-add-usersubstr.patch | 158 ++++++++++++++++++++------
1 file changed, 122 insertions(+), 36 deletions(-)
diff --git a/pam-pam_cracklib-add-usersubstr.patch b/pam-pam_cracklib-add-usersubstr.patch
index 977af32..b3f55b1 100644
--- a/pam-pam_cracklib-add-usersubstr.patch
+++ b/pam-pam_cracklib-add-usersubstr.patch
@@ -1,3 +1,107 @@
+Index: Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
+===================================================================
+--- Linux-PAM-1.4.0.orig/doc/sag/Linux-PAM_SAG.txt
++++ Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
+@@ -1003,6 +1003,14 @@ reject_username
+ Check whether the name of the user in straight or reversed form is
+ contained in the new password. If it is found the new password is rejected.
+
++usersubstr=N
++
++ Reject passwords which contain any substring of N or more consecutive
++ characters of the user's name straight or in reverse order.
++ N must be at least 4 for this to be applicable.
++ Also, usernames shorter than N are not checked.
++ If such a substring is found, the password is rejected.
++
+ gecoscheck
+
+ Check whether the words from the GECOS field (usually full name of the
+Index: Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
+===================================================================
+--- Linux-PAM-1.4.0.orig/doc/sag/html/sag-pam_cracklib.html
++++ Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
+@@ -198,6 +198,15 @@
+ form is contained in the new password. If it is found the
+ new password is rejected.
+
++ usersubstr=N
++
++ Reject passwords which contain any substring of N or more
++ consecutive characters of the user's name straight or in
++ reverse order.
++ N must be at least 4 for this to be applicable.
++ Also, usernames shorter than N are not checked.
++ If such a substring is found, the password is rejected.
++
+ gecoscheck
+
+ Check whether the words from the GECOS field (usually full name
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/README
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/README
++++ Linux-PAM-1.4.0/modules/pam_cracklib/README
+@@ -179,6 +179,14 @@ reject_username
+ Check whether the name of the user in straight or reversed form is
+ contained in the new password. If it is found the new password is rejected.
+
++usersubstr=N
++
++ Reject passwords which contain any substring of N or more consecutive
++ characters of the user's name straight or in reverse order.
++ N must be at least 4 for this to be applicable.
++ Also, usernames shorter than N are not checked.
++ If such a substring is found, the password is rejected.
++
+ gecoscheck
+
+ Check whether the words from the GECOS field (usually full name of the
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8
++++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
+@@ -232,6 +232,15 @@ Reject passwords which contain more than
+ Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&.
+ .RE
+ .PP
++\fBusersubstr=\fR\fB\fIN\fR\fR
++.RS 4
++Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in
++reverse order\&.
++N must be at least 4 for this to be applicable\&.
++Also, usernames shorter than N are not checked\&.
++If such a substring is found, the password is rejected\&.
++.RE
++.PP
+ \fBgecoscheck\fR
+ .RS 4
+ Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&.
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8.xml
++++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
+@@ -396,6 +396,21 @@
+
+
+
++
++
++
++
++
++
++ Reject passwords which contain any substring of N or more
++ consecutive characters of the user's name straight or in
++ reverse order. N must be at least 4 for this to be applicable.
++ Also, usernames shorter than N are not checked.
++ If such a substring is found, the password is rejected.
++
++
++
++
+
+
+
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
@@ -10,15 +114,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
const char *cracklib_dictpath;
};
-@@ -100,6 +101,7 @@ struct cracklib_options {
- #define CO_LOW_CREDIT 1
- #define CO_OTH_CREDIT 1
- #define CO_MIN_WORD_LENGTH 4
-+#define CO_MIN_WORD_LENGTH 4
-
- static int
- _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
-@@ -185,6 +187,10 @@ _pam_parse (pam_handle_t *pamh, struct c
+@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
if (!*(opt->cracklib_dictpath)) {
opt->cracklib_dictpath = CRACKLIB_DICTS;
}
@@ -29,38 +125,37 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
} else {
pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
}
-@@ -525,13 +531,54 @@ static int wordcheck(const char *new, ch
+@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
return 0;
}
--static int usercheck(struct cracklib_options *opt, const char *new,
+/*
+ * RETURNS: True if the password is unacceptable, else false
+ */
-+static int usersubstr(pam_handle_t *pamh, int len, const char *new, char *user)
++static int usersubstr(int len, const char *new, char *user)
+{
+ int i, userlen;
-+ int bad = 0; // Assume it's OK unless proven otherwise
++ int bad = 0; // Assume it's OK unless proven otherwise
+ char *subuser = calloc(len+1, sizeof(char));
+
+ if (subuser == NULL) {
-+ return 1;
++ return 1;
+ }
+
+ userlen = strlen(user);
+
+ if (len >= CO_MIN_WORD_LENGTH &&
-+ userlen > len) {
-+ for(i = 0; !bad && (i <= userlen - len); i++) {
-+ strncpy(subuser, user+i, len+1);
-+ subuser[len] = '\0';
-+ bad = wordcheck(new, subuser);
-+ }
++ userlen > len) {
++ for(i = 0; !bad && (i <= userlen - len); i++) {
++ strncpy(subuser, user+i, len+1);
++ subuser[len] = '\0';
++ bad = wordcheck(new, subuser);
++ }
+ } else {
-+ // if we already tested substrings, there's no need to test
-+ // the whole username; all substrings would've been found :)
-+ if (!bad)
-+ bad = wordcheck(new, user);
++ // if we already tested substrings, there's no need to test
++ // the whole username; all substrings would've been found :)
++ if (!bad)
++ bad = wordcheck(new, user);
+ }
+
+ free(subuser);
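Review bot: The `else` branch of the `len >= CO_MIN_WORD_LENGTH && userlen > len` test contradicts both its own comment and the documentation added in the first hunk: it runs only when the substring loop was skipped, so `bad` is always 0 there and the whole username gets checked instead, whereas the docs say N below 4 is "not applicable" and "usernames shorter than N are not checked". The loop also excludes `userlen == len`, which the fallback then covers by accident; changing the guard to `userlen >= len` and dropping the `else` block makes the code match the documented contract and leaves the whole-name check to `reject_username` as intended in `usercheck`. The `strncpy(subuser, user+i, len+1);` plus manual terminator can become `memcpy(subuser, user + i, len);` since `subuser` is calloc'd to `len+1` bytes and the copy stays inside `user` for `i <= userlen - len`. The parsing of `user_substr` is not in view; if it can be negative, `calloc(len+1, ...)` and the comparisons above receive values this function does not guard against, which is worth confirming at the parse site. The body of `usersubstr` continues past the end of this hunk.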
@@ -71,7 +166,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+/*
+ * RETURNS: True if the password is unacceptable, else false
+ */
-+static int usercheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new,
+ static int usercheck(struct cracklib_options *opt, const char *new,
char *user)
{
- if (!opt->reject_user)
@@ -79,21 +174,12 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+ int bad = 0;
+
+ if (opt->reject_user)
-+ bad = wordcheck(new, user);
++ bad = wordcheck(new, user);
+ if (!bad && opt->user_substr != 0)
-+ bad = usersubstr(pamh, opt->user_substr, new, user);
++ bad = usersubstr(opt->user_substr, new, user);
- return wordcheck(new, user);
+ return bad;
}
static char * str_lower(char *string)
-@@ -646,7 +693,7 @@ static const char *password_check(pam_ha
- if (!msg && sequence(opt, new))
- msg = _("contains too long of a monotonic character sequence");
-
-- if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
-+ if (!msg && (usercheck(pamh, opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
- msg = _("contains the user name in some form");
-
- free(usermono);