pam_passwdqc: new recipe

pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1). It is capable of checking password or passphrase strength,enforcing a policy, and offering randomly-generated passphrases,with all of these features being optional and easily (re-)configurable. Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Li xin <lixin.fnst@cn.fujitsu.com> 2014-11-10 09:29:46 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2014-11-24 11:58:31 +0100
commit: 1fc4d862c394e588a7a771062c6aec7b5a6d8a03 (patch)
tree: 4e5d84f33b53c68b8bfb0026343df4e6ff1cf83b /meta-oe
parent: d30784ef047850a9d496f2ad312b73d16e911156 (diff)
download: meta-openembedded-1fc4d862c394e588a7a771062c6aec7b5a6d8a03.tar.gz
3 files changed, 201 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch b/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
new file mode 100644
index 000000000..366d461eb
--- /dev/null
+++ b/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
@@ -0,0 +1,156 @@
+diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c
+--- pam_passwdqc-1.0.5-orig/pam_passwdqc.c      2008-02-12 15:11:13.000000000 -0500
+++ pam_passwdqc-1.0.5/pam_passwdqc.c   2009-09-28 12:10:32.171696694 -0400
+@@ -70,6 +70,8 @@ typedef struct {
+        passwdqc_params_t qc;
+        int flags;
+        int retry;
+       char oldpass_prompt_file[FILE_LEN+1];
+       char newpass_prompt_file[FILE_LEN+1];
+ } params_t;
+ 
+ static params_t defaults = {
+@@ -79,10 +81,13 @@ static params_t defaults = {
+                3,                              /* passphrase_words */
+                4,                              /* match_length */
+                1,                              /* similar_deny */
+-               42                              /* random_bits */
+               42,                             /* random_bits */
+               1                               /* firstupper_lastdigit_check */
+        },
+        F_ENFORCE_EVERYONE,                     /* flags */
+-       3                                       /* retry */
+       3,                                      /* retry */
+       "",                                     /* oldpass_prompt_file */
+       ""                                      /* newpass_prompt_file */
+ };
+ 
+ #define PROMPT_OLDPASS \
+@@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h
+                if (!strcmp(*argv, "use_authtok")) {
+                        params->flags |= F_USE_AUTHTOK;
+                } else
+               if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) {
+                       params->qc.firstupper_lastdigit_check = 0;
+               } else
+               if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
+                       int n;
+                       FILE *fp = fopen(*argv + 20, "r");
+                       if (fp) {
+                               n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp);
+                               if (0==n || ferror(fp)!=0 ) {
+                                       memset(params->oldpass_prompt_file, '\0', FILE_LEN+1);
+                               }
+                               else {
+                                       feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0');
+                               }
+                               fclose(fp);
+                       }
+               } else
+               if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
+                       int n;
+                       FILE *fp = fopen(*argv + 20, "r");
+                       if (fp) {
+                               n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp);
+                               if (0==n || ferror(fp)!=0 ) {
+                                       memset(params->newpass_prompt_file, '\0', FILE_LEN+1);
+                               }
+                               else {
+                                        feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0');
+                               }
+                               fclose(fp);
+                       }
+               } else
+                        break;
+                argc--; argv++;
+        }
+@@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ 
+        if (ask_oldauthtok && !am_root(pamh)) {
+                status = converse(pamh, PAM_PROMPT_ECHO_OFF,
+-                   PROMPT_OLDPASS, &resp);
+                   strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp);
+ 
+                if (status == PAM_SUCCESS) {
+                        if (resp && resp->resp) {
+@@ -540,8 +576,7 @@ retry:
+                    MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
+                return PAM_AUTHTOK_ERR;
+        }
+-
+-       status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
+       status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp);
+        if (status == PAM_SUCCESS && (!resp || !resp->resp))
+                status = PAM_AUTHTOK_ERR;
+ 
+diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c
+--- pam_passwdqc-1.0.5-orig/passwdqc_check.c    2008-02-12 14:31:52.000000000 -0500
+++ pam_passwdqc-1.0.5/passwdqc_check.c 2009-09-25 22:45:16.080842425 -0400
+@@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t *
+ 
+ /* Upper case characters and digits used in common ways don't increase the
+  * strength of a password */
+-       c = (unsigned char)newpass[0];
+-       if (uppers && isascii(c) && isupper(c)) uppers--;
+-       c = (unsigned char)newpass[length - 1];
+-       if (digits && isascii(c) && isdigit(c)) digits--;
+       if (params->firstupper_lastdigit_check) {
+               c = (unsigned char)newpass[0];
+               if (uppers && isascii(c) && isupper(c)) uppers--;
+               c = (unsigned char)newpass[length - 1];
+               if (digits && isascii(c) && isdigit(c)) digits--;
+       }
+ 
+ /* Count the number of different character classes we've seen.  We assume
+  * that there are no non-ASCII characters for digits. */
+diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h
+--- pam_passwdqc-1.0.5-orig/passwdqc.h  2008-02-12 14:30:00.000000000 -0500
+++ pam_passwdqc-1.0.5/passwdqc.h       2009-09-25 14:08:56.214695858 -0400
+@@ -7,12 +7,15 @@
+ 
+ #include <pwd.h>
+ 
+#define FILE_LEN               4096    /* Max file len = 4096 */
+
+ typedef struct {
+        int min[5], max;
+        int passphrase_words;
+        int match_length;
+        int similar_deny;
+        int random_bits;
+       int firstupper_lastdigit_check;
+ } passwdqc_params_t;
+ 
+ extern char _passwdqc_wordset_4k[0x1000][6];
+diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README
+--- pam_passwdqc-1.0.5-orig/README      2008-02-12 14:43:33.000000000 -0500
+++ pam_passwdqc-1.0.5/README   2009-09-28 12:12:40.251016423 -0400
+@@ -41,9 +41,12 @@ words (see the "passphrase" option below
+ N3 and N4 are used for passwords consisting of characters from three
+ and four character classes, respectively.
+ 
+       disable_firstupper_lastdigit_check      []
+
+ When calculating the number of character classes, upper-case letters
+ used as the first character and digits used as the last character of a
+-password are not counted.
+password are not counted. To disable this, you can specify 
+"disable_firstupper_lastdigit_check".
+ 
+ In addition to being sufficiently long, passwords are required to
+ contain enough different characters for the character classes and
+@@ -142,6 +145,14 @@ This disables user interaction within pa
+ the only difference between "use_first_pass" and "use_authtok" is that
+ the former is incompatible with "ask_oldauthtok".
+ 
+       oldpass_prompt_file=absolute-file-path  []
+       newpass_prompt_file=abosulte-file-path  []
+
+The options "oldpass_prompt_file" and "newpass_prompt_file" can be used
+to override prompts while requesting old password and new password, 
+respectively. The maximum size of the prompt files can be 4096 
+characters at present. If the file size is more than 4096 characters, the
+output will be truncated to 4096 characters.
+ -- 
+ Solar Designer <solar at openwall.com>
+ 
diff --git a/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch b/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch
new file mode 100644
index 000000000..536fba132
--- /dev/null
+++ b/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch
@@ -0,0 +1,11 @@
+--- pam_passwdqc-1.0.5/Makefile.orig    2012-10-02 20:53:55.443592886 +0900
+++ pam_passwdqc-1.0.5/Makefile 2012-10-02 20:54:19.076108001 +0900
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2000-2003,2005 by Solar Designer.  See LICENSE.
+ #
+ 
+-CC = gcc
+#CC = gcc
+ LD = $(CC)
+ RM = rm -f
+ MKDIR = mkdir -p
diff --git a/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb b/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb
new file mode 100644
index 000000000..4add367d5
--- /dev/null
+++ b/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb
@@ -0,0 +1,34 @@
+SUMMARY = "Pluggable password quality-control module."
+DESCRIPTION = "pam_passwdqc is a simple password strength checking module for \
+PAM-aware password changing programs, such as passwd(1). In addition \
+to checking regular passwords, it offers support for passphrases and \
+can provide randomly generated passwords. All features are optional \
+and can be (re-)configured without rebuilding."
+HOMEPAGE = "http://www.openwall.com/passwdqc/"
+SECTION = "System Environment/Base"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e284d013ef08e66d4737f446c5890550"
+SRC_URI = "http://www.openwall.com/pam/modules/pam_passwdqc/pam_passwdqc-1.0.5.tar.gz \
+           file://1000patch-219201.patch \
+           file://7000Makefile-fix-CC.patch \
+          "
+SRC_URI[md5sum] = "cd9c014f736158b1a60384a8e2bdc28a"
+SRC_URI[sha256sum] = "32528ddf7d8219c788b6e7702361611ff16c6340b6dc0f418ff164aadc4a4a88"
+S = "${WORKDIR}/pam_passwdqc-${PV}"
+DEPENDS = "libpam"
+EXTRA_OEMAKE = "CFLAGS="${CFLAGS} -Wall -fPIC -DHAVE_SHADOW""
+do_install() {
+        oe_runmake install DESTDIR=${D}
+}
+FILES_${PN} += "/lib/security/pam_passwdqc.so"
+FILES_${PN}-dbg += "/lib/security/.debug"
author	Li xin <lixin.fnst@cn.fujitsu.com>	2014-11-10 09:29:46 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2014-11-24 11:58:31 +0100
commit	1fc4d862c394e588a7a771062c6aec7b5a6d8a03 (patch)
tree	4e5d84f33b53c68b8bfb0026343df4e6ff1cf83b /meta-oe
parent	d30784ef047850a9d496f2ad312b73d16e911156 (diff)
download	meta-openembedded-1fc4d862c394e588a7a771062c6aec7b5a6d8a03.tar.gz

diff --git a/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch b/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch new file mode 100644 index 000000000..366d461eb --- /dev/null +++ b/meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch
@@ -0,0 +1,156 @@
	1	diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c
	2	--- pam_passwdqc-1.0.5-orig/pam_passwdqc.c 2008-02-12 15:11:13.000000000 -0500
	3	+++ pam_passwdqc-1.0.5/pam_passwdqc.c 2009-09-28 12:10:32.171696694 -0400
	4	@@ -70,6 +70,8 @@ typedef struct {
	5	passwdqc_params_t qc;
	6	int flags;
	7	int retry;
	8	+ char oldpass_prompt_file[FILE_LEN+1];
	9	+ char newpass_prompt_file[FILE_LEN+1];
	10	} params_t;
	11
	12	static params_t defaults = {
