author | Tomas Mraz <tmraz@redhat.com> | 2016-11-01 15:16:54 +0100 |
---|---|---|
committer | Tomas Mraz <tmraz@redhat.com> | 2016-11-01 15:16:54 +0100 |
commit | 812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c (patch) | |
tree | e15fa21849adaeae6aeafe884d084c24290215f6 /src | |
parent | df472befdc08b076bf1f2a863cb73801727ded80 (diff) | |
download | libpwquality-812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c.tar.gz |
Add an 'enforcing' setting to make the checks warning-only in PAM.
Diffstat (limited to 'src')
-rw-r--r-- | src/pam_pwquality.c | 6 | ||||
-rw-r--r-- | src/pwqprivate.h | 2 | ||||
-rw-r--r-- | src/pwquality.conf | 5 | ||||
-rw-r--r-- | src/pwquality.h | 1 | ||||
-rw-r--r-- | src/settings.c | 8 |
5 files changed, 20 insertions, 2 deletions
diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c
index ac7e826..501b44d 100644
--- a/src/pam_pwquality.c
+++ b/src/pam_pwquality.c
@@ -235,13 +235,15 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 if (retval < 0) {
 const char *msg;
 char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
+ int enforcing = 1;
 msg = pwquality_strerror(buf, sizeof(buf), retval, auxerror);
 if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh, LOG_DEBUG, "bad password: %s", msg);
 pam_error(pamh, _("BAD PASSWORD: %s"), msg);
+ pwquality_get_int_value(options.pwq, PWQ_SETTING_ENFORCING, &enforcing);
- if (getuid() || options.enforce_for_root ||
- (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
+ if (enforcing && (getuid() || options.enforce_for_root ||
+ (flags & PAM_CHANGE_EXPIRED_AUTHTOK))) {
 pam_set_item(pamh, PAM_AUTHTOK, NULL);
 retval = PAM_AUTHTOK_ERR;
 continue;
diff --git a/src/pwqprivate.h b/src/pwqprivate.h
index f72828d..4ac96a7 100644
--- a/src/pwqprivate.h
+++ b/src/pwqprivate.h
@@ -26,6 +26,7 @@ struct pwquality_settings {
 int gecos_check;
 int dict_check;
 int user_check;
+ int enforcing;
 char *bad_words;
 char *dict_path;
 };
@@ -44,6 +45,7 @@ struct setting_mapping {
 #define PWQ_DEFAULT_OTH_CREDIT 0
 #define PWQ_DEFAULT_DICT_CHECK 1
 #define PWQ_DEFAULT_USER_CHECK 1
+#define PWQ_DEFAULT_ENFORCING 1
 #define PWQ_TYPE_INT 1
 #define PWQ_TYPE_STR 2
diff --git a/src/pwquality.conf b/src/pwquality.conf
index 8155aec..550036d 100644
--- a/src/pwquality.conf
+++ b/src/pwquality.conf
@@ -54,5 +54,10 @@
 # The check is enabled if the value is not 0.
 # usercheck = 1
 #
+# Whether the check is enforced by the PAM module and possibly other
+# applications.
+# The new password is rejected if it fails the check and the value is not 0.
+# enforcing = 1
+#
 # Path to the cracklib dictionaries. Default is to use the cracklib default.
 # dictpath =
diff --git a/src/pwquality.h b/src/pwquality.h
index 49d2377..0666735 100644
--- a/src/pwquality.h
+++ b/src/pwquality.h
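Review bot: The return value of the new `pwquality_get_int_value(options.pwq, PWQ_SETTING_ENFORCING, &enforcing);` call is discarded, so a failed lookup silently leaves `enforcing` at its initial value of 1; that is the right fail-closed direction, but nothing in the hunk says so, and a later edit could change the initializer without noticing it is load-bearing. Suggest documenting it on the declaration: `int enforcing = 1;  /* fail closed: keep enforcing if the setting cannot be read */`. Note also that `enforcing` now gates the entire condition, including the `options.enforce_for_root` module argument and the `PAM_CHANGE_EXPIRED_AUTHTOK` path, so a single `enforcing = 0` line in pwquality.conf stops this module from rejecting any failed password for any user; the pwquality.conf hunk in this change would benefit from stating that it overrides enforce_for_root. pam_sm_chauthtok begins and ends outside the hunk.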
@@ -29,6 +29,7 @@ extern "C" {
 #define PWQ_SETTING_MAX_SEQUENCE 14
 #define PWQ_SETTING_DICT_CHECK 15
 #define PWQ_SETTING_USER_CHECK 16
+#define PWQ_SETTING_ENFORCING 17
 #define PWQ_MAX_ENTROPY_BITS 256
 #define PWQ_MIN_ENTROPY_BITS 56
diff --git a/src/settings.c b/src/settings.c
index 3d3f465..5c38b30 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -35,6 +35,7 @@ pwquality_default_settings(void)
 pwq->oth_credit = PWQ_DEFAULT_OTH_CREDIT;
 pwq->dict_check = PWQ_DEFAULT_DICT_CHECK;
 pwq->user_check = PWQ_DEFAULT_USER_CHECK;
+ pwq->enforcing = PWQ_DEFAULT_ENFORCING;
 return pwq;
 }
@@ -64,6 +65,7 @@ static const struct setting_mapping s_map[] = {
 { "gecoscheck", PWQ_SETTING_GECOS_CHECK, PWQ_TYPE_INT},
 { "dictcheck", PWQ_SETTING_DICT_CHECK, PWQ_TYPE_INT},
 { "usercheck", PWQ_SETTING_USER_CHECK, PWQ_TYPE_INT},
+ { "enforcing", PWQ_SETTING_ENFORCING, PWQ_TYPE_INT},
 { "badwords", PWQ_SETTING_BAD_WORDS, PWQ_TYPE_STR},
 { "dictpath", PWQ_SETTING_DICT_PATH, PWQ_TYPE_STR}
 };
@@ -338,6 +340,9 @@ pwquality_set_int_value(pwquality_settings_t *pwq, int setting, int value)
 case PWQ_SETTING_USER_CHECK:
 pwq->user_check = value;
 break;
+ case PWQ_SETTING_ENFORCING:
+ pwq->enforcing = value;
+ break;
 default:
 return PWQ_ERROR_NON_INT_SETTING;
 }
@@ -421,6 +426,9 @@ pwquality_get_int_value(pwquality_settings_t *pwq, int setting, int *value)
 case PWQ_SETTING_USER_CHECK:
 *value = pwq->user_check;
 break;
+ case PWQ_SETTING_ENFORCING:
+ *value = pwq->enforcing;
+ break;
 default:
 return PWQ_ERROR_NON_INT_SETTING;
 }
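Review bot: In the settings.c hunks the new `enforcing` field is only stored by `pwquality_set_int_value` and handed back by `pwquality_get_int_value`; nothing in this change makes the library's own check path consult it, so as far as these hunks show the setting is advisory and each application must query `PWQ_SETTING_ENFORCING` itself, as pam_pwquality.c does in this commit. The public define added in the pwquality.h hunk carries no comment to that effect, and callers reading the header alone may assume the library enforces it; suggest `#define PWQ_SETTING_ENFORCING 17  /* advisory: the caller decides whether a failed check rejects the password */`. The value is stored unnormalized like the other boolean-style settings, so readers should test it as non-zero rather than `== 1`, matching the pwquality.conf wording.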