pool/pam
SHA256
3
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 849441 from home:jmoellers:branches:Linux-PAM

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/849441
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=227
This commit is contained in:
Josef Möllers 2020-11-19 13:56:42 +00:00 committed by Git OBS Bridge
parent 94ef2ca6a9
commit 6c61940629
1 changed files with 122 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

158
pam-pam_cracklib-add-usersubstr.patch
View File

@ -1,3 +1,107 @@
Index: Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
===================================================================
--- Linux-PAM-1.4.0.orig/doc/sag/Linux-PAM_SAG.txt
+++ Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
@@ -1003,6 +1003,14 @@ reject_username
Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected.
+usersubstr=N
+
+ Reject passwords which contain any substring of N or more consecutive
+ characters of the user's name straight or in reverse order.
+ N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+
gecoscheck
Check whether the words from the GECOS field (usually full name of the
Index: Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
===================================================================
--- Linux-PAM-1.4.0.orig/doc/sag/html/sag-pam_cracklib.html
+++ Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
@@ -198,6 +198,15 @@
form is contained in the new password. If it is found the
new password is rejected.
</p></dd><dt><span class="term">
+ <code class="option">usersubstr=<em class="replaceable"><code>N</code></em></code>
+ </span></dt><dd><p>
+ Reject passwords which contain any substring of N or more
+ consecutive characters of the user's name straight or in
+ reverse order.
+ N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+ </p></dd><dt><span class="term">
<code class="option">gecoscheck</code>
</span></dt><dd><p>
Check whether the words from the GECOS field (usually full name
Index: Linux-PAM-1.4.0/modules/pam_cracklib/README
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/README
+++ Linux-PAM-1.4.0/modules/pam_cracklib/README
@@ -179,6 +179,14 @@ reject_username
Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected.
+usersubstr=N
+
+ Reject passwords which contain any substring of N or more consecutive
+ characters of the user's name straight or in reverse order.
+ N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+
gecoscheck
Check whether the words from the GECOS field (usually full name of the
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
@@ -232,6 +232,15 @@ Reject passwords which contain more than
Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&.
.RE
.PP
+\fBusersubstr=\fR\fB\fIN\fR\fR
+.RS 4
+Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in
+reverse order\&.
+N must be at least 4 for this to be applicable\&.
+Also, usernames shorter than N are not checked\&.
+If such a substring is found, the password is rejected\&.
+.RE
+.PP
\fBgecoscheck\fR
.RS 4
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&.
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8.xml
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
@@ -396,6 +396,21 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>usersubstr=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain any substring of N or more
+ consecutive characters of the user's name straight or in
+ reverse order. N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>
<option>gecoscheck</option>
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
=================================================================== ===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c --- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
@ -10,15 +114,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
const char *cracklib_dictpath; const char *cracklib_dictpath;
}; };
@@ -100,6 +101,7 @@ struct cracklib_options { @@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
#define CO_LOW_CREDIT 1
#define CO_OTH_CREDIT 1
#define CO_MIN_WORD_LENGTH 4
+#define CO_MIN_WORD_LENGTH 4
static int
_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
@@ -185,6 +187,10 @@ _pam_parse (pam_handle_t *pamh, struct c
if (!*(opt->cracklib_dictpath)) { if (!*(opt->cracklib_dictpath)) {
opt->cracklib_dictpath = CRACKLIB_DICTS; opt->cracklib_dictpath = CRACKLIB_DICTS;
} }
@ -29,38 +125,37 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
} else { } else {
pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
} }
@@ -525,13 +531,54 @@ static int wordcheck(const char *new, ch @@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
return 0; return 0;
} }
-static int usercheck(struct cracklib_options *opt, const char *new,
+/* +/*
+ * RETURNS: True if the password is unacceptable, else false + * RETURNS: True if the password is unacceptable, else false
+ */ + */
+static int usersubstr(pam_handle_t *pamh, int len, const char *new, char *user) +static int usersubstr(int len, const char *new, char *user)
+{ +{
+ int i, userlen; + int i, userlen;
+ int bad = 0; // Assume it's OK unless proven otherwise + int bad = 0; // Assume it's OK unless proven otherwise
+ char *subuser = calloc(len+1, sizeof(char)); + char *subuser = calloc(len+1, sizeof(char));
+ +
+ if (subuser == NULL) { + if (subuser == NULL) {
+ return 1; + return 1;
+ } + }
+ +
+ userlen = strlen(user); + userlen = strlen(user);
+ +
+ if (len >= CO_MIN_WORD_LENGTH && + if (len >= CO_MIN_WORD_LENGTH &&
+ userlen > len) { + userlen > len) {
+ for(i = 0; !bad && (i <= userlen - len); i++) { + for(i = 0; !bad && (i <= userlen - len); i++) {
+ strncpy(subuser, user+i, len+1); + strncpy(subuser, user+i, len+1);
+ subuser[len] = '\0'; + subuser[len] = '\0';
+ bad = wordcheck(new, subuser); + bad = wordcheck(new, subuser);
+ } + }
+ } else { + } else {
+ // if we already tested substrings, there's no need to test + // if we already tested substrings, there's no need to test
+ // the whole username; all substrings would've been found :) + // the whole username; all substrings would've been found :)
+ if (!bad) + if (!bad)
+ bad = wordcheck(new, user); + bad = wordcheck(new, user);
+ } + }
+ +
+ free(subuser); + free(subuser);
@ -71,7 +166,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+/* +/*
+ * RETURNS: True if the password is unacceptable, else false + * RETURNS: True if the password is unacceptable, else false
+ */ + */
+static int usercheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new, static int usercheck(struct cracklib_options *opt, const char *new,
char *user) char *user)
{ {
- if (!opt->reject_user) - if (!opt->reject_user)
@ -79,21 +174,12 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+ int bad = 0; + int bad = 0;
+ +
+ if (opt->reject_user) + if (opt->reject_user)
+ bad = wordcheck(new, user); + bad = wordcheck(new, user);
+ if (!bad && opt->user_substr != 0) + if (!bad && opt->user_substr != 0)
+ bad = usersubstr(pamh, opt->user_substr, new, user); + bad = usersubstr(opt->user_substr, new, user);
- return wordcheck(new, user); - return wordcheck(new, user);
+ return bad; + return bad;
} }
static char * str_lower(char *string) static char * str_lower(char *string)
@@ -646,7 +693,7 @@ static const char *password_check(pam_ha
if (!msg && sequence(opt, new))
msg = _("contains too long of a monotonic character sequence");
- if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
+ if (!msg && (usercheck(pamh, opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
msg = _("contains the user name in some form");
free(usermono);