	13	@@ -79,10 +81,13 @@ static params_t defaults = {
	14	3, /* passphrase_words */
	15	4, /* match_length */
	16	1, /* similar_deny */
	17	- 42 /* random_bits */
	18	+ 42, /* random_bits */
	19	+ 1 /* firstupper_lastdigit_check */
	20	},
	21	F_ENFORCE_EVERYONE, /* flags */
	22	- 3 /* retry */
	23	+ 3, /* retry */
	24	+ "", /* oldpass_prompt_file */
	25	+ "" /* newpass_prompt_file */
	26	};
	27
	28	#define PROMPT_OLDPASS \
	29	@@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h
	30	if (!strcmp(*argv, "use_authtok")) {
	31	params->flags \|= F_USE_AUTHTOK;
	32	} else
	33	+ if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) {
	34	+ params->qc.firstupper_lastdigit_check = 0;
	35	+ } else
	36	+ if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
	37	+ int n;
	38	+ FILE fp = fopen(argv + 20, "r");
	39	+ if (fp) {
	40	+ n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp);
	41	+ if (0==n \|\| ferror(fp)!=0 ) {
	42	+ memset(params->oldpass_prompt_file, '\0', FILE_LEN+1);
	43	+ }
	44	+ else {
	45	+ feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0');
	46	+ }
	47	+ fclose(fp);
	48	+ }
	49	+ } else
	50	+ if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
	51	+ int n;
	52	+ FILE fp = fopen(argv + 20, "r");
	53	+ if (fp) {
	54	+ n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp);
	55	+ if (0==n \|\| ferror(fp)!=0 ) {
	56	+ memset(params->newpass_prompt_file, '\0', FILE_LEN+1);
	57	+ }
	58	+ else {
	59	+ feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0');
	60	+ }
	61	+ fclose(fp);
	62	+ }
	63	+ } else
	64	break;
	65	argc--; argv++;
	66	}
	67	@@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
	68
	69	if (ask_oldauthtok && !am_root(pamh)) {
	70	status = converse(pamh, PAM_PROMPT_ECHO_OFF,
	71	- PROMPT_OLDPASS, &resp);
	72	+ strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp);
	73
	74	if (status == PAM_SUCCESS) {
	75	if (resp && resp->resp) {
	76	@@ -540,8 +576,7 @@ retry:
	77	MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
	78	return PAM_AUTHTOK_ERR;
	79	}
	80	-
	81	- status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
	82	+ status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp);
	83	if (status == PAM_SUCCESS && (!resp \|\| !resp->resp))
	84	status = PAM_AUTHTOK_ERR;
	85
	86	diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c
	87	--- pam_passwdqc-1.0.5-orig/passwdqc_check.c 2008-02-12 14:31:52.000000000 -0500
	88	+++ pam_passwdqc-1.0.5/passwdqc_check.c 2009-09-25 22:45:16.080842425 -0400
	89	@@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t *
	90
	91	/* Upper case characters and digits used in common ways don't increase the
	92	* strength of a password */
	93	- c = (unsigned char)newpass[0];
	94	- if (uppers && isascii(c) && isupper(c)) uppers--;
	95	- c = (unsigned char)newpass[length - 1];
	96	- if (digits && isascii(c) && isdigit(c)) digits--;
	97	+ if (params->firstupper_lastdigit_check) {
	98	+ c = (unsigned char)newpass[0];
	99	+ if (uppers && isascii(c) && isupper(c)) uppers--;
	100	+ c = (unsigned char)newpass[length - 1];
	101	+ if (digits && isascii(c) && isdigit(c)) digits--;
	102	+ }
	103
	104	/* Count the number of different character classes we've seen. We assume
	105	* that there are no non-ASCII characters for digits. */
	106	diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h
	107	--- pam_passwdqc-1.0.5-orig/passwdqc.h 2008-02-12 14:30:00.000000000 -0500
	108	+++ pam_passwdqc-1.0.5/passwdqc.h 2009-09-25 14:08:56.214695858 -0400
	109	@@ -7,12 +7,15 @@
	110
	111	#include <pwd.h>
	112
	113	+#define FILE_LEN 4096 /* Max file len = 4096 */
	114	+
	115	typedef struct {
	116	int min[5], max;
	117	int passphrase_words;
	118	int match_length;
	119	int similar_deny;
	120	int random_bits;
	121	+ int firstupper_lastdigit_check;
	122	} passwdqc_params_t;
	123
	124	extern char _passwdqc_wordset_4k[0x1000][6];
	125	diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README
	126	--- pam_passwdqc-1.0.5-orig/README 2008-02-12 14:43:33.000000000 -0500
	127	+++ pam_passwdqc-1.0.5/README 2009-09-28 12:12:40.251016423 -0400
	128	@@ -41,9 +41,12 @@ words (see the "passphrase" option below
	129	N3 and N4 are used for passwords consisting of characters from three
	130	and four character classes, respectively.
