-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Howdy,
I have now uploaded this to DELAYED/7, as specified in the Debian policy[0].
debdiff attached.
[0]:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#how-to-salvage-a-package
~Unit 193
Unit193 @ OFTC
Unit193 @ freenode
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCQAGBQJegSJCAAoJEFAB4bCao3RLsn0QAO2Q04I9Iyt+QWQ8UOfNXjJs
KDFxJyGzOqe5Hlw89evswxG2qUZ/ezM93KNaAlKzwEbYJLd8Pvqewl+PwxnEiFMs
ErQAUq7Jt6RA8i2ML5tWN6umGdTqDbEODI6VFh+Ec7YEO+hznxvHMFjYYvPXxqEE
eIBgBoc0Si1nZl/a8HSP4rqItmtm1PC2ON7Ysl7R/3O+JHL2D0o+b1vq9j+y+ab1
ON+2GNCqkZfy7fCyqchsIuhv4Zu+mPNllJOTsm6XGohQWRDrvzuS9EWIHPvdMVAO
84icTpZcTGnVZrIna8d3w+mQQMLq5bLLf2Yf1cLTq9BfwJ0tjGkjVnuw0nnsSm5P
GNb8IFs8+79Eb2Xp5elSDy01qXSpnXKPrDMlH2KvsLIPc+Op5ukzYYlGBLhvTvSN
K6aYDPNinpqq2o9tfzfvHyTKGEtsDuRmHacLZ9uMZ8QjLEj+sM+O7tjkjtay3DwW
iOYLV6kQIGKrvoJPQZduCzzprN2YFkYwz5C/ZJDuY19NLE2wD4NA2WcLoAnSXy3A
qhQqCFycNqkCVkonojrjUuahC9OURxoClfJ0lN1IwB4bim4R7vhLrfpRwkRxBzf4
SVHXYIBKc0cwneCFChZh60NtKJ4RUNdcO9AdqL9T/IQdnMcgWdPGClRNzXeEpci2
lz4o4YIMXAZATlLlxBvF
=kESX
-----END PGP SIGNATURE-----
diff -Nru passwdqc-1.3.0/concat.c passwdqc-1.4.0/concat.c
--- passwdqc-1.3.0/concat.c 2009-09-28 19:00:19.000000000 -0400
+++ passwdqc-1.4.0/concat.c 2019-12-09 18:00:54.000000000 -0500
@@ -9,11 +9,6 @@
*
* Written by Solar Designer <solar at openwall.com> and placed in the
* public domain.
- *
- * Originally written for and currently maintained as a part of popa3d,
- * a POP3 server:
- *
- * http://www.openwall.com/popa3d/
*/
#include <string.h>
@@ -27,7 +22,7 @@
va_list args;
const char *s;
char *p, *result;
- unsigned long l, m, n;
+ size_t l, m, n;
m = n = strlen(s1);
va_start(args, s1);
diff -Nru passwdqc-1.3.0/debian/changelog passwdqc-1.4.0/debian/changelog
--- passwdqc-1.3.0/debian/changelog 2013-08-29 06:08:00.000000000 -0400
+++ passwdqc-1.4.0/debian/changelog 2020-03-29 18:19:10.000000000 -0400
@@ -1,8 +1,47 @@
+passwdqc (1.4.0-1) unstable; urgency=medium
+
+ * Salvage package into Security Tools team. (Closes: #952662)
+ * Remove trailing whitespace.
+ * New upstream version 1.4.0.
+ - Drop patches applied upstream.
+ - With "non-unix", initialize the pw_dir field in fake_pw now that (since
+ passwdqc 1.1.3 in 2009) passwdqc_check.c uses that field.
+ Closes: #831356
+ - Clarified in the man pages that /etc/passwdqc.conf is not read unless
+ this suggested file location is specified with the config= option.
+ Closes: #774990
+ * d/compat, d/control:
+ - Drop d/compat in favor of debhelper-compat, bump to 12.
+ * d/control:
+ - Mark libpasswdqc-dev Architecture: any.
