Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
pam.23706
pam-pam_cracklib-add-usersubstr.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File pam-pam_cracklib-add-usersubstr.patch of Package pam.23706
Index: Linux-PAM-1.3.0/modules/pam_cracklib/pam_cracklib.c =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_cracklib/pam_cracklib.c +++ Linux-PAM-1.3.0/modules/pam_cracklib/pam_cracklib.c @@ -106,6 +106,7 @@ struct cracklib_options { int reject_user; int gecos_check; int enforce_for_root; + int user_substr; const char *cracklib_dictpath; }; @@ -118,6 +119,15 @@ struct cracklib_options { #define CO_LOW_CREDIT 1 #define CO_OTH_CREDIT 1 #define CO_MIN_WORD_LENGTH 4 +#define CO_MIN_WORD_LENGTH 4 + +static inline const char * +pam_str_skip_prefix(const char *str, const char *prefix) +{ + size_t prefix_len = strlen(prefix); + + return strncmp(str, prefix, prefix_len) ? NULL : str + prefix_len; +} static int _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, @@ -127,6 +137,7 @@ _pam_parse (pam_handle_t *pamh, struct c /* step through arguments */ for (ctrl=0; argc-- > 0; ++argv) { + const char *str; char *ep = NULL; /* generic options */ @@ -202,6 +213,10 @@ _pam_parse (pam_handle_t *pamh, struct c if (!*(opt->cracklib_dictpath)) { opt->cracklib_dictpath = CRACKLIB_DICTS; } + } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) { + opt->user_substr = strtol(str, &ep, 10); + if (ep == str) + opt->user_substr = 0; } else { pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); } @@ -542,13 +557,54 @@ static int wordcheck(const char *new, ch return 0; } +/* + * RETURNS: True if the password is unacceptable, else false + */ +static int usersubstr(int len, const char *new, char *user) +{ + int i, userlen; + int bad = 0; // Assume it's OK unless proven otherwise + char *subuser = calloc(len+1, sizeof(char)); + + if (subuser == NULL) { + return 1; + } + + userlen = strlen(user); + + if (len >= CO_MIN_WORD_LENGTH && + userlen > len) { + for(i = 0; !bad && (i <= userlen - len); i++) { + strncpy(subuser, user+i, len+1); + subuser[len] = '\0'; + bad = wordcheck(new, subuser); + } + } else { + // if we already tested substrings, there's no need to test + // the whole username; all substrings would've been found :) + if (!bad) + bad = wordcheck(new, user); + } + + free(subuser); + + return bad; +} + +/* + * RETURNS: True if the password is unacceptable, else false + */ static int usercheck(struct cracklib_options *opt, const char *new, char *user) { - if (!opt->reject_user) - return 0; + int bad = 0; + + if (opt->reject_user) + bad = wordcheck(new, user); + if (!bad && opt->user_substr != 0) + bad = usersubstr(opt->user_substr, new, user); - return wordcheck(new, user); + return bad; } static char * str_lower(char *string) Index: Linux-PAM-1.3.0/doc/sag/Linux-PAM_SAG.txt =================================================================== --- Linux-PAM-1.3.0.orig/doc/sag/Linux-PAM_SAG.txt +++ Linux-PAM-1.3.0/doc/sag/Linux-PAM_SAG.txt @@ -990,6 +990,14 @@ reject_username Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected. +usersubstr=N + + Reject passwords which contain any substring of N or more consecutive + characters of the user's name straight or in reverse order. + N must be at least 4 for this to be applicable. + Also, usernames shorter than N are not checked. + If such a substring is found, the password is rejected. + gecoscheck Check whether the words from the GECOS field (usualy full name of the user) Index: Linux-PAM-1.3.0/doc/sag/html/sag-pam_cracklib.html =================================================================== --- Linux-PAM-1.3.0.orig/doc/sag/html/sag-pam_cracklib.html +++ Linux-PAM-1.3.0/doc/sag/html/sag-pam_cracklib.html @@ -197,6 +197,15 @@ Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected. + </p></dd><dt><span class="term"> + <code class="option">usersubstr=<em class="replaceable"><code>N</code></em></code> + </span></dt><dd><p> + Reject passwords which contain any substring of N or more + consecutive characters of the user's name straight or in + reverse order. + N must be at least 4 for this to be applicable. + Also, usernames shorter than N are not checked. + If such a substring is found, the password is rejected. </p></dd><dt><span class="term"> <code class="option">gecoscheck</code> </span></dt><dd><p> Index: Linux-PAM-1.3.0/modules/pam_cracklib/README =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_cracklib/README +++ Linux-PAM-1.3.0/modules/pam_cracklib/README @@ -179,6 +179,14 @@ reject_username Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected. +usersubstr=N + + Reject passwords which contain any substring of N or more consecutive + characters of the user's name straight or in reverse order. + N must be at least 4 for this to be applicable. + Also, usernames shorter than N are not checked. + If such a substring is found, the password is rejected. + gecoscheck Check whether the words from the GECOS field (usualy full name of the user) Index: Linux-PAM-1.3.0/modules/pam_cracklib/pam_cracklib.8 =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_cracklib/pam_cracklib.8 +++ Linux-PAM-1.3.0/modules/pam_cracklib/pam_cracklib.8 @@ -232,6 +232,15 @@ Reject passwords which contain more than Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&. .RE .PP +\fBusersubstr=\fR\fB\fIN\fR\fR +.RS 4 +Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in +reverse order\&. +N must be at least 4 for this to be applicable\&. +Also, usernames shorter than N are not checked\&. +If such a substring is found, the password is rejected\&. +.RE +.PP \fBgecoscheck\fR .RS 4 Check whether the words from the GECOS field (usualy full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&. Index: Linux-PAM-1.3.0/modules/pam_cracklib/pam_cracklib.8.xml =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_cracklib/pam_cracklib.8.xml +++ Linux-PAM-1.3.0/modules/pam_cracklib/pam_cracklib.8.xml @@ -396,6 +396,21 @@ </listitem> </varlistentry> + <varlistentry> + <term> + <option>usersubstr=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + Reject passwords which contain any substring of N or more + consecutive characters of the user's name straight or in + reverse order. N must be at least 4 for this to be applicable. + Also, usernames shorter than N are not checked. + If such a substring is found, the password is rejected. + </para> + </listitem> + </varlistentry> + <varlistentry> <term> <option>gecoscheck</option>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor