From 7ae7ed41ad1d32a258fd8ab2c48a0c2920f06db7 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 11 Sep 2023 14:25:48 -0600 Subject: WIP initial set of 1.5.3 patches Just an initial rebase of the patches against 1.5.3. * I'm not sure I handled pam_wheel correctly * I removed most of the generated nroff man page patches; my plan is to add a single patch at the end that includes the nroff manpage updates. --- debian/patches/007_modules_pam_unix | 570 +++++++++++++++++++----------------- 1 file changed, 294 insertions(+), 276 deletions(-) (limited to 'debian/patches/007_modules_pam_unix') diff --git a/debian/patches/007_modules_pam_unix b/debian/patches/007_modules_pam_unix index 218379c0..0158a4db 100644 --- a/debian/patches/007_modules_pam_unix +++ b/debian/patches/007_modules_pam_unix 
@@ -1,224 +1,84 @@ -Index: pam/modules/pam_unix/pam_unix_passwd.c +From: Sam Hartman +Date: Mon, 11 Sep 2023 14:00:42 -0600 +Subject: _modules_pam_unix + =================================================================== ---- pam.orig/modules/pam_unix/pam_unix_passwd.c -+++ pam/modules/pam_unix/pam_unix_passwd.c -@@ -95,6 +95,9 @@ - # endif /* GNU libc 2.1 */ - #endif - -+extern const char *obscure_msg(const char *, const char *, const struct passwd *, -+ unsigned int); -+ - /* - How it works: - Gets in username (has to be done) from the calling program -@@ -593,6 +596,11 @@ - return retval; - } - } -+ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ -+ struct passwd *pwd; -+ pwd = pam_modutil_getpwnam(pamh, user); -+ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ -+ } - } - if (remark) { - _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); -@@ -608,7 +616,7 @@ - int retval; - int remember = -1; - int rounds = 0; -- int pass_min_len = 0; -+ int pass_min_len = 6; +--- + modules/pam_unix/Makefile.am | 2 +- + modules/pam_unix/README | 36 ++++++- + modules/pam_unix/obscure.c | 198 +++++++++++++++++++++++++++++++++++++ + modules/pam_unix/pam_unix.8 | 33 ++++++- + modules/pam_unix/pam_unix.8.xml | 77 ++++++++++++++- + modules/pam_unix/pam_unix_passwd.c | 10 +- + modules/pam_unix/support.h | 78 ++++++++------- + 7 files changed, 389 insertions(+), 45 deletions(-) + create mode 100644 modules/pam_unix/obscure.c + +diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am +index a1dfe44..ddba63c 100644 +--- a/modules/pam_unix/Makefile.am ++++ b/modules/pam_unix/Makefile.am +@@ -43,7 +43,7 @@ noinst_PROGRAMS = bigcrypt - /* */ - const char *user; -Index: pam/modules/pam_unix/support.h -=================================================================== ---- pam.orig/modules/pam_unix/support.h -+++ pam/modules/pam_unix/support.h -@@ -101,50 +101,52 @@ - #define UNIX_GOST_YESCRYPT_PASS 31 /* 
new password hashes will use gost-yescrypt */ - #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ - #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */ -+#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */ - /* -------------- */ --#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */ -+#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */ + pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ +- passverify.c md5_good.c md5_broken.c ++ passverify.c md5_good.c md5_broken.c obscure.c + if HAVE_NIS + pam_unix_la_SOURCES += yppasswd_xdr.c + endif +diff --git a/modules/pam_unix/README b/modules/pam_unix/README +index 67a2d21..be11095 100644 +--- a/modules/pam_unix/README ++++ b/modules/pam_unix/README +@@ -171,8 +171,40 @@ broken_shadow - #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) + minlen=n - static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = - { --/* symbol token name ctrl mask ctrl * -- * --------------------------- -------------------- ------------------------- ---------------- */ -+/* symbol token name ctrl mask ctrl * -+ * --------------------------- -------------------- ------------------------- ------------ */ +- Set a minimum password length of n characters. The max. for DES crypt based +- passwords are 8 characters. ++ Set a minimum password length of n characters. The default value is 6. The ++ maximum for DES crypt-based passwords is 8 characters. ++ ++obscure ++ ++ Enable some extra checks on password strength. These checks are based on ++ the "obscure" checks in the original shadow package. The behavior is ++ similar to the pam_cracklib module, but for non-dictionary-based checks. 
++ The following checks are implemented: ++ ++ Palindrome ++ ++ Verifies that the new password is not a palindrome of (i.e., the ++ reverse of) the previous one. ++ ++ Case Change Only ++ ++ Verifies that the new password isn't the same as the old one with a ++ change of case. ++ ++ Similar ++ ++ Verifies that the new password isn't too much like the previous one. ++ ++ Simple ++ ++ Is the new password too simple? This is based on the length of the ++ password and the number of different types of characters (alpha, ++ numeric, etc.) used. ++ ++ Rotated ++ ++ Is the new password a rotated version of the old password? (E.g., ++ "billy" and "illyb") --/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, --/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, --/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, --/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, --/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0}, --/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0}, --/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, --/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0}, --/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0}, --/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, --/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, --/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, --/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, --/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1}, --/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0}, --/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, --/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, --/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, --/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1}, --/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, --/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, --/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, --/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 
010000000, 0}, --/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1}, --/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1}, --/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, --/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1}, --/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, --/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, --/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, --/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1}, --/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1}, --/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1}, --/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0}, -+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, -+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, -+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, -+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, -+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0}, -+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0}, -+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0}, -+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0}, -+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0}, -+/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, -+/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, -+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, -+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, -+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1}, -+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0}, -+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, -+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, -+/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, -+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1}, -+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, -+/* 
UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, -+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, -+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, -+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1}, -+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1}, -+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, -+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1}, -+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, -+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0}, -+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0}, -+/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1}, -+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1}, -+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1}, -+/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0}, -+/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0}, - }; + no_pass_expiry - #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) -Index: pam/modules/pam_unix/pam_unix.8.xml -=================================================================== ---- pam.orig/modules/pam_unix/pam_unix.8.xml -+++ pam/modules/pam_unix/pam_unix.8.xml -@@ -400,8 +400,81 @@ - - - Set a minimum password length of n -- characters. The max. for DES crypt based passwords are 8 -- characters. -+ characters. The default value is 6. The maximum for DES -+ crypt-based passwords is 8 characters. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Enable some extra checks on password strength. These checks -+ are based on the "obscure" checks in the original shadow -+ package. The behavior is similar to the pam_cracklib -+ module, but for non-dictionary-based checks. The following -+ checks are implemented: -+ -+ -+ -+ -+ -+ -+ -+ Verifies that the new password is not a palindrome -+ of (i.e., the reverse of) the previous one. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Verifies that the new password isn't the same as the -+ old one with a change of case. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Verifies that the new password isn't too much like -+ the previous one. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Is the new password too simple? This is based on -+ the length of the password and the number of -+ different types of characters (alpha, numeric, etc.) -+ used. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Is the new password a rotated version of the old -+ password? (E.g., "billy" and "illyb") -+ -+ -+ -+ - - - -Index: pam/modules/pam_unix/obscure.c -=================================================================== +diff --git a/modules/pam_unix/obscure.c b/modules/pam_unix/obscure.c +new file mode 100644 +index 0000000..2ffac92 --- /dev/null -+++ pam/modules/pam_unix/obscure.c ++++ b/modules/pam_unix/obscure.c @@ -0,0 +1,198 @@ +/* + * Copyright 1989 - 1994, Julianne Frances Haugh 
@@ -418,24 +278,11 @@ Index: pam/modules/pam_unix/obscure.c + + return msg; +} -Index: pam/modules/pam_unix/Makefile.am -=================================================================== ---- pam.orig/modules/pam_unix/Makefile.am -+++ pam/modules/pam_unix/Makefile.am -@@ -39,7 +39,7 @@ - - pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \ - pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ -- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c -+ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c - - bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c - bigcrypt_CFLAGS = $(AM_CFLAGS) -Index: pam/modules/pam_unix/pam_unix.8 -=================================================================== ---- pam.orig/modules/pam_unix/pam_unix.8 -+++ pam/modules/pam_unix/pam_unix.8 -@@ -216,7 +216,38 @@ +diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 +index 438717f..6f5f19b 100644 +--- a/modules/pam_unix/pam_unix.8 ++++ b/modules/pam_unix/pam_unix.8 +@@ -216,7 +216,38 @@ minlen=n .RS 4 Set a minimum password length of \fIn\fR 
@@ -474,51 +321,222 @@ Index: pam/modules/pam_unix/pam_unix.8 +.sp .RE .PP - \fBno_pass_expiry\fR -Index: pam/modules/pam_unix/README -=================================================================== ---- pam.orig/modules/pam_unix/README -+++ pam/modules/pam_unix/README -@@ -171,8 +171,40 @@ - - minlen=n + no_pass_expiry +diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml +index dfc0427..4e63a49 100644 +--- a/modules/pam_unix/pam_unix.8.xml ++++ b/modules/pam_unix/pam_unix.8.xml +@@ -397,8 +397,81 @@ + + + Set a minimum password length of n +- characters. The max. for DES crypt based passwords are 8 +- characters. ++ characters. The default value is 6. The maximum for DES ++ crypt-based passwords is 8 characters. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Enable some extra checks on password strength. These checks ++ are based on the "obscure" checks in the original shadow ++ package. The behavior is similar to the pam_cracklib ++ module, but for non-dictionary-based checks. The following ++ checks are implemented: ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password is not a palindrome ++ of (i.e., the reverse of) the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't the same as the ++ old one with a change of case. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Verifies that the new password isn't too much like ++ the previous one. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password too simple? This is based on ++ the length of the password and the number of ++ different types of characters (alpha, numeric, etc.) ++ used. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Is the new password a rotated version of the old ++ password? 
(E.g., "billy" and "illyb") ++ ++ ++ ++ + + + +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index c341741..652f3c5 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -86,6 +86,9 @@ extern int getrpcport(const char *host, unsigned long prognum, + # endif /* GNU libc 2.1 */ + #endif -- Set a minimum password length of n characters. The max. for DES crypt based -- passwords are 8 characters. -+ Set a minimum password length of n characters. The default value is 6. The -+ maximum for DES crypt-based passwords is 8 characters. -+ -+obscure -+ -+ Enable some extra checks on password strength. These checks are based on -+ the "obscure" checks in the original shadow package. The behavior is -+ similar to the pam_cracklib module, but for non-dictionary-based checks. -+ The following checks are implemented: -+ -+ Palindrome -+ -+ Verifies that the new password is not a palindrome of (i.e., the -+ reverse of) the previous one. -+ -+ Case Change Only -+ -+ Verifies that the new password isn't the same as the old one with a -+ change of case. -+ -+ Similar -+ -+ Verifies that the new password isn't too much like the previous one. -+ -+ Simple -+ -+ Is the new password too simple? This is based on the length of the -+ password and the number of different types of characters (alpha, -+ numeric, etc.) used. -+ -+ Rotated ++extern const char *obscure_msg(const char *, const char *, const struct passwd *, ++ unsigned int); + -+ Is the new password a rotated version of the old password? 
(E.g., -+ "billy" and "illyb") + /* + How it works: + Gets in username (has to be done) from the calling program +@@ -584,6 +587,11 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh + return retval; + } + } ++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */ ++ struct passwd *pwd; ++ pwd = pam_modutil_getpwnam(pamh, user); ++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */ ++ } + } + if (remark) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); +@@ -599,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) + int retval; + int remember = -1; + int rounds = 0; +- int pass_min_len = 0; ++ int pass_min_len = 6; - no_pass_expiry + /* */ + const char *user; +diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h +index 8105400..91e7478 100644 +--- a/modules/pam_unix/support.h ++++ b/modules/pam_unix/support.h +@@ -101,50 +101,52 @@ typedef struct { + #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */ + #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */ + #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */ ++#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */ + /* -------------- */ +-#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)) + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = + { +-/* symbol token name ctrl mask ctrl * +- * --------------------------- -------------------- ------------------------- ---------------- */ +- +-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, +-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, 
+-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0}, +-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0}, +-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, +-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0}, +-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1}, +-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0}, +-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1}, +-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1}, +-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1}, +-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1}, +-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, +-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, +-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, +-/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1}, +-/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1}, +-/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1}, +-/* 
UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0}, ++/* symbol token name ctrl mask ctrl * ++ * --------------------------- -------------------- ------------------------- ------------ */ ++ ++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0}, ++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0}, ++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0}, ++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0}, ++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0}, ++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0}, ++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0}, ++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0}, ++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0}, ++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0}, ++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0}, ++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0}, ++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1}, ++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0}, ++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0}, ++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0}, ++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0}, ++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1}, ++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0}, ++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0}, ++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0}, ++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0}, ++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1}, ++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1}, ++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0}, ++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1}, ++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0}, ++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0}, ++/* UNIX_NO_PASS_EXPIRY */ 
{"no_pass_expiry", _ALL_ON_, 0x10000000, 0}, ++/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1}, ++/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1}, ++/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1}, ++/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0}, ++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0}, + }; + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) -- cgit v1.2.3
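Review bot: The `obscure` entry added to `unix_args` in support.h uses flag `0x100000000` (bit 32), but the new prototype in pam_unix_passwd.c declares the last parameter of `obscure_msg` as `unsigned int`. Where `unsigned int` is 32 bits, that bit is dropped when `ctrl` is passed, so a test for UNIX_OBSCURE_CHECKS inside obscure_msg could never succeed and the strength checks would be skipped silently even with `obscure` configured. The type of `ctrl` and the body of obscure_msg are outside this hunk, so this is inferred from the ULL masks in the table. If it holds, the prototype should read `extern const char *obscure_msg(const char *, const char *, const struct passwd *, unsigned long long);`, with the definition in obscure.c changed to match. Separately, the result of `pam_modutil_getpwnam(pamh, user)` goes straight into the call; unless obscure_msg is known to accept a NULL `pwd`, a failed lookup should be handled explicitly before the call rather than passed through.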