+ - Mark library packages Multi-Arch: same
+ - Add Samuel Henrique and myself to uploaders.
+ - Tighten libpasswdqc-dev's dependency on libpasswdqc0.
+ - Add Vcs-* fields.
+ - R³: no.
+ * d/control, d/copyright, d/watch: Use https where possible.
+ * d/copyright: Correct a couple license names.
+ * d/lib*.install: Update for multiarch locations.
+ * d/libpam-passwdqc.dirs, d/README.source: Drop.
+ * d/rules:
+ - Remove DH_OPTIONS export.
+ - Trim DEB_LDFLAGS_MAINT_APPEND to '-Wl,--as-needed'
+ - Include /usr/share/dpkg/default.mk
+ - Pack CFLAGS, CPPFLAGS and LDFLAGS into dh_auto_build. (Closes: #724278)
+ - Pack install directories into dh_auto_install.
+ * Include password-strength.txt in debian/ rather than patching it in.
+ * Update Standards-Version to 4.5.0.
+
+ [ Samuel Henrique ]
+ * Add gbp.conf
+
+ -- Unit 193 <unit...@ubuntu.com> Sun, 29 Mar 2020 18:19:10 -0400
+
passwdqc (1.3.0-1) unstable; urgency=low
* Set myself as maintainer. closes: #719106
* Update debian/watch.
- * New upstream release.
+ * New upstream release.
* Update to standards version 3.9.4. closes: #676290
* Generate symbols
@@ -71,5 +110,5 @@
pam-passwdqc (0.7-1) unstable; urgency=low
* Initial packaging for Debian (closes: #138631)
-
+
-- Tollef Fog Heen <tfh...@debian.org> Tue, 24 Sep 2002 17:15:33 +0200
diff -Nru passwdqc-1.3.0/debian/compat passwdqc-1.4.0/debian/compat
--- passwdqc-1.3.0/debian/compat 2013-08-09 21:17:16.000000000 -0400
+++ passwdqc-1.4.0/debian/compat 1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-9
diff -Nru passwdqc-1.3.0/debian/control passwdqc-1.4.0/debian/control
--- passwdqc-1.3.0/debian/control 2013-08-09 22:45:39.000000000 -0400
+++ passwdqc-1.4.0/debian/control 2020-03-24 03:14:14.000000000 -0400
@@ -1,10 +1,15 @@
Source: passwdqc
Section: admin
Priority: optional
-Maintainer: Jackson Doak <nosk...@ubuntu.com>
-Build-Depends: debhelper (>= 9), libpam-dev
-Standards-Version: 3.9.4
-Homepage: http://www.openwall.com/passwdqc/
+Maintainer: Debian Security Tools <team+pkg-secur...@tracker.debian.org>
+Uploaders: Samuel Henrique <samuel...@debian.org>,
+ Unit 193 <unit...@ubuntu.com>
+Build-Depends: debhelper-compat (= 12), libpam-dev
+Rules-Requires-Root: no
+Standards-Version: 4.5.0
+Homepage: https://www.openwall.com/passwdqc/
+Vcs-Browser: https://salsa.debian.org/pkg-security-team/passwdqc
+Vcs-Git: https://salsa.debian.org/pkg-security-team/passwdqc.git
Package: passwdqc
Architecture: any
@@ -21,6 +26,7 @@
Package: libpasswdqc0
Section: libs
Architecture: any
+Multi-Arch: same
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: password strength checking and policy enforcement library
passwdqc is a password/passphrase strength checking and policy enforcement
@@ -32,29 +38,30 @@
Package: libpasswdqc-dev
Section: libdevel
-Architecture: all
-Depends: ${shlibs:Depends}, ${misc:Depends},
- libpasswdqc0 (>= ${binary:Version}), libpasswdqc0 (<<
${source:Upstream-Version}.1~),
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpasswdqc0 (= ${binary:Version})
Description: password checking and policy enforcement library (devel)
- (C development files) passwdqc is a password/passphrase strength
- checking and policy enforcement toolset, including a PAM module
- (libpam-passwdqc), command-line programs (pwqcheck and pwqgen), and a
+ (C development files) passwdqc is a password/passphrase strength
+ checking and policy enforcement toolset, including a PAM module
+ (libpam-passwdqc), command-line programs (pwqcheck and pwqgen), and a
library (libpasswdqc0).
