
pam_cracklib strangers



Hi!

Found a strange behavour for the pam_cracklib.
Maybe this is not an issue with pam_cracklib itself, but
with pam_pwdb conversation.

The issue is that if the old password (obtained via PAM_OLDAUTHTOK) is
not available, then pam_cracklib will not make some tests against it.
For example, the simple() call will not be made.

Patch to check at least simplicity of password is included.
I also noticied that there is some redundrancy in module structure, --
maybe it need some cleanup that I can do also but a bit later...

Thanks.

P.S. This is against pam 0.72 (pam-0.72-6.src.rpm from rawhide on redhat).
--- pam_cracklib.c.orig	Mon Mar 13 23:28:02 2000
+++ pam_cracklib.c	Mon Mar 13 23:37:54 2000
@@ -249,7 +249,7 @@
 /*
  * a nice mix of characters.
  */
-static int simple(struct cracklib_options *opt, const char *old, const char *new)
+static int simple(struct cracklib_options *opt, const char *new)
 {
 	int	digits = 0;
 	int	uppers = 0;
@@ -312,43 +312,41 @@
 
 static const char * password_check(struct cracklib_options *opt, const char *old, const char *new)
 {
-	const char *msg = NULL;
-	char *oldmono, *newmono, *wrapped;
-
-	if (strcmp(new, old) == 0) {
-        msg = "is the same as the old one";
-        return msg;
-    }
+	if (old) {
+		char *oldmono, *newmono, *wrapped;
+		if (strcmp(new, old) == 0)
+			return "is the same as the old one";
+
+		newmono = str_lower(x_strdup(new));
+		oldmono = str_lower(x_strdup(old));
+		wrapped = malloc(strlen(oldmono) * 2 + 1);
+		strcpy (wrapped, oldmono);
+		strcat (wrapped, oldmono);
+
+		if (palindrome(oldmono, newmono))
+			return "is a palindrome";
+
+		if (strcmp(oldmono, newmono) == 0)
+			return "case changes only";
+
+		if (similiar(opt, oldmono, newmono))
+			return "is too similiar to the old one";
+
+		if (strstr(wrapped, newmono))
+			return "is rotated";
+
+		memset(newmono, 0, strlen(newmono));
+		memset(oldmono, 0, strlen(oldmono));
+		memset(wrapped, 0, strlen(wrapped));
+		free(newmono);
+		free(oldmono);
+		free(wrapped);
+	}
 
-	newmono = str_lower(x_strdup(new));
-	oldmono = str_lower(x_strdup(old));
-	wrapped = malloc(strlen(oldmono) * 2 + 1);
-	strcpy (wrapped, oldmono);
-	strcat (wrapped, oldmono);
-
-	if (palindrome(oldmono, newmono))
-		msg = "is a palindrome";
-
-	if (!msg && strcmp(oldmono, newmono) == 0)
-		msg = "case changes only";
-
-	if (!msg && similiar(opt, oldmono, newmono))
-		msg = "is too similiar to the old one";
-
-	if (!msg && simple(opt, old, new))
-		msg = "is too simple";
-
-	if (!msg && strstr(wrapped, newmono))
-		msg = "is rotated";
-
-	memset(newmono, 0, strlen(newmono));
-	memset(oldmono, 0, strlen(oldmono));
-	memset(wrapped, 0, strlen(wrapped));
-	free(newmono);
-	free(oldmono);
-	free(wrapped);
+	if (simple(opt, new))
+		return "is too simple";
 
-	return msg;
+	return NULL;
 }
 
 
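Review bot: The early `return` statements inside the new `if (old)` block of password_check() run after `newmono`, `oldmono` and `wrapped` have been allocated, so every rejection ("is a palindrome", "case changes only", "is too similiar to the old one", "is rotated") skips the `memset()`/`free()` sequence at the end of the block. That leaks the three buffers and leaves lower-cased copies of the old and new passwords unscrubbed on the heap. The replaced code collected the verdict in `msg` and always fell through to the cleanup, and keeping that shape inside the `if (old)` block preserves the scrubbing. Separately, the `malloc()` result for `wrapped` is still used unchecked, and a plain `memset()` directly before `free()` may be removed by an optimizing compiler.

```c
static const char * password_check(struct cracklib_options *opt, const char *old, const char *new)
{
	const char *msg = NULL;

	if (old) {
		char *oldmono, *newmono, *wrapped;

		/* nothing allocated yet, so returning here is safe */
		if (strcmp(new, old) == 0)
			return "is the same as the old one";

		/* ... unchanged: newmono/oldmono/wrapped setup ... */

		if (palindrome(oldmono, newmono))
			msg = "is a palindrome";
		else if (strcmp(oldmono, newmono) == 0)
			msg = "case changes only";
		else if (similiar(opt, oldmono, newmono))
			msg = "is too similiar to the old one";
		else if (strstr(wrapped, newmono))
			msg = "is rotated";

		/* ... unchanged: memset() and free() of the three copies ... */

		/* report the verdict only after the copies are wiped and freed */
		if (msg)
			return msg;
	}
	/* ... unchanged: simple() check and final return NULL ... */
```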
@@ -595,15 +593,13 @@
             } else {
                 /* check it for strength too... */
 		D(("for strength"));
-                if (oldtoken) {
-                    retval = _pam_unix_approve_pass(pamh,ctrl,&options,
+                retval = _pam_unix_approve_pass(pamh,ctrl,&options,
                                                oldtoken,token1);
-                    if (retval != PAM_SUCCESS) {
-                        if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
-			    retval = PAM_AUTHTOK_ERR;
-			else
-			    retval = PAM_SUCCESS;
-		    }
+                if (retval != PAM_SUCCESS) {
+                    if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+			retval = PAM_AUTHTOK_ERR;
+		    else
+			retval = PAM_SUCCESS;
                 }
             }
         }
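Review bot: `oldtoken` can now reach `_pam_unix_approve_pass()` as NULL, because the `if (oldtoken)` guard around the call is removed. The `if (old)` test added to password_check() covers that function, but the body of `_pam_unix_approve_pass()` is not part of this diff, so it should be confirmed that it does not hand its old-password argument to `strcmp()` or a similar call before delegating. A comment at the call site, for example `/* oldtoken may be NULL; only checks that need no old password run then */`, would record the new contract. The enclosing function starts and ends outside the hunk.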
