-rw-r--r--recipes-core/images/mlinux-factory-image.bb4
-rw-r--r--recipes-core/images/mlinux-mtcap-image.bb4
-rw-r--r--recipes-support/libpwquality/files/pam.configure13
-rw-r--r--recipes-support/libpwquality/files/pwquality_conf.patch65
-rw-r--r--recipes-support/libpwquality/libpwquality_1.3.0.bb53
5 files changed, 138 insertions, 1 deletions
diff --git a/recipes-core/images/mlinux-factory-image.bb b/recipes-core/images/mlinux-factory-image.bb
index 4acd69b..55fbc37 100644
--- a/recipes-core/images/mlinux-factory-image.bb
+++ b/recipes-core/images/mlinux-factory-image.bb
@@ -2,6 +2,10 @@
require mlinux-base-image.bb
DESCRIPTION = "mLinux factory image"
+# For now we don't put this in MTR or AEP
+# Password restrictions library from Redhat
+IMAGE_INSTALL += "libpwquality"
+
LIGHTTPD = "lighttpd \
lighttpd-module-cgi lighttpd-module-indexfile \
lighttpd-module-redirect lighttpd-module-auth \
diff --git a/recipes-core/images/mlinux-mtcap-image.bb b/recipes-core/images/mlinux-mtcap-image.bb
index b1b5df1..b1dd899 100644
--- a/recipes-core/images/mlinux-mtcap-image.bb
+++ b/recipes-core/images/mlinux-mtcap-image.bb
@@ -2,6 +2,10 @@ DESCRIPTION = "mLinux Conduit Access Point image"
require mlinux-minimal-image.bb
+# For now we don't put this in MTR or AEP
+# Password restrictions library from Redhat
+IMAGE_INSTALL += "libpwquality"
+
FILESYSTEM_FEATURES = "dosfstools \
cifs-utils \
lsof \
diff --git a/recipes-support/libpwquality/files/pam.configure b/recipes-support/libpwquality/files/pam.configure
new file mode 100644
index 0000000..1506d4f
--- /dev/null
+++ b/recipes-support/libpwquality/files/pam.configure
@@ -0,0 +1,13 @@
+diff -Naru orig/etc/pam.d/common-password new/etc/pam.d/common-password
+--- orig/etc/pam.d/common-password 2018-04-25 10:26:55.805688250 -0500
++++ new/etc/pam.d/common-password 2018-04-25 10:27:48.041686704 -0500
+@@ -16,7 +16,8 @@
+ # See the pam_unix manpage for other options.
+
+ # here are the per-package modules (the "Primary" block)
+-password [success=1 default=ignore] pam_unix.so obscure sha512
++password requisite pam_pwquality.so retry=3
++password [success=1 default=ignore] pam_unix.so obscure use_authok try_frist_pass sha512
+ # here's the fallback if no module succeeds
+ password requisite pam_deny.so
+ # prime the stack with a positive return value if there isn't one already;
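Review bot: Two option names on the added pam_unix line are misspelled: `use_authok` and `try_frist_pass` are not pam_unix options, the intended ones being `use_authtok` and `try_first_pass`. pam_unix logs and ignores arguments it does not recognise, so this line does not force it to take the password that pam_pwquality already checked. Depending on the libpam version, it may prompt again and accept a password that was never quality-checked. The line should read `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`.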
diff --git a/recipes-support/libpwquality/files/pwquality_conf.patch b/recipes-support/libpwquality/files/pwquality_conf.patch
new file mode 100644
index 0000000..12074ce
--- /dev/null
+++ b/recipes-support/libpwquality/files/pwquality_conf.patch
@@ -0,0 +1,65 @@
+diff -Naru orig/src/pwquality.conf new/src/pwquality.conf
+--- orig/src/pwquality.conf 2018-04-25 09:22:11.713803238 -0500
++++ new/src/pwquality.conf 2018-04-25 09:37:00.997776911 -0500
+@@ -1,41 +1,51 @@
++# Original values are commented out. Minimum password length can be six
++# characters with this configuration if there is enough complexity.
++#
+ # Configuration for systemwide password quality limits
+-# Defaults:
+ #
+ # Number of characters in the new password that must not be present in the
+ # old password.
+ # difok = 1
++difok = 6
+ #
+ # Minimum acceptable size for the new password (plus one if
+ # credits are not disabled which is the default). (See pam_cracklib manual.)
+ # Cannot be set to lower value than 6.
+ # minlen = 8
++minlen = 10
+ #
+ # The maximum credit for having digits in the new password. If less than 0
+ # it is the minimum number of digits in the new password.
+ # dcredit = 0
++dcredit = 1
+ #
+ # The maximum credit for having uppercase characters in the new password.
+ # If less than 0 it is the minimum number of uppercase characters in the new
+ # password.
+ # ucredit = 0
++ucredit = 1
+ #
+ # The maximum credit for having lowercase characters in the new password.
+ # If less than 0 it is the minimum number of lowercase characters in the new
+ # password.
+ # lcredit = 0
++lcredit = 1
+ #
+ # The maximum credit for having other characters in the new password.
+ # If less than 0 it is the minimum number of other characters in the new
+ # password.
+-# ocredit = 0
++# lcredit = 0
++ocredit = 1
+ #
+ # The minimum number of required classes of characters for the new
+ # password (digits, uppercase, lowercase, others).
+ # minclass = 0
++minclass = 3
+ #
+ # The maximum number of allowed consecutive same characters in the new password.
+ # The check is disabled if the value is 0.
+ # maxrepeat = 0
++maxrepeat = 2
+ #
+ # The maximum number of allowed consecutive characters of the same class in the
+ # new password.
+@@ -45,6 +55,7 @@
+ # Whether to check for the words from the passwd entry GECOS string of the user.
+ # The check is enabled if the value is not 0.
+ # gecoscheck = 0
++gecoscheck = 1
+ #
+ # Path to the cracklib dictionaries. Default is to use the cracklib default.
+ # dictpath =
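Review bot: The commented-out original above `ocredit = 1` now reads `# lcredit = 0`, so the file no longer records which default the new value replaces; keep `# ocredit = 0` there. On the policy itself, each positive `dcredit`/`ucredit`/`lcredit`/`ocredit` value counts one character class toward `minlen = 10`, which is why the header comment says a six-character password can pass. If ten characters are meant as a real floor, set the credits to `0`, or to negative values to require each class outright.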
diff --git a/recipes-support/libpwquality/libpwquality_1.3.0.bb b/recipes-support/libpwquality/libpwquality_1.3.0.bb
index b98b57b..e5179c9 100644
--- a/recipes-support/libpwquality/libpwquality_1.3.0.bb
+++ b/recipes-support/libpwquality/libpwquality_1.3.0.bb
@@ -3,13 +3,17 @@ HOMEPAGE = "https://launchpad.net/libpwquality"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bd2f1386df813a459a0c34fde676fc2"
-SRC_URI = "https://launchpad.net/${BPN}/trunk/${PV}/+download/${BPN}-${PV}.tar.bz2"
+SRC_URI = "https://launchpad.net/${BPN}/trunk/${PV}/+download/${BPN}-${PV}.tar.bz2 \
+ file://pwquality_conf.patch \
+ file://pam.configure \
+ "
SRC_URI[md5sum] = "2a3d4ba1d11b52b4f6a7f39622ebf736"
SRC_URI[sha256sum] = "74d2ea90e103323c1f2d6a6cc9617cdae6877573eddb31aaf31a40f354cc2d2a"
inherit autotools-brokensep pkgconfig gettext pythonnative
DEPENDS = "zlib cracklib libpam python"
+RDEPENDS_${PN} = "libpam-runtime"
EXTRA_OECONF = " \
--with-python-binary=${PYTHON} \
@@ -32,11 +36,15 @@ do_install() {
export BUILD_SYS=${BUILD_SYS}
export HOST_SYS=${HOST_SYS}
autotools_do_install
+ install -d -m755 ${D}/${datadir_native}/${PN}
+ install ${WORKDIR}/pam.configure ${D}/${datadir_native}/${PN}
}
FILES_${PN} += " \
${base_libdir}/security/*.so \
+ ${datadir_native}/ \
"
+CONFFILES_${PN} += "${sysconfdir}"
PACKAGE_BEFORE_PN += "${PN}-python"
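Review bot: The added `install ${WORKDIR}/pam.configure ...` has no `-m`, so the patch file is installed with install's default mode 0755, although it is data; use `install -m 0644 ${WORKDIR}/pam.configure ${D}${datadir}/${PN}`. The path is built from `${datadir_native}`, the build-host data directory, where `${datadir}` is the variable for a target package; the same substitution would be needed in `FILES_${PN}` and in the two package scripts. `CONFFILES_${PN} += "${sysconfdir}"` names the whole directory rather than the configuration file this package ships (presumably `${sysconfdir}/security/pwquality.conf`), so confirm that the packaging backend accepts a directory there. do_install starts outside this hunk.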
@@ -58,3 +66,46 @@ FILES_${PN}-dbg += "\
${PYTHON_SITEPACKAGES_DIR}/.debug \
${base_libdir}/security/.debug \
"
+
+# The postinstall installs libpwquality into PAM.
+# The prerm removes libpwquatlity from PAM.
+# The file we change is /etc/pam.d/common-password,
+# which is a configuration file for libpam-runtime.
+# We ignore failures in the post-install and pre-remove.
+# so if the patch does not apply, pam will not use us.
+pkg_postinst_${PN}() {
+ PAM_CONFIGURE="/${datadir_native}/${PN}/pam.configure"
+ if [[ -n $D ]] ; then
+ LOG='printf %s\n'
+ PAM_CONFIGURE="$D${PAM_CONFIGURE}"
+ cd $D
+ else
+ LOG="logger -s -p user.info -t opkg\ libpwquality"
+ cd /
+ fi
+ logsave=$(patch -p1 -N < "$PAM_CONFIGURE" 2>&1 || true)
+ if [[ -n ${logsave} ]] ; then
+ ${LOG} "In directory $(pwd)"
+ ${LOG} "patch -p1 -N < $PAM_CONFIGURE"
+ ${LOG} "${PN} patch: ${logsave}"
+
+ fi
+}
+
+pkg_prerm_${PN}() {
+ PAM_CONFIGURE="/${datadir_native}/${PN}/pam.configure"
+ if [[ -n $D ]] ; then
+ LOG='printf %s\n'
+ PAM_CONFIGURE="$D${PAM_CONFIGURE}"
+ cd $D
+ else
+ LOG="logger -s -p user.info -t opkg\ libpwquality"
+ cd /
+ fi
+ logsave=$(patch -p1 -R < "$PAM_CONFIGURE" 2>&1 || true)
+ if [[ -n ${logsave} ]] ; then
+ ${LOG} "In directory $(pwd)"
+ ${LOG} "patch -p1 -R < "$PAM_CONFIGURE""
+ ${LOG} "${PN} remove patch: ${logsave}"
+ fi
+}
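Review bot: A patch that fails to apply in `pkg_postinst_${PN}` leaves the image without password-quality enforcement and reports it only at `user.info`, because `|| true` discards the exit status. Since this is a security control, check the result explicitly, for example `grep -q pam_pwquality.so etc/pam.d/common-password || ${LOG} "${PN}: pam_pwquality not enabled"`, and log that case at a higher priority. In both scripts `LOG="logger -s -p user.info -t opkg\ libpwquality"` does not keep the tag together: the backslash stays literal after the unquoted `${LOG}` expansion, so logger receives the tag `opkg\` and `libpwquality` becomes part of the message. A tag without a space, such as `opkg-libpwquality`, avoids this. The scripts also use `[[ ]]` and call `patch` on the target, so they presumably rely on the target's /bin/sh supporting that syntax and on a patch utility being installed; neither is listed in `RDEPENDS_${PN}`.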