.
- This package provides the development libraries and header files
+ This package provides the development libraries and header files
required to build tools using the libpasswdqc library.
Package: libpam-passwdqc
Architecture: any
+Multi-Arch: same
Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 1.0.1-6)
Recommends: passwdqc
Description: PAM module for password strength policy enforcement
- passwdqc is a password/passphrase strength checking and policy
- enforcement toolset, including a PAM module (libpam-passwdqc),
+ passwdqc is a password/passphrase strength checking and policy
+ enforcement toolset, including a PAM module (libpam-passwdqc),
command-line programs (pwqcheck and pwqgen), and a library (libpasswdqc0).
.
- pam_passwdqc (optionally) integrates with PAM such that it gets invoked
- when users change their passwords. The module is capable of checking
- password or passphrase strength, enforcing a policy, and offering
- randomly-generated passphrases, with all of these features being
+ pam_passwdqc (optionally) integrates with PAM such that it gets invoked
+ when users change their passwords. The module is capable of checking
+ password or passphrase strength, enforcing a policy, and offering
+ randomly-generated passphrases, with all of these features being
optional and easily (re-)configurable.
diff -Nru passwdqc-1.3.0/debian/copyright passwdqc-1.4.0/debian/copyright
--- passwdqc-1.3.0/debian/copyright 2013-08-10 03:01:10.000000000 -0400
+++ passwdqc-1.4.0/debian/copyright 2019-04-10 17:47:12.000000000 -0400
@@ -1,6 +1,6 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: passwdqc
-Source: http://www.openwall.com/passwdqc/
+Source: https://www.openwall.com/passwdqc/
Files: *
Copyright: 2000-2013, Solar Designer <so...@openwall.com>
@@ -11,17 +11,17 @@
Copyright: 2001, Networks Associates Technology, Inc.
2009, Dmitry V. Levin
2009 Solar Designer
-License: BSD
+License: BSD-3-Clause
Files: passwdqc.conf.5
Copyright: 2000-2003,2005,2008, Solar Designer
2001, Networks Associates Technology, Inc.
2009, Dmitry V. Levin
-License: BSD
+License: BSD-3-Clause
Files: concat.c wordset_4k.c wordset_4k.h pam_macros.h
Copyright: 2009, Solar Designer <so...@openwall.com>
-License: Public Domain
+License: public-domain
No license required for any purpose; the work is not subject to
copyright in any jurisdiction.
@@ -43,7 +43,7 @@
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>
+ along with this program. If not, see <https://www.gnu.org/licenses/>
.
