
A code change in cracklib



I have made some changes to the cracklib module. I am not sure of
the correct format to provice the changes in, In the diffs below
the file.ship is from the shipment and the file with not extra
stuff is the changed file. I can move the files around and re-do
the diff if there is a better way.

This is the code changes, changes to the documentation is in another
message.


These changes are to enable the use of cracklib with long
passwords, as available with md5. I use md5 and shadow on one of
the systems here and found that cracklib's requirement of at
least 1/2 of the chars being different in the new password was getting
in my way, as well as the restriction on length not being
long enough. See the comments in the code and the documentation.
In addition I added to the documentation for cracklib after I figured
out what the rules were.

----------------------cut here------------------------------------
*** modules/pam_cracklib/pam_cracklib.c.ship	Thu Jul 17 08:59:15 1997
--- modules/pam_cracklib/pam_cracklib.c	Fri Jul 18 07:54:51 1997
***************
*** 1,6 ****
--- 1,7 ----
  /* pam_cracklib module */
  
  /*
+  * 0.8A added six new options to use this with md5 passwords.
   * 0.8. tidied output and improved D(()) usage for debugging.
   * 0.7. added support for more obscure checks for new passwd.
   * 0.6. root can reset user passwd to any values (it's only warned)
***************
*** 12,22 ****
--- 13,38 ----
   */
  /*
   * Written by Cristian Gafton <gafton@sorosis.ro> 1996/09/10
+  * Modified by Philip W. Dalrymple <pwd@mdtsoft.com> 1997/07/18
   * See the end of the file for Copyright Information
   */
+ /*
+  * Modification for MD5 and other long password systems.
+ The original module had problems when used in a md5 password system
+ in that it allowed too short password but required that at least
+ half of the bytes in the new password did not appear in the old one.
+ this action is still the default and the changes should not break
+ any current user. This modification adds 6 new options, one to
+ set the number of bytes in the new password that are not in 
+ the old one, the other five to control the length checking, these
+ are all documented (or will be befor anyone else sees this code) in 
+ the PAM S.A.G. in the section on the cracklib module.
+  */
  
  #include <stdio.h>
+ /************ not needed for development defined elsewere
  #define __USE_BSD
+ ********************************/
  #include <unistd.h>
  #include <stdlib.h>
  #include <string.h>
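Review bot: The `#define __USE_BSD` in the include block is neutralized by wrapping it in a comment rather than removed, which leaves dead code and a note ("defined elsewere") that a later reader cannot verify from this file. Either delete the three lines outright or, if BSD prototypes are still needed here, set the feature-test macro the build expects before the first include; `__USE_BSD` is a glibc-internal macro derived from `_BSD_SOURCE`, so defining it directly from user code was fragile to begin with. The new modification comment above it also drops the leading ` * ` that the file's other block comments use.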
***************
*** 70,75 ****
--- 86,97 ----
  
  /* module data */
  static int retry_times = 0;
+ static int diff_ok = 10;
+ static int min_length = 9;
+ static int dig_credit = 1;
+ static int up_credit = 1;
+ static int low_credit = 1;
+ static int oth_credit = 1;
  static char prompt_type[BUFSIZ];
  
  static int _pam_parse(int argc, const char **argv)
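Review bot: The new defaults (10, 9, 1, 1, 1, 1) are repeated as bare literals in the fallback branches of _pam_parse in the next hunk, and there they differ — minlen falls back to 5 and each credit to 0 rather than to these values — so a malformed option value yields a different policy than omitting the option. Naming them once, e.g. `enum { DEFAULT_DIFF_OK = 10, DEFAULT_MIN_LENGTH = 9, DEFAULT_CREDIT = 1 };`, and using the names for both the initializers and the fallbacks keeps the two in step. If the asymmetry is intentional, a comment on each static saying so would help.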
***************
*** 90,95 ****
--- 112,147 ----
                 retry_times = strtol(*argv+6,&ep,10);
                 if (!ep || (retry_times < 1))
                      retry_times = 1;
+           } else if (!strncmp(*argv,"difok=",6)) {
+                char *ep = NULL;
+                diff_ok = strtol(*argv+6,&ep,10);
+                if (!ep || (diff_ok < 0))
+                     diff_ok = 10;
+           } else if (!strncmp(*argv,"minlen=",7)) {
+                char *ep = NULL;
+                min_length = strtol(*argv+7,&ep,10);
+                if (!ep || (min_length < 5))
+                     min_length = 5;
+           } else if (!strncmp(*argv,"dcredit=",8)) {
+                char *ep = NULL;
+                dig_credit = strtol(*argv+8,&ep,10);
+                if (!ep || (dig_credit < 0))
+                     dig_credit = 0;
+           } else if (!strncmp(*argv,"ucredit=",8)) {
+                char *ep = NULL;
+                up_credit = strtol(*argv+8,&ep,10);
+                if (!ep || (up_credit < 0))
+                     up_credit = 0;
+           } else if (!strncmp(*argv,"lcredit=",8)) {
+                char *ep = NULL;
+                low_credit = strtol(*argv+8,&ep,10);
+                if (!ep || (low_credit < 0))
+                     low_credit = 0;
+           } else if (!strncmp(*argv,"ocredit=",8)) {
+                char *ep = NULL;
+                oth_credit = strtol(*argv+8,&ep,10);
+                if (!ep || (oth_credit < 0))
+                     oth_credit = 0;
            } else {
                 _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
            }
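Review bot: The `!ep` tests in the six new branches can never fire — strtol always stores an end pointer — so a malformed value such as `difok=ten` silently becomes 0, and because the new test in similiar() returns 0 as soon as the count compared against diff_ok reaches it, `difok=0` (typed or accidental) disables the similarity check altogether. Check that something was parsed and the whole value was consumed, and reject 0 for difok: `if (ep == *argv+6 || *ep != '\0' || diff_ok < 1)` then `diff_ok = 10;`, with the same shape for the minlen and credit branches (the pre-existing retry branch shares the weakness). _pam_parse begins and ends outside this hunk.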
***************
*** 196,201 ****
--- 248,258 ----
  
  /*
   * more than half of the characters are different ones.
+  * or at least diff_ok are different
+  * NOTE that the defaults are NOT the same as befor this
+  * change. as long as there are at least 10 different bytes
+  * in a new password it will now pass even if the password
+  * is longer than 20 bytes (MD5)
   */
  static int similiar(const char *old, const char *new)
  {
***************
*** 205,210 ****
--- 262,269 ----
  		if (strchr (new, old[i]))
  			j++;
  
+ 	if(j >= diff_ok) 
+ 		return 0;
  	if (i >= j * 2)
  		return 0;
  
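Review bot: `if(j >= diff_ok) return 0;` tests the wrong count: the loop body visible just above increments j for each character of old that also occurs in new, so j is the number of shared characters, and the new line reports "not similar" precisely when old and new overlap in at least diff_ok characters — a 20-byte password changed by a single character would pass. The number of different bytes that the comment in the previous hunk describes is `i - j`, so the line should read `if (i - j >= diff_ok) return 0;`. similiar()'s loop header and return path lie outside this hunk, so this reading assumes i is the length of old, as the original `i >= j * 2` test also implies.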
***************
*** 237,249 ****
  	/*
  	 * The scam is this - a password of only one character type
  	 * must be 8 letters long.  Two types, 7, and so on.
  	 */
  
! 	size = 9;
! 	if (digits) size--;
! 	if (uppers) size--;
! 	if (lowers) size--;
! 	if (others) size--;
  
  	if (size <= i)
  		return 0;
--- 296,323 ----
  	/*
  	 * The scam is this - a password of only one character type
  	 * must be 8 letters long.  Two types, 7, and so on.
+ 	 * This is now changed, the base size and the credits or defaults
+ 	 * see the docs on the module for info on these parameters, the
+ 	 * defaults cause the effect to be the same as befor the change
  	 */
  
! 	if(digits > dig_credit) {
! 		digits = dig_credit;
! 		}
! 	if(uppers > up_credit) {
! 		uppers = up_credit;
! 		}
! 	if(lowers > low_credit) {
! 		lowers = low_credit;
! 		}
! 	if(others > oth_credit) {
! 		others = oth_credit;
! 		}
! 	size = min_length;
! 	size -= digits;
! 	size -= uppers;
! 	size -= lowers;
! 	size -= others;
  
  	if (size <= i)
  		return 0;
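Review bot: The four clamp blocks use `if(` without a space and put the closing brace at body indentation, unlike the surrounding `if (size <= i)`, and they repeat the same three lines four times. A one-line helper removes both problems: `static int credit(int count, int limit) { return count < limit ? count : limit; }` followed by `size = min_length - credit(digits, dig_credit) - credit(uppers, up_credit) - credit(lowers, low_credit) - credit(others, oth_credit);`. Note too that with the parser's minlen floor of 5 and four credits, size can reach 1 or below, after which `size <= i` accepts any length; whether that is acceptable depends on what i holds, which is set outside this hunk. The enclosing function starts and ends outside the hunk.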
***************
*** 592,597 ****
--- 666,689 ----
  #endif
  
  /*
+  * Modificaton Copyright (c) Philip W. Dalrymple III <pwd@mdtsoft.com>
+  *       1997. All rights reserved
+  *       Redistribution under the same conditions as noted for the
+  *       original program. 
+  *
+  * THE MODIFICATION THAT PROVIDES SUPPORT FOR MD5 TYPE CHECKING TO
+  * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
+  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+  * OF THE POSSIBILITY OF SUCH DAMAGE.
+  *
   * Copyright (c) Cristian Gafton <gafton@sorosis.ro>, 1996.
   *                                              All rights reserved
   *
----------------------cut here------------------------------------
-- 
Philip W. Dalrymple III <pwd@mdtsoft.com>
This article is a natural product.  The slight variations in spelling and
grammar enhance its individual character and beauty and in no way are to 
be considered flaws or defects.
+1 770 642 3001


