
Accepting request 849441 from home:jmoellers:branches:Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/849441
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=227
Josef Möllers 2020-11-19 13:56:42 +00:00 committed by Git OBS Bridge
parent 94ef2ca6a9
commit 6c61940629


@ -1,3 +1,107 @@
Index: Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
===================================================================
--- Linux-PAM-1.4.0.orig/doc/sag/Linux-PAM_SAG.txt
+++ Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
@@ -1003,6 +1003,14 @@ reject_username
Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected.
+usersubstr=N
+
+ Reject passwords which contain any substring of N or more consecutive
+ characters of the user's name straight or in reverse order.
+ N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+
gecoscheck
Check whether the words from the GECOS field (usually full name of the
Index: Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
===================================================================
--- Linux-PAM-1.4.0.orig/doc/sag/html/sag-pam_cracklib.html
+++ Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
@@ -198,6 +198,15 @@
form is contained in the new password. If it is found the
new password is rejected.
</p></dd><dt><span class="term">
+ <code class="option">usersubstr=<em class="replaceable"><code>N</code></em></code>
+ </span></dt><dd><p>
+ Reject passwords which contain any substring of N or more
+ consecutive characters of the user's name straight or in
+ reverse order.
+ N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+ </p></dd><dt><span class="term">
<code class="option">gecoscheck</code>
</span></dt><dd><p>
Check whether the words from the GECOS field (usually full name
Index: Linux-PAM-1.4.0/modules/pam_cracklib/README
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/README
+++ Linux-PAM-1.4.0/modules/pam_cracklib/README
@@ -179,6 +179,14 @@ reject_username
Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected.
+usersubstr=N
+
+ Reject passwords which contain any substring of N or more consecutive
+ characters of the user's name straight or in reverse order.
+ N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+
gecoscheck
Check whether the words from the GECOS field (usually full name of the
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
@@ -232,6 +232,15 @@ Reject passwords which contain more than
Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&.
.RE
.PP
+\fBusersubstr=\fR\fB\fIN\fR\fR
+.RS 4
+Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in
+reverse order\&.
+N must be at least 4 for this to be applicable\&.
+Also, usernames shorter than N are not checked\&.
+If such a substring is found, the password is rejected\&.
+.RE
+.PP
\fBgecoscheck\fR
.RS 4
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&.
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8.xml
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
@@ -396,6 +396,21 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>usersubstr=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain any substring of N or more
+ consecutive characters of the user's name straight or in
+ reverse order. N must be at least 4 for this to be applicable.
+ Also, usernames shorter than N are not checked.
+ If such a substring is found, the password is rejected.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>
<option>gecoscheck</option>
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
=================================================================== ===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c --- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
@ -10,15 +114,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
const char *cracklib_dictpath; const char *cracklib_dictpath;
}; };
@@ -100,6 +101,7 @@ struct cracklib_options { @@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
#define CO_LOW_CREDIT 1
#define CO_OTH_CREDIT 1
#define CO_MIN_WORD_LENGTH 4
+#define CO_MIN_WORD_LENGTH 4
static int
_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
@@ -185,6 +187,10 @@ _pam_parse (pam_handle_t *pamh, struct c
if (!*(opt->cracklib_dictpath)) { if (!*(opt->cracklib_dictpath)) {
opt->cracklib_dictpath = CRACKLIB_DICTS; opt->cracklib_dictpath = CRACKLIB_DICTS;
} }
@ -29,15 +125,14 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
} else { } else {
pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
} }
@@ -525,13 +531,54 @@ static int wordcheck(const char *new, ch @@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
return 0; return 0;
} }
-static int usercheck(struct cracklib_options *opt, const char *new,
+/* +/*
+ * RETURNS: True if the password is unacceptable, else false + * RETURNS: True if the password is unacceptable, else false
+ */ + */
+static int usersubstr(pam_handle_t *pamh, int len, const char *new, char *user) +static int usersubstr(int len, const char *new, char *user)
+{ +{
+ int i, userlen; + int i, userlen;
+ int bad = 0; // Assume it's OK unless proven otherwise + int bad = 0; // Assume it's OK unless proven otherwise
@ -71,7 +166,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+/* +/*
+ * RETURNS: True if the password is unacceptable, else false + * RETURNS: True if the password is unacceptable, else false
+ */ + */
+static int usercheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new, static int usercheck(struct cracklib_options *opt, const char *new,
char *user) char *user)
{ {
- if (!opt->reject_user) - if (!opt->reject_user)
@ -81,19 +176,10 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+ if (opt->reject_user) + if (opt->reject_user)
+ bad = wordcheck(new, user); + bad = wordcheck(new, user);
+ if (!bad && opt->user_substr != 0) + if (!bad && opt->user_substr != 0)
+ bad = usersubstr(pamh, opt->user_substr, new, user); + bad = usersubstr(opt->user_substr, new, user);
- return wordcheck(new, user); - return wordcheck(new, user);
+ return bad; + return bad;
} }
static char * str_lower(char *string) static char * str_lower(char *string)
@@ -646,7 +693,7 @@ static const char *password_check(pam_ha
if (!msg && sequence(opt, new))
msg = _("contains too long of a monotonic character sequence");
- if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
+ if (!msg && (usercheck(pamh, opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
msg = _("contains the user name in some form");
free(usermono);
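Review bot: In the revised `usercheck`, the only visible gate on the new test is `opt->user_substr != 0`, yet the documentation added in this same patch says N must be at least 4 and that user names shorter than N are not checked, and nothing visible reports either case. An administrator who sets `usersubstr=3`, or whose accounts have short names, would then have a password rule that looks configured but never fires. The `_pam_parse` lines that read the option and the body of `usersubstr` are collapsed in this view, so I cannot see whether small values are clamped or logged. If they are silently ignored, I would log that from the parser, which still has `pamh` after this revision dropped it from `usersubstr` and `usercheck`, e.g. `pam_syslog(pamh, LOG_ERR, "pam_parse: usersubstr value below 4 is ignored; %s", *argv);`. The option text could also state the outcome instead of "for this to be applicable", for instance `Values of N below 4 turn this check off.`, if that matches what the parser does.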