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
@@ -62,8 +62,8 @@
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-License: BSD
+
+License: BSD-3-Clause
Portions of this software were developed for the FreeBSD Project by
ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
diff -Nru passwdqc-1.3.0/debian/gbp.conf passwdqc-1.4.0/debian/gbp.conf
--- passwdqc-1.3.0/debian/gbp.conf 1969-12-31 19:00:00.000000000 -0500
+++ passwdqc-1.4.0/debian/gbp.conf 2020-03-29 18:15:36.000000000 -0400
@@ -0,0 +1,15 @@
+[DEFAULT]
+debian-branch = debian/master
+pristine-tar = True
+
+[buildpackage]
+sign-tags = True
+
+[import-orig]
+filter-pristine-tar = True
+
+[pq]
+patch-numbers = False
+
+[dch]
+multimaint-merge = True
diff -Nru passwdqc-1.3.0/debian/libpam-passwdqc.dirs
passwdqc-1.4.0/debian/libpam-passwdqc.dirs
--- passwdqc-1.3.0/debian/libpam-passwdqc.dirs 2010-03-16 10:27:55.000000000
-0400
+++ passwdqc-1.4.0/debian/libpam-passwdqc.dirs 1969-12-31 19:00:00.000000000
-0500
@@ -1 +0,0 @@
-usr/share/pam-configs
diff -Nru passwdqc-1.3.0/debian/libpam-passwdqc.docs
passwdqc-1.4.0/debian/libpam-passwdqc.docs
--- passwdqc-1.3.0/debian/libpam-passwdqc.docs 2013-08-09 21:46:22.000000000
-0400
+++ passwdqc-1.4.0/debian/libpam-passwdqc.docs 2019-04-15 18:14:27.000000000
-0400
@@ -1,2 +1,2 @@
README
-password-strength.txt
+debian/password-strength.txt
diff -Nru passwdqc-1.3.0/debian/libpam-passwdqc.install
passwdqc-1.4.0/debian/libpam-passwdqc.install
--- passwdqc-1.3.0/debian/libpam-passwdqc.install 2010-03-16
10:27:55.000000000 -0400
+++ passwdqc-1.4.0/debian/libpam-passwdqc.install 2020-03-24
03:05:10.000000000 -0400
@@ -1,3 +1,3 @@
-lib/security/pam_passwdqc.so
+lib/*/security/pam_passwdqc.so
usr/share/man/man8
debian/pam-configs/passwdqc usr/share/pam-configs
diff -Nru passwdqc-1.3.0/debian/libpasswdqc0.install
passwdqc-1.4.0/debian/libpasswdqc0.install
--- passwdqc-1.3.0/debian/libpasswdqc0.install 2010-03-16 10:27:55.000000000
-0400
+++ passwdqc-1.4.0/debian/libpasswdqc0.install 2019-04-15 18:14:27.000000000
-0400
@@ -1 +1 @@
-lib/*.so*
+usr/lib/*/*.so.*
diff -Nru passwdqc-1.3.0/debian/libpasswdqc-dev.install
passwdqc-1.4.0/debian/libpasswdqc-dev.install
--- passwdqc-1.3.0/debian/libpasswdqc-dev.install 2010-03-16
10:27:55.000000000 -0400
+++ passwdqc-1.4.0/debian/libpasswdqc-dev.install 2019-04-15
18:14:27.000000000 -0400
@@ -1,2 +1,2 @@
usr/include
-usr/lib/*.so
+usr/lib/*/*.so
diff -Nru passwdqc-1.3.0/debian/password-strength.txt
passwdqc-1.4.0/debian/password-strength.txt
--- passwdqc-1.3.0/debian/password-strength.txt 1969-12-31 19:00:00.000000000
-0500
+++ passwdqc-1.4.0/debian/password-strength.txt 2019-04-15 18:14:27.000000000
-0400
@@ -0,0 +1,66 @@
+## From https://openwall.info/wiki/passwdqc/policy
+# 2011.02.20.1951
+#
+Password strength policy considerations
+
+Many system administrators are tempted to relax passwdqc's default policy
+settings in order to make it easier for the users to choose and remember
+passwords that would pass the policy. Unfortunately, this very likely results
+in unacceptably weak passwords being allowed. The following (revised) excerpt
+from an e-mail exchange between a user of passwdqc (a system administrator) and
+Solar Designer (the original author and a maintainer of passwdqc) explains some
+of these issues.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+ I appreciate what passwdqc is, but I think that the default minima are too
+ restrictive […] If the system enforced too restrictive passwords, users are
+ forced to write them down on paper.
+
+This is not necessarily such a bad thing. It depends on what threats we
+primarily protect against. Off the top of my head, I can identify the following
+relevant threat classes:
+
+ 1. Offline attacks against stolen/leaked password hashes.
+ 2. Online attacks against remote systems. (Also similar attacks against
+ not-so-remote systems in some cases.)
+ 3. Leaks of plaintext passwords from the users.
