Add an 'enforcing' setting to make the checks to be warning-only in PAM.

author: Tomas Mraz <tmraz@redhat.com> 2016-11-01 15:16:54 +0100
committer: Tomas Mraz <tmraz@redhat.com> 2016-11-01 15:16:54 +0100
commit: 812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c (patch)
tree: e15fa21849adaeae6aeafe884d084c24290215f6 /src
parent: df472befdc08b076bf1f2a863cb73801727ded80 (diff)
download: libpwquality-812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c.tar.gz
5 files changed, 20 insertions, 2 deletions
diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c
index ac7e826..501b44d 100644
--- a/src/pam_pwquality.c
+++ b/src/pam_pwquality.c
@@ -235,13 +235,15 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
                         if (retval < 0) {
                                 const char *msg;
                                 char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
+                                int enforcing = 1;
                                 msg = pwquality_strerror(buf, sizeof(buf), retval, auxerror);
                                 if (ctrl & PAM_DEBUG_ARG)
                                         pam_syslog(pamh, LOG_DEBUG, "bad password: %s", msg);
                                 pam_error(pamh, _("BAD PASSWORD: %s"), msg);
+                                pwquality_get_int_value(options.pwq, PWQ_SETTING_ENFORCING, &enforcing);
 
-                                if (getuid() || options.enforce_for_root ||
-                                    (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
+                                if (enforcing && (getuid() || options.enforce_for_root ||
+                                    (flags & PAM_CHANGE_EXPIRED_AUTHTOK))) {
                                         pam_set_item(pamh, PAM_AUTHTOK, NULL);
                                         retval = PAM_AUTHTOK_ERR;
                                         continue;
diff --git a/src/pwqprivate.h b/src/pwqprivate.h
index f72828d..4ac96a7 100644
--- a/src/pwqprivate.h
+++ b/src/pwqprivate.h
@@ -26,6 +26,7 @@ struct pwquality_settings {
         int gecos_check;
         int dict_check;
         int user_check;
+        int enforcing;
         char *bad_words;
         char *dict_path;
 };
@@ -44,6 +45,7 @@ struct setting_mapping {
 #define PWQ_DEFAULT_OTH_CREDIT   0
 #define PWQ_DEFAULT_DICT_CHECK   1
 #define PWQ_DEFAULT_USER_CHECK   1
+#define PWQ_DEFAULT_ENFORCING    1
 
 #define PWQ_TYPE_INT             1
 #define PWQ_TYPE_STR             2
diff --git a/src/pwquality.conf b/src/pwquality.conf
index 8155aec..550036d 100644
--- a/src/pwquality.conf
+++ b/src/pwquality.conf
@@ -54,5 +54,10 @@
 # The check is enabled if the value is not 0.
 # usercheck = 1
 #
+# Whether the check is enforced by the PAM module and possibly other
+# applications.
+# The new password is rejected if it fails the check and the value is not 0.
+# enforcing = 1
+#
 # Path to the cracklib dictionaries. Default is to use the cracklib default.
 # dictpath =
diff --git a/src/pwquality.h b/src/pwquality.h
index 49d2377..0666735 100644
--- a/src/pwquality.h
+++ b/src/pwquality.h
@@ -29,6 +29,7 @@ extern "C" {
 #define PWQ_SETTING_MAX_SEQUENCE    14
 #define PWQ_SETTING_DICT_CHECK      15
 #define PWQ_SETTING_USER_CHECK      16
+#define PWQ_SETTING_ENFORCING       17
 
 #define PWQ_MAX_ENTROPY_BITS       256
 #define PWQ_MIN_ENTROPY_BITS       56
diff --git a/src/settings.c b/src/settings.c
index 3d3f465..5c38b30 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -35,6 +35,7 @@ pwquality_default_settings(void)
         pwq->oth_credit = PWQ_DEFAULT_OTH_CREDIT;
         pwq->dict_check = PWQ_DEFAULT_DICT_CHECK;
         pwq->user_check = PWQ_DEFAULT_USER_CHECK;
+        pwq->enforcing = PWQ_DEFAULT_ENFORCING;
 
         return pwq;
 }
@@ -64,6 +65,7 @@ static const struct setting_mapping s_map[] = {
  { "gecoscheck", PWQ_SETTING_GECOS_CHECK, PWQ_TYPE_INT},
  { "dictcheck", PWQ_SETTING_DICT_CHECK, PWQ_TYPE_INT},
  { "usercheck", PWQ_SETTING_USER_CHECK, PWQ_TYPE_INT},
+ { "enforcing", PWQ_SETTING_ENFORCING, PWQ_TYPE_INT},
  { "badwords", PWQ_SETTING_BAD_WORDS, PWQ_TYPE_STR},
  { "dictpath", PWQ_SETTING_DICT_PATH, PWQ_TYPE_STR}
 };
@@ -338,6 +340,9 @@ pwquality_set_int_value(pwquality_settings_t *pwq, int setting, int value)
         case PWQ_SETTING_USER_CHECK:
                 pwq->user_check = value;
                 break;
+        case PWQ_SETTING_ENFORCING:
+                pwq->enforcing = value;
+                break;
         default:
                 return PWQ_ERROR_NON_INT_SETTING;
         }
@@ -421,6 +426,9 @@ pwquality_get_int_value(pwquality_settings_t *pwq, int setting, int *value)
         case PWQ_SETTING_USER_CHECK:
                 *value = pwq->user_check;
                 break;
+        case PWQ_SETTING_ENFORCING:
+                *value = pwq->enforcing;
+                break;
         default:
                 return PWQ_ERROR_NON_INT_SETTING;
         }
author	Tomas Mraz <tmraz@redhat.com>	2016-11-01 15:16:54 +0100
committer	Tomas Mraz <tmraz@redhat.com>	2016-11-01 15:16:54 +0100
commit	812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c (patch)
tree	e15fa21849adaeae6aeafe884d084c24290215f6 /src
parent	df472befdc08b076bf1f2a863cb73801727ded80 (diff)
download	libpwquality-812cd64cf8dcd656f1c7ab00c246b53e9ab7bd3c.tar.gz