path: root/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
blob: 366d461eb8373922b2272c6eaf8345936679ef22 (plain)
diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c
--- pam_passwdqc-1.0.5-orig/pam_passwdqc.c	2008-02-12 15:11:13.000000000 -0500
+++ pam_passwdqc-1.0.5/pam_passwdqc.c	2009-09-28 12:10:32.171696694 -0400
@@ -70,6 +70,8 @@ typedef struct {
 	passwdqc_params_t qc;
 	int flags;
 	int retry;
+	char oldpass_prompt_file[FILE_LEN+1];
+	char newpass_prompt_file[FILE_LEN+1];
 } params_t;
 
 static params_t defaults = {
@@ -79,10 +81,13 @@ static params_t defaults = {
 		3,				/* passphrase_words */
 		4,				/* match_length */
 		1,				/* similar_deny */
-		42				/* random_bits */
+		42,				/* random_bits */
+		1				/* firstupper_lastdigit_check */
 	},
 	F_ENFORCE_EVERYONE,			/* flags */
-	3					/* retry */
+	3,					/* retry */
+	"",					/* oldpass_prompt_file */
+	""					/* newpass_prompt_file */
 };
 
 #define PROMPT_OLDPASS \
@@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h
 		if (!strcmp(*argv, "use_authtok")) {
 			params->flags |= F_USE_AUTHTOK;
 		} else
+		if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) {
+			params->qc.firstupper_lastdigit_check = 0;
+		} else
+		if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
+			int n;
+			FILE *fp = fopen(*argv + 20, "r");
+			if (fp) {
+				n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp);
+				if (0==n || ferror(fp)!=0 ) {
+					memset(params->oldpass_prompt_file, '\0', FILE_LEN+1);
+				}
+				else {
+					feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0');
+				}
+				fclose(fp);
+			}
+		} else
+		if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
+			int n;
+			FILE *fp = fopen(*argv + 20, "r");
+			if (fp) {
+				n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp);
+				if (0==n || ferror(fp)!=0 ) {
+					memset(params->newpass_prompt_file, '\0', FILE_LEN+1);
+				}
+				else {
+                                        feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0');
+				}
+				fclose(fp);
+			}
+		} else
 			break;
 		argc--; argv++;
 	}
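Review bot: In both new `*_prompt_file=` branches the `feof(fp) ? …[n-1]='\0' : …[n]='\0'` line drops the last byte of any file shorter than FILE_LEN whether or not that byte is a newline, while a file of FILE_LEN bytes or more keeps its final byte, so the prompt is trimmed inconsistently. Strip only a real trailing '\n' and always terminate at `n`, and declare `n` as `size_t`, the type fread() returns. A failed fopen() is silent here, so a mistyped path falls back to the built-in prompt with no diagnostic; logging it would make the misconfiguration visible. parse() begins and ends outside this hunk.

```c
		if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
			FILE *fp = fopen(*argv + 20, "r");
			if (fp) {
				size_t n = fread(params->oldpass_prompt_file, 1, FILE_LEN, fp);
				if (ferror(fp))
					n = 0;	/* read error: leave the prompt empty */
				/* drop only a real trailing newline */
				if (n && params->oldpass_prompt_file[n - 1] == '\n')
					n--;
				params->oldpass_prompt_file[n] = '\0';
				fclose(fp);
			}
		} else
		/* … same change in the newpass_prompt_file branch … */
```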
@@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
 
 	if (ask_oldauthtok && !am_root(pamh)) {
 		status = converse(pamh, PAM_PROMPT_ECHO_OFF,
-		    PROMPT_OLDPASS, &resp);
+		    strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp);
 
 		if (status == PAM_SUCCESS) {
 			if (resp && resp->resp) {
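Review bot: The bytes read from `oldpass_prompt_file` are handed to converse() unchanged as the prompt text, here and in the `newpass_prompt_file` call in the `retry:` hunk, so control characters or misleading text in that file reach the user's terminal at the password prompt. Nothing visible in the patch checks who can write the file; a load-time check that it is a regular file owned by root and not group- or world-writable, or dropping non-printable bytes, would keep the prompt trustworthy. As a smaller point, `params.oldpass_prompt_file[0]` tests for an empty string without strlen() walking up to 4096 bytes. pam_sm_chauthtok() continues outside the hunk.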
@@ -540,8 +576,7 @@ retry:
 		    MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
 		return PAM_AUTHTOK_ERR;
 	}
-
-	status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
+	status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp);
 	if (status == PAM_SUCCESS && (!resp || !resp->resp))
 		status = PAM_AUTHTOK_ERR;
 
diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c
--- pam_passwdqc-1.0.5-orig/passwdqc_check.c	2008-02-12 14:31:52.000000000 -0500
+++ pam_passwdqc-1.0.5/passwdqc_check.c	2009-09-25 22:45:16.080842425 -0400
@@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t *
 
 /* Upper case characters and digits used in common ways don't increase the
  * strength of a password */
-	c = (unsigned char)newpass[0];
-	if (uppers && isascii(c) && isupper(c)) uppers--;
-	c = (unsigned char)newpass[length - 1];
-	if (digits && isascii(c) && isdigit(c)) digits--;
+	if (params->firstupper_lastdigit_check) {
+		c = (unsigned char)newpass[0];
+		if (uppers && isascii(c) && isupper(c)) uppers--;
+		c = (unsigned char)newpass[length - 1];
+		if (digits && isascii(c) && isdigit(c)) digits--;
+	}
 
 /* Count the number of different character classes we've seen.  We assume
  * that there are no non-ASCII characters for digits. */
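Review bot: The comment above the new `if (params->firstupper_lastdigit_check)` still states the rule unconditionally; it should say the discount is now optional, e.g. `/* Unless disabled by configuration, upper case characters and digits used in common ways don't increase the strength of a password */`. With the option off, a leading capital and a trailing digit count as full character classes, so the shorter N3/N4 minimum lengths apply to passwords of the "Password1" shape. That trade-off deserves a line here or in the README. is_simple() starts and ends outside the hunk.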
diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h
--- pam_passwdqc-1.0.5-orig/passwdqc.h	2008-02-12 14:30:00.000000000 -0500
+++ pam_passwdqc-1.0.5/passwdqc.h	2009-09-25 14:08:56.214695858 -0400
@@ -7,12 +7,15 @@
 
 #include <pwd.h>
 
+#define FILE_LEN		4096	/* Max file len = 4096 */
+
 typedef struct {
 	int min[5], max;
 	int passphrase_words;
 	int match_length;
 	int similar_deny;
 	int random_bits;
+	int firstupper_lastdigit_check;
 } passwdqc_params_t;
 
 extern char _passwdqc_wordset_4k[0x1000][6];
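Review bot: `firstupper_lastdigit_check` is an enable flag, so any `passwdqc_params_t` that is zero-initialised or built with the old five-member initializer gets 0 and silently runs with the check off; whether other initializers exist is not visible in this patch. Inverting the sense, e.g. `int firstupper_lastdigit_allow;` with 0 keeping the original behaviour, would make the default fail safe. `FILE_LEN` is also a very generic name for a macro in a header that other files include; a prefixed name such as `PASSWDQC_PROMPT_MAX` would avoid clashes.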
diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README
--- pam_passwdqc-1.0.5-orig/README	2008-02-12 14:43:33.000000000 -0500
+++ pam_passwdqc-1.0.5/README	2009-09-28 12:12:40.251016423 -0400
@@ -41,9 +41,12 @@ words (see the "passphrase" option below
 N3 and N4 are used for passwords consisting of characters from three
 and four character classes, respectively.
 
+	disable_firstupper_lastdigit_check	[]
+
 When calculating the number of character classes, upper-case letters
 used as the first character and digits used as the last character of a
-password are not counted.
+password are not counted. To disable this, you can specify 
+"disable_firstupper_lastdigit_check".
 
 In addition to being sufficiently long, passwords are required to
 contain enough different characters for the character classes and
@@ -142,6 +145,14 @@ This disables user interaction within pa
 the only difference between "use_first_pass" and "use_authtok" is that
 the former is incompatible with "ask_oldauthtok".
 
+	oldpass_prompt_file=absolute-file-path	[]
+	newpass_prompt_file=abosulte-file-path	[]
+
+The options "oldpass_prompt_file" and "newpass_prompt_file" can be used
+to override prompts while requesting old password and new password, 
+respectively. The maximum size of the prompt files can be 4096 
+characters at present. If the file size is more than 4096 characters, the
+output will be truncated to 4096 characters.
 -- 
 Solar Designer <solar at openwall.com>