+
+Your concern above is about #3, whereas #1 and #2 are mitigated. If we make the
+password policy less restrictive, we'll be a lot more vulnerable to #1 while
+maybe avoiding #3 in some cases. Please note that with #1, the attack is
+usually system-wide (a certain large percentage of accounts may get compromised
+- say, 20% - and this would be difficult to recover from on a large system).
+For comparison, with #3 the attack is per-person, so a much smaller percentage
+of accounts gets compromised. Also, in some cases it's about “formal”
+responsibility - for #1 it is the system admins', for #3 it is the specific
+user's (even if the system admins were “at fault” for enforcing “too strict” a
+policy).
+
+Also, you might be over-estimating the difficulty of memorizing passphrases
+that pass the default requirements of passwdqc. I have lots of those memorized.
+
+ Over the last years, I have thus used the following settings:
+
+ min=disabled,12,8,6,5 enforce=users
+
+These might protect against #2 (although length 5 feels too low even for remote
+attacks), but definitely not against #1. I'd call these unreasonable for most
+systems and typical threat models (based on my experience).
+
+ while the defaults are
+
+ min=disabled,24,11,8,7 enforce=everyone
+
+ While the enforce option is surely a policy decision, I would like to hear
+ your opinion on the minima strengths. I think that the ones you chose are
+ possibly a bit too strong.
+
+passwdqc's default requirements are about the minimum needed to mitigate
+not-too-powerful offline attacks.
+
+I see no way to relax the requirements yet have much protection against offline
+attacks, which are a primary concern for systems with large numbers of users
+(because of the time for and cost of recovery from a compromise).
+
+passwdqc/policy.txt · Last modified: 2011/02/20 19:51 by solar
diff -Nru passwdqc-1.3.0/debian/patches/01-manpage-fixes
passwdqc-1.4.0/debian/patches/01-manpage-fixes
--- passwdqc-1.3.0/debian/patches/01-manpage-fixes 2013-08-10
02:55:46.000000000 -0400
+++ passwdqc-1.4.0/debian/patches/01-manpage-fixes 1969-12-31
19:00:00.000000000 -0500
@@ -1,16 +0,0 @@
-Description: Fixes minor glitches in the manpages
-Author: Jackson Doak <nosk...@ubuntu.com>
-
-Index: passwdqc-1.3.0/pwqcheck.1
-===================================================================
---- passwdqc-1.3.0.orig/pwqcheck.1 2013-08-10 16:55:41.127266666 +1000
-+++ passwdqc-1.3.0/pwqcheck.1 2013-08-10 16:55:41.127266666 +1000
-@@ -160,7 +160,7 @@
- This is needed to use
- .Nm
- as the passwordcheck program on OpenBSD - e.g., with
--":passwordcheck=/usr/bin/pwqcheck -1:\\"
-+":passwordcheck=/usr/bin/pwqcheck \-1:\\"
- in the "default" section in
- .Cm /etc/login.conf .
- .It Cm -2
diff -Nru passwdqc-1.3.0/debian/patches/99-docs-password-strength.patch
passwdqc-1.4.0/debian/patches/99-docs-password-strength.patch
--- passwdqc-1.3.0/debian/patches/99-docs-password-strength.patch
2013-08-09 22:00:03.000000000 -0400
+++ passwdqc-1.4.0/debian/patches/99-docs-password-strength.patch
1969-12-31 19:00:00.000000000 -0500
@@ -1,73 +0,0 @@
-# This patch adds addition information about password safety
-
-Index: passwdqc-1.3.0/password-strength.txt
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ passwdqc-1.3.0/password-strength.txt 2013-08-10 11:34:22.154720531
+1000
-@@ -0,0 +1,66 @@
-+## From http://openwall.info/wiki/passwdqc/policy
-+# 2010.03.15.1510
-+#
-+Password strength policy considerations
-+
-+Many system administrators are tempted to relax passwdqc's default policy
-+settings in order to make it easier for the users to choose and remember
-+passwords that would pass the policy. Unfortunately, this very likely results
-+in unacceptably weak passwords being allowed. The following excerpt from an
-+e-mail exchange between a user of passwdqc (a system administrator) and Solar
-+Designer (the original author and a maintainer of passwdqc) explains some of
-+these issues.
