-rw-r--r-- | recipes-core/images/mlinux-factory-image.bb | 4 | ||||
-rw-r--r-- | recipes-core/images/mlinux-mtcap-image.bb | 4 | ||||
-rw-r--r-- | recipes-support/libpwquality/files/pam.configure | 13 | ||||
-rw-r--r-- | recipes-support/libpwquality/files/pwquality_conf.patch | 65 | ||||
-rw-r--r-- | recipes-support/libpwquality/libpwquality_1.3.0.bb | 53 |
5 files changed, 138 insertions, 1 deletions
diff --git a/recipes-core/images/mlinux-factory-image.bb b/recipes-core/images/mlinux-factory-image.bb
index 4acd69b..55fbc37 100644
--- a/recipes-core/images/mlinux-factory-image.bb
+++ b/recipes-core/images/mlinux-factory-image.bb
@@ -2,6 +2,10 @@ require mlinux-base-image.bb
 DESCRIPTION = "mLinux factory image"
+# For now we don't put this in MTR or AEP
+# Password restrictions library from Redhat
+IMAGE_INSTALL += "libpwquality"
+
 LIGHTTPD = "lighttpd \
 lighttpd-module-cgi lighttpd-module-indexfile \
 lighttpd-module-redirect lighttpd-module-auth \
diff --git a/recipes-core/images/mlinux-mtcap-image.bb b/recipes-core/images/mlinux-mtcap-image.bb
index b1b5df1..b1dd899 100644
--- a/recipes-core/images/mlinux-mtcap-image.bb
+++ b/recipes-core/images/mlinux-mtcap-image.bb
@@ -2,6 +2,10 @@ DESCRIPTION = "mLinux Conduit Access Point image"
 require mlinux-minimal-image.bb
+# For now we don't put this in MTR or AEP
+# Password restrictions library from Redhat
+IMAGE_INSTALL += "libpwquality"
+
 FILESYSTEM_FEATURES = "dosfstools \
 cifs-utils \
 lsof \
diff --git a/recipes-support/libpwquality/files/pam.configure b/recipes-support/libpwquality/files/pam.configure
new file mode 100644
index 0000000..1506d4f
--- /dev/null
+++ b/recipes-support/libpwquality/files/pam.configure
@@ -0,0 +1,13 @@
+diff -Naru orig/etc/pam.d/common-password new/etc/pam.d/common-password
+--- orig/etc/pam.d/common-password 2018-04-25 10:26:55.805688250 -0500
++++ new/etc/pam.d/common-password 2018-04-25 10:27:48.041686704 -0500
+@@ -16,7 +16,8 @@
+ # See the pam_unix manpage for other options.
+ 
+ # here are the per-package modules (the "Primary" block)
+-password [success=1 default=ignore] pam_unix.so obscure sha512
++password requisite pam_pwquality.so retry=3
++password [success=1 default=ignore] pam_unix.so obscure use_authok try_frist_pass sha512
+ # here's the fallback if no module succeeds
+ password requisite pam_deny.so
+ # prime the stack with a positive return value if there isn't one already;
diff --git a/recipes-support/libpwquality/files/pwquality_conf.patch b/recipes-support/libpwquality/files/pwquality_conf.patch
new file mode 100644
index 0000000..12074ce
--- /dev/null
+++ b/recipes-support/libpwquality/files/pwquality_conf.patch
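Review bot: Two option names on the new pam_unix line are misspelled: `use_authok` should be `use_authtok` and `try_frist_pass` should be `try_first_pass`. As written, pam_unix will presumably treat both as unknown options and ignore them, so instead of taking the token that pam_pwquality just checked it prompts for a new password on its own; the password that actually gets stored is then never validated against the quality rules, which defeats the purpose of stacking pam_pwquality first. The corrected line is `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`. If the policy is also meant to bind root, note that pam_pwquality only warns root by default and needs `enforce_for_root` on its line to reject root's weak passwords.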
@@ -0,0 +1,65 @@
+diff -Naru orig/src/pwquality.conf new/src/pwquality.conf
+--- orig/src/pwquality.conf 2018-04-25 09:22:11.713803238 -0500
++++ new/src/pwquality.conf 2018-04-25 09:37:00.997776911 -0500
+@@ -1,41 +1,51 @@
++# Original values are commented out. Minimum password length can be six
++# characters with this configuration if there is enough complexity.
++#
+ # Configuration for systemwide password quality limits
+-# Defaults:
+ #
+ # Number of characters in the new password that must not be present in the
+ # old password.
+ # difok = 1
++difok = 6
+ #
+ # Minimum acceptable size for the new password (plus one if
+ # credits are not disabled which is the default). (See pam_cracklib manual.)
+ # Cannot be set to lower value than 6.
+ # minlen = 8
++minlen = 10
+ #
+ # The maximum credit for having digits in the new password. If less than 0
+ # it is the minimum number of digits in the new password.
+ # dcredit = 0
++dcredit = 1
+ #
+ # The maximum credit for having uppercase characters in the new password.
+ # If less than 0 it is the minimum number of uppercase characters in the new
+ # password.
+ # ucredit = 0
++ucredit = 1
+ #
+ # The maximum credit for having lowercase characters in the new password.
+ # If less than 0 it is the minimum number of lowercase characters in the new
+ # password.
+ # lcredit = 0
++lcredit = 1
+ #
+ # The maximum credit for having other characters in the new password.
+ # If less than 0 it is the minimum number of other characters in the new
+ # password.
+-# ocredit = 0
++# lcredit = 0
++ocredit = 1
+ #
+ # The minimum number of required classes of characters for the new
+ # password (digits, uppercase, lowercase, others).
+ # minclass = 0
++minclass = 3
+ #
+ # The maximum number of allowed consecutive same characters in the new password.
+ # The check is disabled if the value is 0.
+ # maxrepeat = 0
++maxrepeat = 2
+ #
+ # The maximum number of allowed consecutive characters of the same class in the
+ # new password.
+@@ -45,6 +55,7 @@
+ # Whether to check for the words from the passwd entry GECOS string of the user.
+ # The check is enabled if the value is not 0.
+ # gecoscheck = 0
++gecoscheck = 1
+ #
+ # Path to the cracklib dictionaries. Default is to use the cracklib default.
+ # dictpath =
diff --git a/recipes-support/libpwquality/libpwquality_1.3.0.bb b/recipes-support/libpwquality/libpwquality_1.3.0.bb
index b98b57b..e5179c9 100644
--- a/recipes-support/libpwquality/libpwquality_1.3.0.bb
+++ b/recipes-support/libpwquality/libpwquality_1.3.0.bb
@@ -3,13 +3,17 @@ HOMEPAGE = "https://launchpad.net/libpwquality"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bd2f1386df813a459a0c34fde676fc2"
-SRC_URI = "https://launchpad.net/${BPN}/trunk/${PV}/+download/${BPN}-${PV}.tar.bz2"
+SRC_URI = "https://launchpad.net/${BPN}/trunk/${PV}/+download/${BPN}-${PV}.tar.bz2 \
+ file://pwquality_conf.patch \
+ file://pam.configure \
+ "
 SRC_URI[md5sum] = "2a3d4ba1d11b52b4f6a7f39622ebf736"
 SRC_URI[sha256sum] = "74d2ea90e103323c1f2d6a6cc9617cdae6877573eddb31aaf31a40f354cc2d2a"
 inherit autotools-brokensep pkgconfig gettext pythonnative
 DEPENDS = "zlib cracklib libpam python"
+RDEPENDS_${PN} = "libpam-runtime"
 EXTRA_OECONF = " \
 --with-python-binary=${PYTHON} \
@@ -32,11 +36,15 @@ do_install() {
 export BUILD_SYS=${BUILD_SYS}
 export HOST_SYS=${HOST_SYS}
 autotools_do_install
+ install -d -m755 ${D}/${datadir_native}/${PN}
+ install ${WORKDIR}/pam.configure ${D}/${datadir_native}/${PN}
 }
 FILES_${PN} += " \
 ${base_libdir}/security/*.so \
+ ${datadir_native}/ \
 "
+CONFFILES_${PN} += "${sysconfdir}"
 PACKAGE_BEFORE_PN += "${PN}-python"
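Review bot: The comment line directly above `ocredit = 1` was changed from `-# ocredit = 0` to `+# lcredit = 0`, so the file now documents the original default of the wrong setting (lcredit is already covered four lines up); restore it to `# ocredit = 0`. It is also worth saying in the new header comment how the numbers combine, since as I read the credit semantics all four credits being +1 means no single character class is mandatory by itself: `minclass = 3` is what actually forces diversity, and `minlen = 10` less up to four credits is where the six-character floor the header mentions comes from, e.g. `# Four +1 credits reduce minlen = 10 to an effective 6; minclass = 3 still requires three classes.` Whoever tunes these later should not lower minclass without also revisiting the credits.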
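Review bot: `RDEPENDS_${PN} = "libpam-runtime"` omits `patch`, yet the pkg_postinst/pkg_prerm added at the end of this diff run `patch -p1` against /etc/pam.d/common-password. When the package is installed or removed on a running device (the no-`$D` branch) the patch utility has to exist on the target, and because those scripts swallow every failure with `|| true`, a missing binary would silently leave PAM without pam_pwquality while the package reports success. Suggest `RDEPENDS_${PN} = "libpam-runtime patch"`.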
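Review bot: The new do_install lines and the FILES entry use `${datadir_native}`, the data-directory variable for native (build-host) packages; for a path inside the target image the conventional variable is `${datadir}`, and `${D}/${datadir_native}` also doubles the slash because the variable already starts with `/`. The second install gives no mode, so pam.configure lands with install's executable default; suggest `install -d -m755 ${D}${datadir}/${PN}` and `install -m644 ${WORKDIR}/pam.configure ${D}${datadir}/${PN}`, and `${datadir}/${PN}/` rather than the whole `${datadir_native}/` tree in FILES_${PN}. `CONFFILES_${PN} += "${sysconfdir}"` names a directory; unless the package class in use expands directories there, the configuration file libpwquality installs under /etc will not be protected as a conffile on upgrade, so the unambiguous entry is the file path itself (presumably `${sysconfdir}/security/pwquality.conf`, to be confirmed against the installed tree). The same `${datadir_native}` path is hard-coded again in the pkg_postinst/pkg_prerm hunk that follows and would need the same change.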
@@ -58,3 +66,46 @@ FILES_${PN}-dbg += "\
 ${PYTHON_SITEPACKAGES_DIR}/.debug \
 ${base_libdir}/security/.debug \
 "
+
+# The postinstall installs libpwquality into PAM.
+# The prerm removes libpwquatlity from PAM.
+# The file we change is /etc/pam.d/common-password,
+# which is a configuration file for libpam-runtime.
+# We ignore failures in the post-install and pre-remove.
+# so if the patch does not apply, pam will not use us.
+pkg_postinst_${PN}() {
+ PAM_CONFIGURE="/${datadir_native}/${PN}/pam.configure"
+ if [[ -n $D ]] ; then
+ LOG='printf %s\n'
+ PAM_CONFIGURE="$D${PAM_CONFIGURE}"
+ cd $D
+ else
+ LOG="logger -s -p user.info -t opkg\ libpwquality"
+ cd /
+ fi
+ logsave=$(patch -p1 -N < "$PAM_CONFIGURE" 2>&1 || true)
+ if [[ -n ${logsave} ]] ; then
+ ${LOG} "In directory $(pwd)"
+ ${LOG} "patch -p1 -N < $PAM_CONFIGURE"
+ ${LOG} "${PN} patch: ${logsave}"
+
+ fi
+}
+
+pkg_prerm_${PN}() {
+ PAM_CONFIGURE="/${datadir_native}/${PN}/pam.configure"
+ if [[ -n $D ]] ; then
+ LOG='printf %s\n'
+ PAM_CONFIGURE="$D${PAM_CONFIGURE}"
+ cd $D
+ else
+ LOG="logger -s -p user.info -t opkg\ libpwquality"
+ cd /
+ fi
+ logsave=$(patch -p1 -R < "$PAM_CONFIGURE" 2>&1 || true)
+ if [[ -n ${logsave} ]] ; then
+ ${LOG} "In directory $(pwd)"
+ ${LOG} "patch -p1 -R < "$PAM_CONFIGURE""
+ ${LOG} "${PN} remove patch: ${logsave}"
+ fi
+} |
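Review bot: `LOG="logger -s -p user.info -t opkg\ libpwquality"` does not yield the tag it appears to: inside double quotes the backslash is kept literally, and when `${LOG}` is later expanded unquoted the shell word-splits on the space without interpreting the backslash, so logger gets `-t 'opkg\'` and `libpwquality` becomes the first word of every message (same line in both functions); a tag without whitespace, `LOG="logger -s -p user.info -t opkg-libpwquality"`, avoids it. Both scripts also use `[[ ... ]]`, which is not POSIX; if the target's /bin/sh is not bash-compatible the tests fail and the surrounding `|| true` hides that, so `if [ -n "$D" ] ; then` and `if [ -n "${logsave}" ] ; then` are the safer spellings. Because every `patch` failure is swallowed, an image whose common-password could not be patched ships with no password-quality enforcement and nothing in the build reports it; consider keeping the exit status of patch and returning it in the `$D` (rootfs-build) branch so the image build surfaces that case, leaving the on-device path best-effort as the comment intends. The prerm's `${LOG} "patch -p1 -R < "$PAM_CONFIGURE""` also has mismatched quoting compared with the postinst's equivalent message. The rewritten postinst lines:
```bitbake
pkg_postinst_${PN}() {
    PAM_CONFIGURE="/${datadir_native}/${PN}/pam.configure"
    if [ -n "$D" ] ; then
        LOG='printf %s\n'
        PAM_CONFIGURE="$D${PAM_CONFIGURE}"
        cd $D
    else
        # the tag must not contain whitespace: ${LOG} is word-split when expanded
        LOG="logger -s -p user.info -t opkg-libpwquality"
        cd /
    fi
    logsave=$(patch -p1 -N < "$PAM_CONFIGURE" 2>&1 || true)
    if [ -n "${logsave}" ] ; then
        # … unchanged: the three ${LOG} lines …
    fi
}
# … pkg_prerm_${PN}: the same two changes, with -R …
```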