author | Jackie Huang <jackie.huang@windriver.com> | 2017-06-16 10:41:12 +0800 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2017-06-19 19:30:41 +0200 |
commit | 3b96572070183a02ee4f085cc55f33b6b297bbc9 (patch) | |
tree | a92400d11c9563cff673d3fa599d6db38b89bf06 | |
parent | 0ec8bc87066e30177c8b64b45967a3268320aeba (diff) | |
download | meta-openembedded-3b96572070183a02ee4f085cc55f33b6b297bbc9.tar.gz |
passwdqc: add new recipe and replace pam-passwdqc
passwdqc is a password/passphrase strength checking and policy
enforcement toolset, including an optional PAM module (pam_passwdqc),
command-line programs (pwqcheck and pwqgen), and a library (libpasswdqc).
pam_passwdqc 1.0.5 was the final release that shipped only pam_passwdqc, before
it was turned into passwdqc in 2009, so remove the pam-passwdqc recipe.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
5 files changed, 94 insertions, 205 deletions
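--- a/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c
---- pam_passwdqc-1.0.5-orig/pam_passwdqc.c 2008-02-12 15:11:13.000000000 -0500
-+++ pam_passwdqc-1.0.5/pam_passwdqc.c 2009-09-28 12:10:32.171696694 -0400
-@@ -70,6 +70,8 @@ typedef struct {
-passwdqc_params_t qc;
-int flags;
-int retry;
-+ char oldpass_prompt_file[FILE_LEN+1];
-+ char newpass_prompt_file[FILE_LEN+1];
-} params_t;
-
-static params_t defaults = {
-@@ -79,10 +81,13 @@ static params_t defaults = {
-3, /* passphrase_words */
-4, /* match_length */
-1, /* similar_deny */
-- 42 /* random_bits */
-+ 42, /* random_bits */
-+ 1 /* firstupper_lastdigit_check */
-},
-F_ENFORCE_EVERYONE, /* flags */
-- 3 /* retry */
-+ 3, /* retry */
-+ "", /* oldpass_prompt_file */
-+ "" /* newpass_prompt_file */
-};
-
-#define PROMPT_OLDPASS \
-@@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h
-if (!strcmp(*argv, "use_authtok")) {
-params->flags |= F_USE_AUTHTOK;
-} else
-+ if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) {
-+ params->qc.firstupper_lastdigit_check = 0;
-+ } else
-+ if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
-+ int n;
-+ FILE *fp = fopen(*argv + 20, "r");
-+ if (fp) {
-+ n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp);
-+ if (0==n || ferror(fp)!=0 ) {
-+ memset(params->oldpass_prompt_file, '\0', FILE_LEN+1);
-+ }
-+ else {
-+ feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0');
-+ }
-+ fclose(fp);
-+ }
-+ } else
-+ if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
-+ int n;
-+ FILE *fp = fopen(*argv + 20, "r");
-+ if (fp) {
-+ n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp);
-+ if (0==n || ferror(fp)!=0 ) {
-+ memset(params->newpass_prompt_file, '\0', FILE_LEN+1);
-+ }
-+ else {
-+ feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0');
-+ }
-+ fclose(fp);
-+ }
-+ } else
-break;
-argc--; argv++;
-}
-@@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
-
-if (ask_oldauthtok && !am_root(pamh)) {
-status = converse(pamh, PAM_PROMPT_ECHO_OFF,
-- PROMPT_OLDPASS, &resp);
-+ strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp);
-
-if (status == PAM_SUCCESS) {
-if (resp && resp->resp) {
-@@ -540,8 +576,7 @@ retry:
-MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
-return PAM_AUTHTOK_ERR;
-}
--
-- status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
-+ status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp);
-if (status == PAM_SUCCESS && (!resp || !resp->resp))
-status = PAM_AUTHTOK_ERR;
-
-diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c
---- pam_passwdqc-1.0.5-orig/passwdqc_check.c 2008-02-12 14:31:52.000000000 -0500
-+++ pam_passwdqc-1.0.5/passwdqc_check.c 2009-09-25 22:45:16.080842425 -0400
-@@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t *
-
-/* Upper case characters and digits used in common ways don't increase the
-* strength of a password */
-- c = (unsigned char)newpass[0];
-- if (uppers && isascii(c) && isupper(c)) uppers--;
-- c = (unsigned char)newpass[length - 1];
-- if (digits && isascii(c) && isdigit(c)) digits--;
-+ if (params->firstupper_lastdigit_check) {
-+ c = (unsigned char)newpass[0];
-+ if (uppers && isascii(c) && isupper(c)) uppers--;
-+ c = (unsigned char)newpass[length - 1];
-+ if (digits && isascii(c) && isdigit(c)) digits--;
-+ }
-
-/* Count the number of different character classes we've seen. We assume
-* that there are no non-ASCII characters for digits. */
-diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h
---- pam_passwdqc-1.0.5-orig/passwdqc.h 2008-02-12 14:30:00.000000000 -0500
-+++ pam_passwdqc-1.0.5/passwdqc.h 2009-09-25 14:08:56.214695858 -0400
-@@ -7,12 +7,15 @@
-
-#include <pwd.h>
-
-+#define FILE_LEN 4096 /* Max file len = 4096 */
-+
-typedef struct {
-int min[5], max;
-int passphrase_words;
-int match_length;
-int similar_deny;
-int random_bits;
-+ int firstupper_lastdigit_check;
-} passwdqc_params_t;
-
-extern char _passwdqc_wordset_4k[0x1000][6];
-diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README
---- pam_passwdqc-1.0.5-orig/README 2008-02-12 14:43:33.000000000 -0500
-+++ pam_passwdqc-1.0.5/README 2009-09-28 12:12:40.251016423 -0400
-@@ -41,9 +41,12 @@ words (see the "passphrase" option below
-N3 and N4 are used for passwords consisting of characters from three
-and four character classes, respectively.
-
-+ disable_firstupper_lastdigit_check []
-+
-When calculating the number of character classes, upper-case letters
-used as the first character and digits used as the last character of a
--password are not counted.
-+password are not counted. To disable this, you can specify
-+"disable_firstupper_lastdigit_check".
-
-In addition to being sufficiently long, passwords are required to
-contain enough different characters for the character classes and
-@@ -142,6 +145,14 @@ This disables user interaction within pa
-the only difference between "use_first_pass" and "use_authtok" is that
-the former is incompatible with "ask_oldauthtok".
-
-+ oldpass_prompt_file=absolute-file-path []
-+ newpass_prompt_file=abosulte-file-path []
-+
-+The options "oldpass_prompt_file" and "newpass_prompt_file" can be used
-+to override prompts while requesting old password and new password,
-+respectively. The maximum size of the prompt files can be 4096
-+characters at present. If the file size is more than 4096 characters, the
-+output will be truncated to 4096 characters.
---
-Solar Designer <solar at openwall.com>
-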
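--- a/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- pam_passwdqc-1.0.5/Makefile.orig 2012-10-02 20:53:55.443592886 +0900
-+++ pam_passwdqc-1.0.5/Makefile 2012-10-02 20:54:19.076108001 +0900
-@@ -2,7 +2,7 @@
-# Copyright (c) 2000-2003,2005 by Solar Designer. See LICENSE.
-#
-
--CC = gcc
-+#CC = gcc
-LD = $(CC)
-RM = rm -f
-MKDIR = mkdir -p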
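--- a/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb
+++ /dev/null
@@ -1,38 +0,0 @@
-SUMMARY = "Pluggable password quality-control module."
-DESCRIPTION = "pam_passwdqc is a simple password strength checking module for \
-PAM-aware password changing programs, such as passwd(1). In addition \
-to checking regular passwords, it offers support for passphrases and \
-can provide randomly generated passwords. All features are optional \
-and can be (re-)configured without rebuilding."
-
-HOMEPAGE = "http://www.openwall.com/passwdqc/"
-SECTION = "System Environment/Base"
-
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e284d013ef08e66d4737f446c5890550"
-
-SRC_URI = "http://www.openwall.com/pam/modules/pam_passwdqc/pam_passwdqc-1.0.5.tar.gz \
-file://1000patch-219201.patch \
-file://7000Makefile-fix-CC.patch \
-"
-SRC_URI[md5sum] = "cd9c014f736158b1a60384a8e2bdc28a"
-SRC_URI[sha256sum] = "32528ddf7d8219c788b6e7702361611ff16c6340b6dc0f418ff164aadc4a4a88"
-
-
-S = "${WORKDIR}/pam_passwdqc-${PV}"
-
-DEPENDS = "libpam"
-
-EXTRA_OEMAKE = "CFLAGS="${CFLAGS} -Wall -fPIC -DHAVE_SHADOW" \
-SECUREDIR=${base_libdir}/security \
-"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-do_install() {
-oe_runmake install DESTDIR=${D}
-}
-
-FILES_${PN} += "${base_libdir}/security/pam_passwdqc.so"
-FILES_${PN}-dbg += "${base_libdir}/security/.debug"
-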
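--- /dev/null
+++ b/meta-oe/recipes-support/passwdqc/passwdqc/makefile-add-ldflags.patch
@@ -0,0 +1,31 @@
+Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable.
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+
+diff --git a/Makefile b/Makefile
+index 49d622d..cd17334 100644
+--- a/Makefile
++++ b/Makefile
+@@ -48,18 +48,17 @@ CFLAGS = -Wall -W -O2
+CFLAGS_lib = $(CFLAGS) -fPIC
+CFLAGS_bin = $(CFLAGS) -fomit-frame-pointer
+
+-LDFLAGS =
+LDFLAGS_shared = --shared
+LDFLAGS_shared_LINUX = --shared
+LDFLAGS_shared_SUN = -G
+LDFLAGS_shared_HP = -b
+LDFLAGS_lib = $(LDFLAGS_shared)
+-LDFLAGS_lib_LINUX = $(LDFLAGS_shared_LINUX) \
++LDFLAGS_lib_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \
+-Wl,--soname,$(SHARED_LIB),--version-script,$(MAP_LIB)
+LDFLAGS_lib_SUN = $(LDFLAGS_shared_SUN)
+LDFLAGS_lib_HP = $(LDFLAGS_shared_HP)
+LDFLAGS_pam = $(LDFLAGS_shared)
+-LDFLAGS_pam_LINUX = $(LDFLAGS_shared_LINUX) \
++LDFLAGS_pam_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \
+-Wl,--version-script,$(MAP_PAM)
+LDFLAGS_pam_SUN = $(LDFLAGS_shared_SUN)
+LDFLAGS_pam_HP = $(LDFLAGS_shared_HP)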
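Review bot: `$(LDFLAGS)` is added only to `LDFLAGS_lib_LINUX` and `LDFLAGS_pam_LINUX`, while the generic `LDFLAGS_lib`/`LDFLAGS_pam` and the SUN/HP variants are left unchanged, and the hunk does not show how the pwqcheck/pwqgen executables get their link flags. Because the default `LDFLAGS =` assignment is removed, it is worth confirming that the executables' link rule outside this hunk still expands `$(LDFLAGS)`. If it does not, linker options supplied by the build environment (which may include hardening options) would reach the library and the PAM module but not the command-line tools. With `Upstream-Status: Pending`, a short comment where the assignment was removed, such as `# LDFLAGS is supplied by the environment or the make command line`, would make the intent clear to upstream.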
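--- /dev/null
+++ b/meta-oe/recipes-support/passwdqc/passwdqc_1.3.1.bb
@@ -0,0 +1,63 @@
+SUMMARY = "A password/passphrase strength checking and enforcement toolset"
+DESCRIPTION = "\
+passwdqc is a password/passphrase strength checking and policy enforcement \
+toolset, including an optional PAM module (pam_passwdqc), command-line \
+programs (pwqcheck and pwqgen), and a library (libpasswdqc). \
+pam_passwdqc is normally invoked on password changes by programs such as \
+passwd(1). It is capable of checking password or passphrase strength, \
+enforcing a policy, and offering randomly-generated passphrases, with \
+all of these features being optional and easily (re-)configurable. \
+\
+pwqcheck and pwqgen are standalone password/passphrase strength checking \
+and random passphrase generator programs, respectively, which are usable \
+from scripts. \
+\
+libpasswdqc is the underlying library, which may also be used from \
+third-party programs. \
+"
+
+HOMEPAGE = "http://www.openwall.com/passwdqc"
+SECTION = "System Environment/Base"
+
+DEPENDS += "libpam"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1b4af6f3d4ee079a38107366e93b334d"
+
+SRC_URI = "http://www.openwall.com/${BPN}/${BP}.tar.gz \
+file://makefile-add-ldflags.patch \
+"
+SRC_URI[md5sum] = "3878b57bcd3fdbcf3d4b362dbc6228b9"
+SRC_URI[sha256sum] = "d1fedeaf759e8a0f32d28b5811ef11b5a5365154849190f4b7fab670a70ffb14"
+
+# explicitly define LINUX_PAM in case DISTRO_FEATURES no pam
+# this package's pam_passwdqc.so needs pam
+CFLAGS_append += "-Wall -fPIC -DHAVE_SHADOW -DLINUX_PAM"
+
+# -e is no longer default setting in bitbake.conf
+EXTRA_OEMAKE = "-e"
+
+do_compile() {
+# make sure sub make use environment to override variables in Makefile
+# Linux) $(MAKE), there is a tab between
+sed -i -e 's/Linux) $(MAKE) CFLAGS_lib/Linux) $(MAKE) -e CFLAGS_lib/' ${S}/Makefile
+
+# LD_lib and LD must be CC because of Makefile
+oe_runmake LD="${CC}"
+}
+
+do_install() {
+oe_runmake install DESTDIR=${D} SHARED_LIBDIR=${base_libdir} \
+DEVEL_LIBDIR=${libdir} SECUREDIR=${base_libdir}/security \
+INSTALL="install -p"
+}
+
+PROVIDES += "pam-${BPN}"
+PACKAGES =+ "lib${BPN} pam-${BPN}"
+
+FILES_lib${BPN} = "${base_libdir}/libpasswdqc.so.0"
+FILES_pam-${BPN} = "${base_libdir}/security/pam_passwdqc.so"
+FILES_${PN}-dbg += "${base_libdir}/security/.debug"
+
+RDEPENDS_${PN} = "lib${BPN}"
+RDEPENDS_pam-${BPN} = "lib${BPN}"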
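Review bot: The `sed -i` in `do_compile` can fail silently, because it exits successfully even when `Linux) $(MAKE) CFLAGS_lib` matches nothing in `${S}/Makefile`. A whitespace mismatch (the comment above it already warns about a tab) or an upstream Makefile change would then leave the sub-make without `-e`. The environment's `CFLAGS`/`LDFLAGS`, presumably where any distro hardening flags arrive, would not override the Makefile defaults for a PAM module that handles passwords. Following the `sed` with `grep -q 'MAKE) -e CFLAGS_lib' ${S}/Makefile || bbfatal "passwdqc Makefile sub-make line was not patched"` would turn that into a visible build failure. Separately, `CFLAGS_append += "..."` mixes two operators; the conventional spelling is `CFLAGS_append = " -Wall -fPIC -DHAVE_SHADOW -DLINUX_PAM"`.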