	131
	132	+ disable_firstupper_lastdigit_check []
	133	+
	134	When calculating the number of character classes, upper-case letters
	135	used as the first character and digits used as the last character of a
	136	-password are not counted.
	137	+password are not counted. To disable this, you can specify
	138	+"disable_firstupper_lastdigit_check".
	139
	140	In addition to being sufficiently long, passwords are required to
	141	contain enough different characters for the character classes and
	142	@@ -142,6 +145,14 @@ This disables user interaction within pa
	143	the only difference between "use_first_pass" and "use_authtok" is that
	144	the former is incompatible with "ask_oldauthtok".
	145
	146	+ oldpass_prompt_file=absolute-file-path []
	147	+ newpass_prompt_file=abosulte-file-path []
	148	+
	149	+The options "oldpass_prompt_file" and "newpass_prompt_file" can be used
	150	+to override prompts while requesting old password and new password,
	151	+respectively. The maximum size of the prompt files can be 4096
	152	+characters at present. If the file size is more than 4096 characters, the
	153	+output will be truncated to 4096 characters.
	154	--
	155	Solar Designer <solar at openwall.com>
	156


diff --git a/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch b/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch new file mode 100644 index 000000000..536fba132 --- /dev/null +++ b/meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch
@@ -0,0 +1,11 @@
	1	--- pam_passwdqc-1.0.5/Makefile.orig 2012-10-02 20:53:55.443592886 +0900
	2	+++ pam_passwdqc-1.0.5/Makefile 2012-10-02 20:54:19.076108001 +0900
	3	@@ -2,7 +2,7 @@
	4	# Copyright (c) 2000-2003,2005 by Solar Designer. See LICENSE.
	5	#
	6
	7	-CC = gcc
	8	+#CC = gcc
	9	LD = $(CC)
	10	RM = rm -f
	11	MKDIR = mkdir -p


diff --git a/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb b/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb new file mode 100644 index 000000000..4add367d5 --- /dev/null +++ b/meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb
@@ -0,0 +1,34 @@
	1	SUMMARY = "Pluggable password quality-control module."
	2	DESCRIPTION = "pam_passwdqc is a simple password strength checking module for \
	3	PAM-aware password changing programs, such as passwd(1). In addition \
	4	to checking regular passwords, it offers support for passphrases and \
	5	can provide randomly generated passwords. All features are optional \
	6	and can be (re-)configured without rebuilding."
	7
	8	HOMEPAGE = "http://www.openwall.com/passwdqc/"
	9	SECTION = "System Environment/Base"
	10
	11	LICENSE = "BSD"
	12	LIC_FILES_CHKSUM = "file://LICENSE;md5=e284d013ef08e66d4737f446c5890550"
	13
	14	SRC_URI = "http://www.openwall.com/pam/modules/pam_passwdqc/pam_passwdqc-1.0.5.tar.gz \
	15	file://1000patch-219201.patch \
	16	file://7000Makefile-fix-CC.patch \
	17	"
	18	SRC_URI[md5sum] = "cd9c014f736158b1a60384a8e2bdc28a"
	19	SRC_URI[sha256sum] = "32528ddf7d8219c788b6e7702361611ff16c6340b6dc0f418ff164aadc4a4a88"
	20
	21
	22	S = "${WORKDIR}/pam_passwdqc-${PV}"
	23
	24	DEPENDS = "libpam"
	25
	26	EXTRA_OEMAKE = "CFLAGS="${CFLAGS} -Wall -fPIC -DHAVE_SHADOW""
	27
	28	do_install() {
	29	oe_runmake install DESTDIR=${D}
	30	}
	31
	32	FILES_${PN} += "/lib/security/pam_passwdqc.so"
	33	FILES_${PN}-dbg += "/lib/security/.debug"
	34