Diffstat (limited to 'recipes-support/libpwquality/files')
-rw-r--r--recipes-support/libpwquality/files/pam.configure13
-rw-r--r--recipes-support/libpwquality/files/pwquality_conf.patch65
2 files changed, 78 insertions, 0 deletions
diff --git a/recipes-support/libpwquality/files/pam.configure b/recipes-support/libpwquality/files/pam.configure
new file mode 100644
index 0000000..1506d4f
--- /dev/null
+++ b/recipes-support/libpwquality/files/pam.configure
@@ -0,0 +1,13 @@
+diff -Naru orig/etc/pam.d/common-password new/etc/pam.d/common-password
+--- orig/etc/pam.d/common-password 2018-04-25 10:26:55.805688250 -0500
++++ new/etc/pam.d/common-password 2018-04-25 10:27:48.041686704 -0500
+@@ -16,7 +16,8 @@
+ # See the pam_unix manpage for other options.
+
+ # here are the per-package modules (the "Primary" block)
+-password [success=1 default=ignore] pam_unix.so obscure sha512
++password requisite pam_pwquality.so retry=3
++password [success=1 default=ignore] pam_unix.so obscure use_authok try_frist_pass sha512
+ # here's the fallback if no module succeeds
+ password requisite pam_deny.so
+ # prime the stack with a positive return value if there isn't one already;
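Review bot: The options `use_authok` and `try_frist_pass` on the added pam_unix.so line are misspelled, so pam_unix will not recognise them; it will most likely log an unknown-option warning and carry on without them. Without a working `use_authtok`, pam_unix is not bound to the password that pam_pwquality.so just vetted. Depending on the Linux-PAM version it may prompt for a new password itself, in which case a password that never passed the quality check could be set. The line should read `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`. After fixing it, run a test password change on the image and check the auth log for remaining unknown-option messages.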
diff --git a/recipes-support/libpwquality/files/pwquality_conf.patch b/recipes-support/libpwquality/files/pwquality_conf.patch
new file mode 100644
index 0000000..12074ce
--- /dev/null
+++ b/recipes-support/libpwquality/files/pwquality_conf.patch
@@ -0,0 +1,65 @@
+diff -Naru orig/src/pwquality.conf new/src/pwquality.conf
+--- orig/src/pwquality.conf 2018-04-25 09:22:11.713803238 -0500
++++ new/src/pwquality.conf 2018-04-25 09:37:00.997776911 -0500
+@@ -1,41 +1,51 @@
++# Original values are commented out. Minimum password length can be six
++# characters with this configuration if there is enough complexity.
++#
+ # Configuration for systemwide password quality limits
+-# Defaults:
+ #
+ # Number of characters in the new password that must not be present in the
+ # old password.
+ # difok = 1
++difok = 6
+ #
+ # Minimum acceptable size for the new password (plus one if
+ # credits are not disabled which is the default). (See pam_cracklib manual.)
+ # Cannot be set to lower value than 6.
+ # minlen = 8
++minlen = 10
+ #
+ # The maximum credit for having digits in the new password. If less than 0
+ # it is the minimum number of digits in the new password.
+ # dcredit = 0
++dcredit = 1
+ #
+ # The maximum credit for having uppercase characters in the new password.
+ # If less than 0 it is the minimum number of uppercase characters in the new
+ # password.
+ # ucredit = 0
++ucredit = 1
+ #
+ # The maximum credit for having lowercase characters in the new password.
+ # If less than 0 it is the minimum number of lowercase characters in the new
+ # password.
+ # lcredit = 0
++lcredit = 1
+ #
+ # The maximum credit for having other characters in the new password.
+ # If less than 0 it is the minimum number of other characters in the new
+ # password.
+-# ocredit = 0
++# lcredit = 0
++ocredit = 1
+ #
+ # The minimum number of required classes of characters for the new
+ # password (digits, uppercase, lowercase, others).
+ # minclass = 0
++minclass = 3
+ #
+ # The maximum number of allowed consecutive same characters in the new password.
+ # The check is disabled if the value is 0.
+ # maxrepeat = 0
++maxrepeat = 2
+ #
+ # The maximum number of allowed consecutive characters of the same class in the
+ # new password.
+@@ -45,6 +55,7 @@
+ # Whether to check for the words from the passwd entry GECOS string of the user.
+ # The check is enabled if the value is not 0.
+ # gecoscheck = 0
++gecoscheck = 1
+ #
+ # Path to the cracklib dictionaries. Default is to use the cracklib default.
+ # dictpath =
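Review bot: With `dcredit`, `ucredit`, `lcredit` and `ocredit` all set to `1`, each character class present counts as one extra character towards `minlen = 10`, so a six-character password is accepted, as the header comment added here acknowledges. Since `minclass = 3` already enforces variety, setting the four credits to `0` would keep ten characters as a real floor; negative values would instead make each class mandatory. Separately, the inner hunk replaces the commented default `# ocredit = 0` with `# lcredit = 0` under the "other characters" paragraph, which mislabels the original value. That line should stay `# ocredit = 0`.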