45
26
_make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
31
- int pass_min_len = 0;
50
32
+ int pass_min_len = 6;
52
34
/* <DO NOT free() THESE> */
58
- ctrl = _set_ctrl(pamh, flags, &remember, &rounds, argc, argv);
59
+ ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len,
63
* First get the name of a user
65
if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */
68
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
69
+ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
70
+ pass_new, pass_min_len);
72
if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) {
73
pam_set_item(pamh, PAM_AUTHTOK, NULL);
78
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
79
+ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new,
81
if (retval != PAM_SUCCESS) {
82
pam_syslog(pamh, LOG_NOTICE,
83
"new password not acceptable 2");
84
Index: pam.deb/modules/pam_unix/pam_unix_acct.c
85
===================================================================
86
--- pam.deb.orig/modules/pam_unix/pam_unix_acct.c
87
+++ pam.deb/modules/pam_unix/pam_unix_acct.c
92
- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
93
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
95
retval = pam_get_item(pamh, PAM_USER, &void_uname);
97
36
Index: pam.deb/modules/pam_unix/support.c
98
37
===================================================================
99
38
--- pam.deb.orig/modules/pam_unix/support.c
100
39
+++ pam.deb/modules/pam_unix/support.c
104
int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
105
- int argc, const char **argv)
106
+ int *pass_min_len, int argc, const char **argv)
112
42
set(UNIX__QUIET, ctrl);
128
@@ -102,15 +104,16 @@
129
ctrl &= unix_args[j].mask; /* for turning things off */
130
ctrl |= unix_args[j].flag; /* for turning things on */
132
- if (remember != NULL) {
133
- if (j == UNIX_REMEMBER_PASSWD) {
134
- *remember = strtol(*argv + 9, NULL, 10);
135
- if ((*remember == INT_MIN) || (*remember == INT_MAX))
137
- if (*remember > 400)
141
+ /* special cases */
142
+ if (remember != NULL && j == UNIX_REMEMBER_PASSWD) {
143
+ *remember = strtol(*argv + 9, NULL, 10);
144
+ if ((*remember == INT_MIN) || (*remember == INT_MAX))
146
+ if (*remember > 400)
148
+ } else if (pass_min_len && j == UNIX_MIN_PASS_LEN) {
149
+ *pass_min_len = atoi(*argv + 4);
151
if (rounds != NULL && j == UNIX_ALGO_ROUNDS)
152
*rounds = strtol(*argv + 7, NULL, 10);
155
++argv; /* step to next argument */
158
+ if (off(UNIX_HASH_MASK,ctrl)
159
+ && pass_min_len && *pass_min_len > 8)
162
if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
163
D(("DISALLOW_NULL_AUTHTOK"));
164
set(UNIX__NONULL, ctrl);
165
58
Index: pam.deb/modules/pam_unix/support.h
166
59
===================================================================
167
60
--- pam.deb.orig/modules/pam_unix/support.h
168
61
+++ pam.deb/modules/pam_unix/support.h
170
#define UNIX_ALGO_ROUNDS 25 /* optional number of rounds for new
171
63
password hash algorithms */
172
64
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
173
+#define UNIX_MAX_PASS_LEN 27 /* internal, for compatibility only */
174
+#define UNIX_MIN_PASS_LEN 28 /* min length for password */
175
+#define UNIX_OBSCURE_CHECKS 29 /* enable obscure checks on passwords */
65
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
66
+#define UNIX_OBSCURE_CHECKS 28 /* enable obscure checks on passwords */
176
67
/* -------------- */
177
-#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */
178
+#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
180
+#define UNIX_HASH_MASK (UNIX_MD5_PASS|UNIX_BIGCRYPT|UNIX_SHA256_PASS|UNIX_SHA512_PASS|UNIX_BLOWFISH_PASS)
182
static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
68
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
69
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
71
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
184
74
/* symbol token name ctrl mask ctrl *
185
75
* ----------------------- ------------------- --------------------- -------- */
238
129
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x2C22000), 0x800000},
239
130
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000},
240
131
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x2C22000),0x2000000},
241
+/* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0},
242
+/* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x4000000},
132
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000},
243
133
+/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x8000000},
246
136
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
248
extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
249
,int type, const char *text);
250
extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds,
251
- int argc, const char **argv);
252
+ int *pass_min_len, int argc, const char **argv);
253
extern int _unix_getpwnam (pam_handle_t *pamh,
254
const char *name, int files, int nis,
255
struct passwd **ret);
256
137
Index: pam.deb/modules/pam_unix/pam_unix.8.xml
257
138
===================================================================
258
139
--- pam.deb.orig/modules/pam_unix/pam_unix.8.xml
259
140
+++ pam.deb/modules/pam_unix/pam_unix.8.xml
266
+ <option>min=<replaceable>n</replaceable></option>
270
+ Set a minimum password length of <replaceable>n</replaceable>
271
+ characters. The default value is 6.
