Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c |
| 2 | --- pam_passwdqc-1.0.5-orig/pam_passwdqc.c 2008-02-12 15:11:13.000000000 -0500 |
| 3 | +++ pam_passwdqc-1.0.5/pam_passwdqc.c 2009-09-28 12:10:32.171696694 -0400 |
| 4 | @@ -70,6 +70,8 @@ typedef struct { |
| 5 | passwdqc_params_t qc; |
| 6 | int flags; |
| 7 | int retry; |
| 8 | + char oldpass_prompt_file[FILE_LEN+1]; |
| 9 | + char newpass_prompt_file[FILE_LEN+1]; |
| 10 | } params_t; |
| 11 | |
| 12 | static params_t defaults = { |
| 13 | @@ -79,10 +81,13 @@ static params_t defaults = { |
| 14 | 3, /* passphrase_words */ |
| 15 | 4, /* match_length */ |
| 16 | 1, /* similar_deny */ |
| 17 | - 42 /* random_bits */ |
| 18 | + 42, /* random_bits */ |
| 19 | + 1 /* firstupper_lastdigit_check */ |
| 20 | }, |
| 21 | F_ENFORCE_EVERYONE, /* flags */ |
| 22 | - 3 /* retry */ |
| 23 | + 3, /* retry */ |
| 24 | + "", /* oldpass_prompt_file */ |
| 25 | + "" /* newpass_prompt_file */ |
| 26 | }; |
| 27 | |
| 28 | #define PROMPT_OLDPASS \ |
| 29 | @@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h |
| 30 | if (!strcmp(*argv, "use_authtok")) { |
| 31 | params->flags |= F_USE_AUTHTOK; |
| 32 | } else |
| 33 | + if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) { |
| 34 | + params->qc.firstupper_lastdigit_check = 0; |
| 35 | + } else |
| 36 | + if (!strncmp(*argv, "oldpass_prompt_file=", 20)) { |
| 37 | + int n; |
| 38 | + FILE *fp = fopen(*argv + 20, "r"); |
| 39 | + if (fp) { |
| 40 | + n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp); |
| 41 | + if (0==n || ferror(fp)!=0 ) { |
| 42 | + memset(params->oldpass_prompt_file, '\0', FILE_LEN+1); |
| 43 | + } |
| 44 | + else { |
| 45 | + feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0'); |
| 46 | + } |
| 47 | + fclose(fp); |
| 48 | + } |
| 49 | + } else |
| 50 | + if (!strncmp(*argv, "newpass_prompt_file=", 20)) { |
| 51 | + int n; |
| 52 | + FILE *fp = fopen(*argv + 20, "r"); |
| 53 | + if (fp) { |
| 54 | + n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp); |
| 55 | + if (0==n || ferror(fp)!=0 ) { |
| 56 | + memset(params->newpass_prompt_file, '\0', FILE_LEN+1); |
| 57 | + } |
| 58 | + else { |
| 59 | + feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0'); |
| 60 | + } |
| 61 | + fclose(fp); |
| 62 | + } |
| 63 | + } else |
| 64 | break; |
| 65 | argc--; argv++; |
| 66 | } |
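Review bot: The EOF branch at the `feof(fp) ? ... : ...` lines unconditionally drops the last byte read, so a prompt file that does not end in a newline loses its final character, while a file of exactly FILE_LEN bytes (where fread() returns a full buffer without setting the EOF indicator) keeps its trailing newline — the two branches are inconsistent and neither actually tests for '\n'. `n` is also declared `int` while fread() returns `size_t`. A failed fopen() is silently ignored, so a mistyped path in pam.d falls back to the built-in prompt with no trace; parse() already receives `pamh`, so logging through whatever the module uses elsewhere would be worth considering (I cannot see that from this hunk). The two option bodies are identical apart from the destination buffer, so I would factor them into one static helper that strips at most one trailing newline and leaves the buffer empty on any failure; parse() itself starts and ends outside this hunk.
```c
/* Read a prompt override from `path` into `buf` (FILE_LEN + 1 bytes).
 * Strips at most one trailing newline; leaves buf empty on any failure. */
static void read_prompt_file(char *buf, const char *path)
{
	FILE *fp = fopen(path, "r");
	size_t n;

	buf[0] = '\0';
	if (!fp)
		return;
	n = fread(buf, 1, FILE_LEN, fp);
	if (n == 0 || ferror(fp))
		n = 0;
	else if (buf[n - 1] == '\n')
		n--;
	buf[n] = '\0';
	fclose(fp);
}

	/* … unchanged: earlier option parsing in parse() … */
	if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
		read_prompt_file(params->oldpass_prompt_file, *argv + 20);
	} else
	if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
		read_prompt_file(params->newpass_prompt_file, *argv + 20);
	} else
```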
| 67 | @@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand |
| 68 | |
| 69 | if (ask_oldauthtok && !am_root(pamh)) { |
| 70 | status = converse(pamh, PAM_PROMPT_ECHO_OFF, |
| 71 | - PROMPT_OLDPASS, &resp); |
| 72 | + strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp); |
| 73 | |
| 74 | if (status == PAM_SUCCESS) { |
| 75 | if (resp && resp->resp) { |
| 76 | @@ -540,8 +576,7 @@ retry: |
| 77 | MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED); |
| 78 | return PAM_AUTHTOK_ERR; |
| 79 | } |
| 80 | - |
| 81 | - status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp); |
| 82 | + status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp); |
| 83 | if (status == PAM_SUCCESS && (!resp || !resp->resp)) |
| 84 | status = PAM_AUTHTOK_ERR; |
| 85 | |
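Review bot: The new converse() call packs the prompt selection into one ~130-column line and also drops the blank line that separated the error return from the prompt; both hurt readability for what is a one-line change. Hoist the choice into a local, e.g. `const char *prompt = params.newpass_prompt_file[0] ? params.newpass_prompt_file : PROMPT_NEWPASS1;` followed by `status = converse(pamh, PAM_PROMPT_ECHO_OFF, prompt, &resp);`, and keep the blank line. Testing `[0]` instead of `strlen()` avoids scanning up to 4 KiB just to ask "is it empty"; the same applies to the oldpass prompt site in the earlier hunk. The enclosing pam_sm_chauthtok() body starts and ends outside this hunk.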
| 86 | diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c |
| 87 | --- pam_passwdqc-1.0.5-orig/passwdqc_check.c 2008-02-12 14:31:52.000000000 -0500 |
| 88 | +++ pam_passwdqc-1.0.5/passwdqc_check.c 2009-09-25 22:45:16.080842425 -0400 |
| 89 | @@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t * |
| 90 | |
| 91 | /* Upper case characters and digits used in common ways don't increase the |
| 92 | * strength of a password */ |
| 93 | - c = (unsigned char)newpass[0]; |
| 94 | - if (uppers && isascii(c) && isupper(c)) uppers--; |
| 95 | - c = (unsigned char)newpass[length - 1]; |
| 96 | - if (digits && isascii(c) && isdigit(c)) digits--; |
| 97 | + if (params->firstupper_lastdigit_check) { |
| 98 | + c = (unsigned char)newpass[0]; |
| 99 | + if (uppers && isascii(c) && isupper(c)) uppers--; |
| 100 | + c = (unsigned char)newpass[length - 1]; |
| 101 | + if (digits && isascii(c) && isdigit(c)) digits--; |
| 102 | + } |
| 103 | |
| 104 | /* Count the number of different character classes we've seen. We assume |
| 105 | * that there are no non-ASCII characters for digits. */ |
| 106 | diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h |
| 107 | --- pam_passwdqc-1.0.5-orig/passwdqc.h 2008-02-12 14:30:00.000000000 -0500 |
| 108 | +++ pam_passwdqc-1.0.5/passwdqc.h 2009-09-25 14:08:56.214695858 -0400 |
| 109 | @@ -7,12 +7,15 @@ |
| 110 | |
| 111 | #include <pwd.h> |
| 112 | |
| 113 | +#define FILE_LEN 4096 /* Max file len = 4096 */ |
| 114 | + |
| 115 | typedef struct { |
| 116 | int min[5], max; |
| 117 | int passphrase_words; |
| 118 | int match_length; |
| 119 | int similar_deny; |
| 120 | int random_bits; |
| 121 | + int firstupper_lastdigit_check; |
| 122 | } passwdqc_params_t; |
| 123 | |
| 124 | extern char _passwdqc_wordset_4k[0x1000][6]; |
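Review bot: The polarity of the new `firstupper_lastdigit_check` field is fail-open: any consumer of the public `passwdqc_params_t` that still initialises the struct positionally or with memset() gets 0 for the new member, which silently disables the first-upper/last-digit discount and makes e.g. `Password1` count as three character classes. Inverting it to a `disable_*` flag (0 = keep the check, the historical behaviour) would make an uninitialised field preserve the stricter default; I cannot see from this patch whether other users of the header exist, so treat that as a suggestion to confirm. Separately, `FILE_LEN` is a very generic name to export from a public header and its comment only restates the value; `PASSWDQC_PROMPT_FILE_LEN` with `/* max bytes read from an {old,new}pass_prompt_file; buffers hold one extra byte for the terminator */` would say what it bounds (the pam_passwdqc.c uses would need the same rename).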
| 125 | diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README |
| 126 | --- pam_passwdqc-1.0.5-orig/README 2008-02-12 14:43:33.000000000 -0500 |
| 127 | +++ pam_passwdqc-1.0.5/README 2009-09-28 12:12:40.251016423 -0400 |
| 128 | @@ -41,9 +41,12 @@ words (see the "passphrase" option below |
| 129 | N3 and N4 are used for passwords consisting of characters from three |
| 130 | and four character classes, respectively. |
| 131 | |
| 132 | + disable_firstupper_lastdigit_check [] |
| 133 | + |
| 134 | When calculating the number of character classes, upper-case letters |
| 135 | used as the first character and digits used as the last character of a |
| 136 | -password are not counted. |
| 137 | +password are not counted. To disable this, you can specify |
| 138 | +"disable_firstupper_lastdigit_check". |
| 139 | |
| 140 | In addition to being sufficiently long, passwords are required to |
| 141 | contain enough different characters for the character classes and |
| 142 | @@ -142,6 +145,14 @@ This disables user interaction within pa |
| 143 | the only difference between "use_first_pass" and "use_authtok" is that |
| 144 | the former is incompatible with "ask_oldauthtok". |
| 145 | |
| 146 | + oldpass_prompt_file=absolute-file-path [] |
| 147 | + newpass_prompt_file=abosulte-file-path [] |
| 148 | + |
| 149 | +The options "oldpass_prompt_file" and "newpass_prompt_file" can be used |
| 150 | +to override prompts while requesting old password and new password, |
| 151 | +respectively. The maximum size of the prompt files can be 4096 |
| 152 | +characters at present. If the file size is more than 4096 characters, the |
| 153 | +output will be truncated to 4096 characters. |
| 154 | -- |
| 155 | Solar Designer <solar at openwall.com> |
| 156 | |