diff options
Diffstat (limited to 'src/pam_pwquality.c')
-rw-r--r-- | src/pam_pwquality.c | 33 |
1 files changed, 16 insertions, 17 deletions
diff --git a/src/pam_pwquality.c b/src/pam_pwquality.c index 9c9849d..9d210e8 100644 --- a/src/pam_pwquality.c +++ b/src/pam_pwquality.c @@ -38,9 +38,6 @@ #define PAM_DEBUG_ARG 0x0001 struct module_options { - int retry_times; - int enforce_for_root; - int local_users_only; pwquality_settings_t *pwq; }; @@ -76,15 +73,7 @@ _pam_parse (pam_handle_t *pamh, struct module_options *opt, ctrl |= PAM_DEBUG_ARG; else if (!strncmp(*argv, "type=", 5)) pam_set_item (pamh, PAM_AUTHTOK_TYPE, *argv+5); - else if (!strncmp(*argv, "retry=", 6)) { - opt->retry_times = strtol(*argv+6, &ep, 10); - if (!ep || (opt->retry_times < 1)) - opt->retry_times = CO_RETRY_TIMES; - } else if (!strncmp(*argv, "enforce_for_root", 16)) { - opt->enforce_for_root = 1; - } else if (!strncmp(*argv, "local_users_only", 16)) { - opt->local_users_only = 1; - } else if (!strncmp(*argv, "difignore=", 10)) { + else if (!strncmp(*argv, "difignore=", 10)) { /* ignored for compatibility with pam_cracklib */ } else if (!strncmp(*argv, "reject_username", 15)) { /* ignored for compatibility with pam_cracklib */ @@ -157,14 +146,19 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, { int ctrl; struct module_options options; + int retry_times = CO_RETRY_TIMES; memset(&options, 0, sizeof(options)); - options.retry_times = CO_RETRY_TIMES; ctrl = _pam_parse(pamh, &options, argc, argv); if (ctrl < 0) return PAM_BUF_ERR; + pwquality_get_int_value(options.pwq, PWQ_SETTING_RETRY_TIMES, &retry_times); + if (retry_times < 1) + retry_times = CO_RETRY_TIMES; + + if (flags & PAM_PRELIM_CHECK) { /* Check for passwd dictionary * We cannot do that, since the original path is compiled @@ -194,9 +188,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, } tries = 0; - while (tries < options.retry_times) { + while (tries < retry_times) { void *auxerror; const char *newtoken = NULL; + int local_users_only = 0; tries++; @@ -218,8 +213,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, pwquality_free_settings(options.pwq); return PAM_AUTHTOK_ERR; } + pwquality_get_int_value(options.pwq, PWQ_SETTING_LOCAL_USERS, &local_users_only); - if (options.local_users_only && check_local_user (pamh, user) == 0) { + if (local_users_only && check_local_user (pamh, user) == 0) { /* skip the check if a non-local user */ retval = 0; } else { @@ -231,13 +227,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, const char *msg; char buf[PWQ_MAX_ERROR_MESSAGE_LEN]; int enforcing = 1; + int enforce_for_root = 0; + msg = pwquality_strerror(buf, sizeof(buf), retval, auxerror); if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh, LOG_DEBUG, "bad password: %s", msg); pam_error(pamh, _("BAD PASSWORD: %s"), msg); pwquality_get_int_value(options.pwq, PWQ_SETTING_ENFORCING, &enforcing); + pwquality_get_int_value(options.pwq, PWQ_SETTING_ENFORCE_ROOT, &enforce_for_root); - if (enforcing && (getuid() || options.enforce_for_root || + if (enforcing && (getuid() || enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))) { pam_set_item(pamh, PAM_AUTHTOK, NULL); retval = PAM_AUTHTOK_ERR; @@ -271,7 +270,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, /* if we have only one try, we can use the real reason, * else say that there were too many tries. */ - if (options.retry_times > 1) + if (retry_times > 1) return PAM_MAXTRIES; else return PAM_AUTHTOK_ERR; |