144
Set a minimum password length of <replaceable>n</replaceable>
145
- characters. The max. for DES crypt based passwords are 8
147
+ characters. The default value is 6. The maximum for DES
148
+ crypt-based passwords is 8 characters.
274
151
+ </varlistentry>
565
439
bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
566
440
bigcrypt_CFLAGS = $(AM_CFLAGS)
567
Index: pam.deb/modules/pam_unix/pam_unix_auth.c
568
===================================================================
569
--- pam.deb.orig/modules/pam_unix/pam_unix_auth.c
570
+++ pam.deb/modules/pam_unix/pam_unix_auth.c
575
- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
576
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
578
/* Get a few bytes so we can pass our return value to
580
Index: pam.deb/modules/pam_unix/pam_unix_sess.c
581
===================================================================
582
--- pam.deb.orig/modules/pam_unix/pam_unix_sess.c
583
+++ pam.deb/modules/pam_unix/pam_unix_sess.c
588
- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
589
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
591
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
592
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
597
- ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
598
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
600
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
601
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
602
441
Index: pam.deb/modules/pam_unix/pam_unix.8
603
442
===================================================================
604
443
--- pam.deb.orig/modules/pam_unix/pam_unix.8
605
444
+++ pam.deb/modules/pam_unix/pam_unix.8
606
@@ -166,13 +166,11 @@
448
.\" Author: [see the "AUTHOR" section]
449
-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
450
-.\" Date: 08/17/2010
451
+.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
452
+.\" Date: 08/31/2010
453
.\" Manual: Linux-PAM Manual
454
.\" Source: Linux-PAM Manual
455
.\" Language: English
457
-.TH "PAM_UNIX" "8" "08/17/2010" "Linux-PAM Manual" "Linux\-PAM Manual"
458
+.TH "PAM_UNIX" "8" "08/31/2010" "Linux-PAM Manual" "Linux\-PAM Manual"
459
.\" -----------------------------------------------------------------
460
-.\" * (re)Define some macros
461
+.\" * Define some portability stuff
462
.\" -----------------------------------------------------------------
463
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
464
-.\" toupper - uppercase a string (locale-aware)
465
+.\" http://bugs.debian.org/507673
466
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
467
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
469
-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
471
-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
473
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
474
-.\" SH-xref - format a cross-reference to an SH section
475
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
484
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
485
-.\" SH - level-one heading that works better for non-TTY output
486
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
488
-.\" put an extra blank line of space above the head in non-TTY output
495
-.nr an-prevailing-indent \\n[IN]
499
-.HTML-TAG ".NH \\n[an-level]"
501
-.nr an-no-space-flag 1
503
-\." make the size of the head bigger
508
-.\" if n (TTY output), use uppercase
513
-.\" if not n (not TTY), use normal case (not uppercase)
517
-.\" if not n (not TTY), put a border/line under subheading
522
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
523
-.\" SS - level-two heading that works better for non-TTY output
524
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
529
-.nr an-prevailing-indent \\n[IN]
534
-.nr an-no-space-flag 1
537
-\." make the size of the head bigger
543
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
544
-.\" BB/BE - put background/screen (filled box) around block of text
545
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
558
-.if "\\$2"adjust-for-leading-newline" \{\
566
-.nr BW \\n(.lu-\\n(.i
569
-.ie "\\$2"adjust-for-leading-newline" \{\
570
-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
573
-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
584
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
585
-.\" BM/EM - put colored marker in margin next to block of text
586
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
603
-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
611
+.ie \n(.g .ds Aq \(aq
613
.\" -----------------------------------------------------------------
614
.\" * set default formatting
615
.\" -----------------------------------------------------------------
607
617
.\" -----------------------------------------------------------------
608
618
.\" * MAIN CONTENT STARTS HERE *
609
619
.\" -----------------------------------------------------------------
619
629
.SH "DESCRIPTION"
621
This is the standard Unix authentication module\&. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&.
631
-This is the standard Unix authentication module\&. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&.
632
+This is the standard Unix authentication module\&. It uses standard calls from the system\*(Aqs libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&.
634
-The account component performs the task of establishing the status of the user\'s account and password based on the following
635
+The account component performs the task of establishing the status of the user\*(Aqs account and password based on the following
637
elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the
638
\fBPAM_AUTHTOKEN_REQD\fR
639
return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the
641
-manual page\&. Should the user\'s record not contain one or more of these entries, the corresponding
642
+manual page\&. Should the user\*(Aqs record not contain one or more of these entries, the corresponding
644
check is not performed\&.
646
The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&.
649
-\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like
650
+\fBunix_chkpwd\fR(8), is provided to check the user\*(Aqs password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like
652
-to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was
653
+to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\*(Aqt know was
656
module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
658
-The password component of this module performs the task of updating the user\'s password\&.
659
+The password component of this module performs the task of updating the user\*(Aqs password\&.
661
The session component of this module logs when a user logins or leave the system\&.
667
-Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\&.
668
+Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&.
625
675
passwords for each user are saved in