Accepting request 849441 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/849441 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=227
This commit is contained in:
Josef Möllers
Git OBS Bridge
parent
94ef2ca6a9
commit
6c61940629
@ -1,3 +1,107 @@
|
||||
Index: Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
|
||||
===================================================================
|
||||
--- Linux-PAM-1.4.0.orig/doc/sag/Linux-PAM_SAG.txt
|
||||
+++ Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
|
||||
@@ -1003,6 +1003,14 @@ reject_username
|
||||
Check whether the name of the user in straight or reversed form is
|
||||
contained in the new password. If it is found the new password is rejected.
|
||||
|
||||
+usersubstr=N
|
||||
+
|
||||
+ Reject passwords which contain any substring of N or more consecutive
|
||||
+ characters of the user's name straight or in reverse order.
|
||||
+ N must be at least 4 for this to be applicable.
|
||||
+ Also, usernames shorter than N are not checked.
|
||||
+ If such a substring is found, the password is rejected.
|
||||
+
|
||||
gecoscheck
|
||||
|
||||
Check whether the words from the GECOS field (usually full name of the
|
||||
Index: Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
|
||||
===================================================================
|
||||
--- Linux-PAM-1.4.0.orig/doc/sag/html/sag-pam_cracklib.html
|
||||
+++ Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
|
||||
@@ -198,6 +198,15 @@
|
||||
form is contained in the new password. If it is found the
|
||||
new password is rejected.
|
||||
</p></dd><dt><span class="term">
|
||||
+ <code class="option">usersubstr=<em class="replaceable"><code>N</code></em></code>
|
||||
+ </span></dt><dd><p>
|
||||
+ Reject passwords which contain any substring of N or more
|
||||
+ consecutive characters of the user's name straight or in
|
||||
+ reverse order.
|
||||
+ N must be at least 4 for this to be applicable.
|
||||
+ Also, usernames shorter than N are not checked.
|
||||
+ If such a substring is found, the password is rejected.
|
||||
+ </p></dd><dt><span class="term">
|
||||
<code class="option">gecoscheck</code>
|
||||
</span></dt><dd><p>
|
||||
Check whether the words from the GECOS field (usually full name
|
||||
Index: Linux-PAM-1.4.0/modules/pam_cracklib/README
|
||||
===================================================================
|
||||
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/README
|
||||
+++ Linux-PAM-1.4.0/modules/pam_cracklib/README
|
||||
@@ -179,6 +179,14 @@ reject_username
|
||||
Check whether the name of the user in straight or reversed form is
|
||||
contained in the new password. If it is found the new password is rejected.
|
||||
|
||||
+usersubstr=N
|
||||
+
|
||||
+ Reject passwords which contain any substring of N or more consecutive
|
||||
+ characters of the user's name straight or in reverse order.
|
||||
+ N must be at least 4 for this to be applicable.
|
||||
+ Also, usernames shorter than N are not checked.
|
||||
+ If such a substring is found, the password is rejected.
|
||||
+
|
||||
gecoscheck
|
||||
|
||||
Check whether the words from the GECOS field (usually full name of the
|
||||
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
|
||||
===================================================================
|
||||
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8
|
||||
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
|
||||
@@ -232,6 +232,15 @@ Reject passwords which contain more than
|
||||
Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&.
|
||||
.RE
|
||||
.PP
|
||||
+\fBusersubstr=\fR\fB\fIN\fR\fR
|
||||
+.RS 4
|
||||
+Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in
|
||||
+reverse order\&.
|
||||
+N must be at least 4 for this to be applicable\&.
|
||||
+Also, usernames shorter than N are not checked\&.
|
||||
+If such a substring is found, the password is rejected\&.
|
||||
+.RE
|
||||
+.PP
|
||||
\fBgecoscheck\fR
|
||||
.RS 4
|
||||
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&.
|
||||
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
|
||||
===================================================================
|
||||
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8.xml
|
||||
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
|
||||
@@ -396,6 +396,21 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>usersubstr=<replaceable>N</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Reject passwords which contain any substring of N or more
|
||||
+ consecutive characters of the user's name straight or in
|
||||
+ reverse order. N must be at least 4 for this to be applicable.
|
||||
+ Also, usernames shorter than N are not checked.
