diff options
| author | Tomas Mraz <tmraz@redhat.com> | 2016-11-01 15:16:54 +0100 |
|---|---|---|
| committer | Tomas Mraz <tmraz@redhat.com> | 2016-11-01 15:16:54 +0100 |
| commit | 812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c (patch) | |
| tree | e15fa21849adaeae6aeafe884d084c24290215f6 | |
| parent | df472befdc08b076bf1f2a863cb73801727ded80 (diff) | |
| download | libpwquality-812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c.tar.gz | |
Add an 'enforcing' setting to make the checks to be warning-only in PAM.
| -rw-r--r-- | doc/man/pam_pwquality.8.pod | 6 | ||||
| -rw-r--r-- | doc/man/pwquality.conf.5.pod | 7 | ||||
| -rw-r--r-- | src/pam_pwquality.c | 6 | ||||
| -rw-r--r-- | src/pwqprivate.h | 2 | ||||
| -rw-r--r-- | src/pwquality.conf | 5 | ||||
| -rw-r--r-- | src/pwquality.h | 1 | ||||
| -rw-r--r-- | src/settings.c | 8 |
7 files changed, 33 insertions, 2 deletions
diff --git a/doc/man/pam_pwquality.8.pod b/doc/man/pam_pwquality.8.pod index 6b115f8..307daef 100644 --- a/doc/man/pam_pwquality.8.pod +++ b/doc/man/pam_pwquality.8.pod @@ -202,6 +202,12 @@ contains the user name in some form. The default is 1 which means that this check is enabled. It is not performed for user names shorter than 3 characters. +=item B<enforcing=>I<N> + +If nonzero, reject the password if it fails the checks, otherwise +only print the warning. The default is 1 which means that the weak password +is rejected (for non-root users). + =item B<badwords=>I<< <list of words> >> The words more than 3 characters long from this space separated list are diff --git a/doc/man/pwquality.conf.5.pod b/doc/man/pwquality.conf.5.pod index ad558f6..6519ec6 100644 --- a/doc/man/pwquality.conf.5.pod +++ b/doc/man/pwquality.conf.5.pod @@ -107,6 +107,13 @@ If nonzero, check whether the password (with possible modifications) contains the user name in some form. It is not performed for user names shorter than 3 characters. (default 1) +=item B<enforcing=>I<N> + +If nonzero, reject the password if it fails the checks, otherwise +only print the warning. This setting applies only to the pam_pwquality module +and possibly other applications that explicitly change their behavior +based on it. It does not affect L<pwmake(1)> and L<pwscore(1)>. (default 1) + =item B<badwords> Space separated list of words that must not be contained in the password. These diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c index ac7e826..501b44d 100644 --- a/src/pam_pwquality.c +++ b/src/pam_pwquality.c @@ -235,13 +235,15 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, if (retval < 0) { const char *msg; char buf[PWQ_MAX_ERROR_MESSAGE_LEN]; + int enforcing = 1; msg = pwquality_strerror(buf, sizeof(buf), retval, auxerror); if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh, LOG_DEBUG, "bad password: %s", msg); pam_error(pamh, _("BAD PASSWORD: %s"), msg); + pwquality_get_int_value(options.pwq, PWQ_SETTING_ENFORCING, &enforcing); - if (getuid() || options.enforce_for_root || - (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { + if (enforcing && (getuid() || options.enforce_for_root || + (flags & PAM_CHANGE_EXPIRED_AUTHTOK))) { pam_set_item(pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; continue; diff --git a/src/pwqprivate.h b/src/pwqprivate.h index f72828d..4ac96a7 100644 --- a/src/pwqprivate.h +++ b/src/pwqprivate.h @@ -26,6 +26,7 @@ struct pwquality_settings { int gecos_check; int dict_check; int user_check; + int enforcing; char *bad_words; char *dict_path; }; @@ -44,6 +45,7 @@ struct setting_mapping { #define PWQ_DEFAULT_OTH_CREDIT 0 #define PWQ_DEFAULT_DICT_CHECK 1 #define PWQ_DEFAULT_USER_CHECK 1 +#define PWQ_DEFAULT_ENFORCING 1 #define PWQ_TYPE_INT 1 #define PWQ_TYPE_STR 2 diff --git a/src/pwquality.conf b/src/pwquality.conf index 8155aec..550036d 100644 --- a/src/pwquality.conf +++ b/src/pwquality.conf @@ -54,5 +54,10 @@ # The check is enabled if the value is not 0. # usercheck = 1 # +# Whether the check is enforced by the PAM module and possibly other +# applications. +# The new password is rejected if it fails the check and the value is not 0. +# enforcing = 1 +# # Path to the cracklib dictionaries. Default is to use the cracklib default. # dictpath = diff --git a/src/pwquality.h b/src/pwquality.h index 49d2377..0666735 100644 --- a/src/pwquality.h +++ b/src/pwquality.h @@ -29,6 +29,7 @@ extern "C" { #define PWQ_SETTING_MAX_SEQUENCE 14 #define PWQ_SETTING_DICT_CHECK 15 #define PWQ_SETTING_USER_CHECK 16 +#define PWQ_SETTING_ENFORCING 17 #define PWQ_MAX_ENTROPY_BITS 256 #define PWQ_MIN_ENTROPY_BITS 56 diff --git a/src/settings.c b/src/settings.c index 3d3f465..5c38b30 100644 --- a/src/settings.c +++ b/src/settings.c @@ -35,6 +35,7 @@ pwquality_default_settings(void) pwq->oth_credit = PWQ_DEFAULT_OTH_CREDIT; pwq->dict_check = PWQ_DEFAULT_DICT_CHECK; pwq->user_check = PWQ_DEFAULT_USER_CHECK; + pwq->enforcing = PWQ_DEFAULT_ENFORCING; return pwq; } @@ -64,6 +65,7 @@ static const struct setting_mapping s_map[] = { { "gecoscheck", PWQ_SETTING_GECOS_CHECK, PWQ_TYPE_INT}, { "dictcheck", PWQ_SETTING_DICT_CHECK, PWQ_TYPE_INT}, { "usercheck", PWQ_SETTING_USER_CHECK, PWQ_TYPE_INT}, + { "enforcing", PWQ_SETTING_ENFORCING, PWQ_TYPE_INT}, { "badwords", PWQ_SETTING_BAD_WORDS, PWQ_TYPE_STR}, { "dictpath", PWQ_SETTING_DICT_PATH, PWQ_TYPE_STR} }; @@ -338,6 +340,9 @@ pwquality_set_int_value(pwquality_settings_t *pwq, int setting, int value) case PWQ_SETTING_USER_CHECK: pwq->user_check = value; break; + case PWQ_SETTING_ENFORCING: + pwq->enforcing = value; + break; default: return PWQ_ERROR_NON_INT_SETTING; } @@ -421,6 +426,9 @@ pwquality_get_int_value(pwquality_settings_t *pwq, int setting, int *value) case PWQ_SETTING_USER_CHECK: *value = pwq->user_check; break; + case PWQ_SETTING_ENFORCING: + *value = pwq->enforcing; + break; default: return PWQ_ERROR_NON_INT_SETTING; } |