Diffstat (limited to 'recipes-support/libpwquality/files')
-rw-r--r-- | recipes-support/libpwquality/files/pam.configure | 13 | ||||
-rw-r--r-- | recipes-support/libpwquality/files/pwquality_conf.patch | 65 |
2 files changed, 78 insertions, 0 deletions
diff --git a/recipes-support/libpwquality/files/pam.configure b/recipes-support/libpwquality/files/pam.configure
new file mode 100644
index 0000000..1506d4f
--- /dev/null
+++ b/recipes-support/libpwquality/files/pam.configure
@@ -0,0 +1,13 @@
+diff -Naru orig/etc/pam.d/common-password new/etc/pam.d/common-password
+--- orig/etc/pam.d/common-password 2018-04-25 10:26:55.805688250 -0500
++++ new/etc/pam.d/common-password 2018-04-25 10:27:48.041686704 -0500
+@@ -16,7 +16,8 @@
+ # See the pam_unix manpage for other options.
+
+ # here are the per-package modules (the "Primary" block)
+-password [success=1 default=ignore] pam_unix.so obscure sha512
++password requisite pam_pwquality.so retry=3
++password [success=1 default=ignore] pam_unix.so obscure use_authok try_frist_pass sha512
+ # here's the fallback if no module succeeds
+ password requisite pam_deny.so
+ # prime the stack with a positive return value if there isn't one already;
diff --git a/recipes-support/libpwquality/files/pwquality_conf.patch b/recipes-support/libpwquality/files/pwquality_conf.patch
new file mode 100644
index 0000000..12074ce
--- /dev/null
+++ b/recipes-support/libpwquality/files/pwquality_conf.patch
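Review bot: In pam.configure, the added pam_unix.so line misspells two options as `use_authok` and `try_frist_pass`; pam_unix knows them as `use_authtok` and `try_first_pass`, so as written neither is recognised. Without `use_authtok`, pam_unix is not bound to the new password that pam_pwquality.so just checked, and depending on the Linux-PAM version it may prompt again and store a password that never went through the quality check. The line should read `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`. An unrecognised-option message logged by pam_unix during a password change would show that the typo is still deployed.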
@@ -0,0 +1,65 @@
+diff -Naru orig/src/pwquality.conf new/src/pwquality.conf
+--- orig/src/pwquality.conf 2018-04-25 09:22:11.713803238 -0500
++++ new/src/pwquality.conf 2018-04-25 09:37:00.997776911 -0500
+@@ -1,41 +1,51 @@
++# Original values are commented out. Minimum password length can be six
++# characters with this configuration if there is enough complexity.
++#
+ # Configuration for systemwide password quality limits
+-# Defaults:
+ #
+ # Number of characters in the new password that must not be present in the
+ # old password.
+ # difok = 1
++difok = 6
+ #
+ # Minimum acceptable size for the new password (plus one if
+ # credits are not disabled which is the default). (See pam_cracklib manual.)
+ # Cannot be set to lower value than 6.
+ # minlen = 8
++minlen = 10
+ #
+ # The maximum credit for having digits in the new password. If less than 0
+ # it is the minimum number of digits in the new password.
+ # dcredit = 0
++dcredit = 1
+ #
+ # The maximum credit for having uppercase characters in the new password.
+ # If less than 0 it is the minimum number of uppercase characters in the new
+ # password.
+ # ucredit = 0
++ucredit = 1
+ #
+ # The maximum credit for having lowercase characters in the new password.
+ # If less than 0 it is the minimum number of lowercase characters in the new
+ # password.
+ # lcredit = 0
++lcredit = 1
+ #
+ # The maximum credit for having other characters in the new password.
+ # If less than 0 it is the minimum number of other characters in the new
+ # password.
+-# ocredit = 0
++# lcredit = 0
++ocredit = 1
+ #
+ # The minimum number of required classes of characters for the new
+ # password (digits, uppercase, lowercase, others).
+ # minclass = 0
++minclass = 3
+ #
+ # The maximum number of allowed consecutive same characters in the new password.
+ # The check is disabled if the value is 0.
+ # maxrepeat = 0
++maxrepeat = 2
+ #
+ # The maximum number of allowed consecutive characters of the same class in the
+ # new password.
+@@ -45,6 +55,7 @@
+ # Whether to check for the words from the passwd entry GECOS string of the user.
+ # The check is enabled if the value is not 0.
+ # gecoscheck = 0
++gecoscheck = 1
+ #
+ # Path to the cracklib dictionaries. Default is to use the cracklib default.
+ # dictpath = |
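Review bot: The four positive credits (`dcredit`, `ucredit`, `lcredit`, `ocredit`, each `= 1`) count as one character apiece toward `minlen = 10`, so a six-character password that uses all four classes is accepted, as the new header comment itself says. If ten characters is meant as a real floor, set the four credits to `0` and let `minclass = 3` carry the complexity requirement; negative credit values would instead demand specific classes. Separately, the replaced comment above `ocredit = 1` now reads `# lcredit = 0`, which mislabels the original default and should stay `# ocredit = 0`.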