|
||||
+ If such a substring is found, the password is rejected.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>
|
||||
<option>gecoscheck</option>
|
||||
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
||||
===================================================================
|
||||
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
|
||||
@ -10,15 +114,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
||||
const char *cracklib_dictpath;
|
||||
};
|
||||
|
||||
@@ -100,6 +101,7 @@ struct cracklib_options {
|
||||
#define CO_LOW_CREDIT 1
|
||||
#define CO_OTH_CREDIT 1
|
||||
#define CO_MIN_WORD_LENGTH 4
|
||||
+#define CO_MIN_WORD_LENGTH 4
|
||||
|
||||
static int
|
||||
_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
|
||||
@@ -185,6 +187,10 @@ _pam_parse (pam_handle_t *pamh, struct c
|
||||
@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
|
||||
if (!*(opt->cracklib_dictpath)) {
|
||||
opt->cracklib_dictpath = CRACKLIB_DICTS;
|
||||
}
|
||||
@ -29,38 +125,37 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
||||
} else {
|
||||
pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
|
||||
}
|
||||
@@ -525,13 +531,54 @@ static int wordcheck(const char *new, ch
|
||||
@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int usercheck(struct cracklib_options *opt, const char *new,
|
||||
+/*
|
||||
+ * RETURNS: True if the password is unacceptable, else false
|
||||
+ */
|
||||
+static int usersubstr(pam_handle_t *pamh, int len, const char *new, char *user)
|
||||
+static int usersubstr(int len, const char *new, char *user)
|
||||
+{
|
||||
+ int i, userlen;
|
||||
+ int bad = 0; // Assume it's OK unless proven otherwise
|
||||
+ int bad = 0; // Assume it's OK unless proven otherwise
|
||||
+ char *subuser = calloc(len+1, sizeof(char));
|
||||
+
|
||||
+ if (subuser == NULL) {
|
||||
+ return 1;
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ userlen = strlen(user);
|
||||
+
|
||||
+ if (len >= CO_MIN_WORD_LENGTH &&
|
||||
+ userlen > len) {
|
||||
+ for(i = 0; !bad && (i <= userlen - len); i++) {
|
||||
+ strncpy(subuser, user+i, len+1);
|
||||
+ subuser[len] = '\0';
|
||||
+ bad = wordcheck(new, subuser);
|
||||
+ }
|
||||
+ userlen > len) {
|
||||
+ for(i = 0; !bad && (i <= userlen - len); i++) {
|
||||
+ strncpy(subuser, user+i, len+1);
|
||||
+ subuser[len] = '\0';
|
||||
+ bad = wordcheck(new, subuser);
|
||||
+ }
|
||||
+ } else {
|
||||
+ // if we already tested substrings, there's no need to test
|
||||
+ // the whole username; all substrings would've been found :)
|
||||
+ if (!bad)
|
||||
+ bad = wordcheck(new, user);
|
||||
+ // if we already tested substrings, there's no need to test
|
||||
+ // the whole username; all substrings would've been found :)
|
||||
+ if (!bad)
|
||||
+ bad = wordcheck(new, user);
|
||||
+ }
|
||||
+
|
||||
+ free(subuser);
|
||||
@ -71,7 +166,7 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
||||
+/*
|
||||
+ * RETURNS: True if the password is unacceptable, else false
|
||||
+ */
|
||||
+static int usercheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new,
|
||||
static int usercheck(struct cracklib_options *opt, const char *new,
|
||||
char *user)
|
||||
{
|
||||
- if (!opt->reject_user)
|
||||
@ -79,21 +174,12 @@ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
||||
+ int bad = 0;
|
||||
+
|
||||
+ if (opt->reject_user)
|
||||
+ bad = wordcheck(new, user);
|
||||
+ bad = wordcheck(new, user);
|
||||
+ if (!bad && opt->user_substr != 0)
|
||||
+ bad = usersubstr(pamh, opt->user_substr, new, user);
|
||||
+ bad = usersubstr(opt->user_substr, new, user);
|
||||
|
||||
- return wordcheck(new, user);
|
||||
+ return bad;
|
||||
}
|
||||
|
||||
static char * str_lower(char *string)
|
||||
@@ -646,7 +693,7 @@ static const char *password_check(pam_ha
|
||||
if (!msg && sequence(opt, new))
|
||||
msg = _("contains too long of a monotonic character sequence");
|
||||
|
||||
- if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
|
||||
+ if (!msg && (usercheck(pamh, opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
|
||||
msg = _("contains the user name in some form");
|
||||
|
||||
free(usermono);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user