-+
-+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-+
-+ I appreciate what passwdqc is, but I think that the default minima are too
-+ restrictive […] If the system enforced too restrictive passwords, users
are
-+ forced to write them down on paper.
-+
-+This is not necessarily such a bad thing. It depends on what threats we
-+primarily protect against. Off the top of my head, I can identify the
following
-+relevant threat classes:
-+
-+ 1. Offline attacks against stolen/leaked password hashes.
-+ 2. Online attacks against remote systems. (Also similar attacks against
-+ not-so-remote systems in some cases.)
-+ 3. Leaks of plaintext passwords from the users.
-+
-+Your concern above is about #3, whereas #1 and #2 are avoided. If we make the
-+password policy less restrictive, we'll be a lot more vulnerable to #1 while
-+maybe avoiding #3 in some cases. Please note that with #1, the attack is
-+usually system-wide (a certain large percentage of accounts may get
compromised
-+- say, 20% - and this would be difficult to recover from on a large system).
-+For comparison, with #3 the attack is per-person, so a much smaller percentage
-+of accounts gets compromised. Also, in some cases it's about “formal”
-+responsibility - for #1 it is the system admins', for #3 it is the specific
-+user's (even if the system admins were “at fault” for enforcing “too strict” a
-+policy).
-+
-+Also, you might be over-estimating the difficulty of memorizing passphrases
-+that pass the default requirements of passwdqc. I have lots of those
memorized.
-+
-+ Over the last years, I have thus used the following settings:
-+
-+ min=disabled,12,8,6,5 enforce=users
-+
-+These might protect against #2 (although length 5 feels too low even for
remote
-+attacks), but definitely not against #1. I'd call these unreasonable for most
-+systems and typical threat models (based on my experience).
-+
-+ while the defaults are
-+
-+ min=disabled,24,11,8,7 enforce=everyone
-+
-+ While the enforce option is surely a policy decision, I would like to hear
-+ your opinion on the minima strengths. I think that the ones you chose are
-+ possibly a bit too strong.
-+
-+passwdqc's default requirements are about the minimum needed to prevent
-+not-too-powerful offline attacks.
-+
-+I see no way to relax the requirements yet have much protection against
offline
-+attacks, which are a primary concern for systems with large numbers of users
-+(because of the cost of recovery from a compromise).
-+
-+passwdqc/policy.txt · Last modified: 2010/03/15 20:32 by solar
diff -Nru passwdqc-1.3.0/debian/patches/series
passwdqc-1.4.0/debian/patches/series
--- passwdqc-1.3.0/debian/patches/series 2013-08-10 02:53:33.000000000
-0400
+++ passwdqc-1.4.0/debian/patches/series 1969-12-31 19:00:00.000000000
-0500
@@ -1,2 +0,0 @@
-01-manpage-fixes
-99-docs-password-strength.patch
diff -Nru passwdqc-1.3.0/debian/README.source
passwdqc-1.4.0/debian/README.source
--- passwdqc-1.3.0/debian/README.source 2010-03-16 10:27:55.000000000 -0400
+++ passwdqc-1.4.0/debian/README.source 1969-12-31 19:00:00.000000000 -0500
@@ -1,18 +0,0 @@
-Building passwdqc for Debian
-----------------------------
-
-The passwdqc source package uses quilt to apply and remove its patches. Please
-refer to /usr/share/doc/quilt/README.source for information about how to use
-quilt for source packages.
-
-The quilt series is generated from the Git repository, using TopGit.
-This process is documented in /usr/share/doc/topgit/HOWTO-tg2quilt.gz .
