From 48968f9a9fb456f553271e635f639fc4e829aaf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Fri, 24 Feb 2006 10:46:47 +0000
Subject: [PATCH] - added try_first_pass option to pam_cracklib - use try_first_pass for pam_unix and pam_cracklib in system-auth (#182350)
---
 pam-0.99.3.0-cracklib-try-first-pass.patch | 46 ++++++++++++++++++++++
 pam.spec | 9 ++++-
 system-auth.pamd | 6 +--
 3 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 pam-0.99.3.0-cracklib-try-first-pass.patch
diff --git a/pam-0.99.3.0-cracklib-try-first-pass.patch b/pam-0.99.3.0-cracklib-try-first-pass.patch
new file mode 100644
index 0000000..337bc04
--- /dev/null
+++ b/pam-0.99.3.0-cracklib-try-first-pass.patch
@@ -0,0 +1,46 @@
+--- Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c.try-first-pass 2006-01-08 10:49:05.000000000 +0100
++++ Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c 2006-02-24 10:42:53.000000000 +0100
+@@ -93,6 +93,7 @@
+ int low_credit;
+ int oth_credit;
+ int use_authtok;
++ int try_first_pass;
+ char prompt_type[BUFSIZ];
+ char cracklib_dictpath[PATH_MAX];
+ };
+@@ -158,6 +159,10 @@
+ opt->oth_credit = 0;
+ } else if (!strncmp(*argv,"use_authtok",11)) {
+ opt->use_authtok = 1;
++ } else if (!strncmp(*argv,"use_first_pass",14)) {
++ opt->use_authtok = 1;
++ } else if (!strncmp(*argv,"try_first_pass",14)) {
++ opt->try_first_pass = 1;
+ } else if (!strncmp(*argv,"dictpath=",9)) {
+ strncpy(opt->cracklib_dictpath, *argv+9,
+ sizeof(opt->cracklib_dictpath) - 1);
+@@ -559,7 +564,7 @@
+ * set PAM_AUTHTOK and return
+ */
+
+- if (options.use_authtok == 1) {
++ if (options.use_authtok == 1 || options.try_first_pass == 1) {
+ const void *item = NULL;
+
+ retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
+@@ -570,11 +575,13 @@
+ } else if (item != NULL) { /* we have a password! */
+ token1 = x_strdup(item);
+ item = NULL;
++ options.use_authtok = 1; /* don't ask for the password again */
+ } else {
+ retval = PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */
+ }
+-
+- } else {
++ }
++
++ if (options.use_authtok != 1) {
+ /* Prepare to ask the user for the first time */
+ resp = NULL;
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
diff --git a/pam.spec b/pam.spec
index 67fbf1a..245017d 100644
--- a/pam.spec
+++ b/pam.spec
@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications.
 Name: pam
 Version: 0.99.3.0
-Release: 1.2
+Release: 2
 License: GPL or BSD
 Group: System Environment/Base
 Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
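Review bot: In the pam_cracklib.c patch, the added `options.use_authtok = 1;` (inner hunk `@@ -570,11 +575,13 @@`) reuses a parsed configuration flag as runtime state, so once a stacked PAM_AUTHTOK is found the function can no longer tell an administrator's `use_authtok` from a successful `try_first_pass`. The later tests of `options.use_authtok` lie outside the hunk, so the effect is inferred, but the rest of the call, including the retry path that `retry=3` configures in system-auth, would presumably behave as strict `use_authtok` from then on. A separate local such as `int have_authtok = 0;`, set to 1 in that branch and checked with `if (!have_authtok && options.use_authtok != 1) {` at the prompt (and wherever else the flag is tested), would keep configuration and state apart. The parser hunk (`@@ -158,6 +159,10 @@`) would also benefit from a comment such as `/* use_first_pass: alias of use_authtok; try_first_pass: use PAM_AUTHTOK when set, otherwise prompt */`, because the patch touches only pam_cracklib.c and describes the two new options nowhere else.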
@@ -31,6 +31,7 @@ Patch34: pam-0.99.2.1-dbpam.patch Patch70: pam-0.99.2.1-selinux-nofail.patch Patch72: pam-0.99.3.0-pie.patch Patch80: pam-0.99.2.1-selinux-drop-multiple.patch +Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch BuildRoot: %{_tmppath}/%{name}-root Requires: cracklib, cracklib-dicts >= 2.8 @@ -86,6 +87,7 @@ cp $RPM_SOURCE_DIR/config-util.pamd . %patch70 -p1 -b .nofail %patch72 -p1 -b .pie %patch80 -p1 -b .drop-multiple +%patch81 -p1 -b .try-first-pass for readme in modules/pam_*/README ; do cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` @@ -351,6 +353,11 @@ fi %{_libdir}/libpam_misc.so %changelog +* Fri Feb 24 2006 Tomas Mraz 0.99.3.0-2 +- added try_first_pass option to pam_cracklib +- use try_first_pass for pam_unix and pam_cracklib in + system-auth (#182350) + * Fri Feb 10 2006 Jesse Keating - 0.99.3.0-1.2 - bump again for double-long bug on ppc(64) diff --git a/system-auth.pamd b/system-auth.pamd index ad68beb..29b7d2e 100644 --- a/system-auth.pamd +++ b/system-auth.pamd @@ -2,13 +2,13 @@ # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so -auth sufficient pam_unix.so likeauth nullok +auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so -password required pam_cracklib.so retry=3 -password sufficient pam_unix.so nullok use_authtok md5 shadow +password required pam_cracklib.so try_first_pass retry=3 +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow password required pam_deny.so session required pam_limits.so
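Review bot: In the system-auth.pamd hunk, the `auth sufficient pam_unix.so` line drops `likeauth` in the same edit that adds `try_first_pass`, and neither the commit subject nor the changelog entry mentions that removal. If the option is no longer needed by this pam_unix version (not visible here), a changelog line such as `- drop likeauth from pam_unix in system-auth` would make the change to the auth stack auditable. The file's own header says authconfig regenerates it, so the new options persist on installed systems only if authconfig writes the same lines; that is worth confirming alongside #182350.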