-
-The pam-passwdqc packages uses the following branch layout:
-
- fixes/* patches destined to go upstream
- contrib/* contributed content
- contrib/docs/* additional documentation
- debian/* debian-specific changes
-
- -- martin f. krafft <madd...@debian.org> Thu, 28 Jan 2010 14:22:40 +1300
diff -Nru passwdqc-1.3.0/debian/rules passwdqc-1.4.0/debian/rules
--- passwdqc-1.3.0/debian/rules 2013-08-29 16:59:46.000000000 -0400
+++ passwdqc-1.4.0/debian/rules 2019-04-15 18:14:27.000000000 -0400
@@ -3,11 +3,17 @@
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
-# This has to be exported to make some magic below work.
-export DH_OPTIONS
+include /usr/share/dpkg/default.mk
-export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,relro
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+LIBDIR = /usr/lib/$(DEB_HOST_MULTIARCH)
%:
- dh $@
+ dh $@
+
+override_dh_auto_build:
+ dh_auto_build -- CFLAGS="-Wall -W $(CFLAGS) $(CPPFLAGS)"
LDFLAGS="$(LDFLAGS)" LDFLAGS_shared_LINUX="--shared $(LDFLAGS)"
+
+override_dh_auto_install:
+ dh_auto_install -- SHARED_LIBDIR="$(LIBDIR)" SHARED_LIBDIR_REL="."
DEVEL_LIBDIR="$(LIBDIR)" SECUREDIR="/lib/$(DEB_HOST_MULTIARCH)/security"
diff -Nru passwdqc-1.3.0/debian/watch passwdqc-1.4.0/debian/watch
--- passwdqc-1.3.0/debian/watch 2013-08-09 21:12:54.000000000 -0400
+++ passwdqc-1.4.0/debian/watch 2019-04-10 17:46:19.000000000 -0400
@@ -1,3 +1,3 @@
version=3
opts=uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha|b|a)[\-\.]?\d*)$/$1~$2/,dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//
\
-http://www.openwall.com/passwdqc/
(?:.*/)?passwdqc[_\-\.]?(\d\S*)\.(?:tgz|tbz2|txz|tar\.(?:gz|bz2|xz))
+https://www.openwall.com/passwdqc/
(?:.*/)?passwdqc[_\-\.]?(\d\S*)\.(?:tgz|tbz2|txz|tar\.(?:gz|bz2|xz))
diff -Nru passwdqc-1.3.0/INSTALL passwdqc-1.4.0/INSTALL
--- passwdqc-1.3.0/INSTALL 2013-04-23 22:02:54.000000000 -0400
+++ passwdqc-1.4.0/INSTALL 2019-12-25 12:09:02.000000000 -0500
@@ -10,6 +10,15 @@
and two command-line programs) by simply running "make". To install,
run "make install". To uninstall, run "make uninstall".
+On a system with the PAM framework built with i18n support enabled
+you may also build pam_passwdqc with i18n support by adding
+-DENABLE_NLS=1 to CPPFLAGS. To compile translation files, run
+"make locales". To install them, run "make install_locales".
+
+On a system with the PAM framework built with Linux audit support
+enabled you may also build pam_passwdqc with audit support by adding
+-DHAVE_LIBAUDIT=1 to CPPFLAGS.
+
On a system without PAM, you may build everything but the PAM module
with "make utils". To install, run "make install_lib install_utils".
To uninstall, run "make remove_lib remove_utils".
@@ -26,8 +35,8 @@
Alternatively, on a Red Hat'ish Linux system and under an account
configured to build RPM packages (perhaps with ~/.rpmmacros specifying
the proper pathnames for %_topdir, %_tmppath, and %buildroot), you may
-build RPM packages by running "rpmbuild -tb passwdqc-1.3.0.tar.gz", then
-install the two binary subpackages with "rpm -Uvh passwdqc*-1.3.0*.rpm".
+build RPM packages by running "rpmbuild -tb passwdqc-1.4.0.tar.gz", then
+install the two binary subpackages with "rpm -Uvh passwdqc*-1.4.0*.rpm".
This works due to the RPM spec file included in the tarball.
Please refer to README and PLATFORMS for information on configuring your
@@ -37,4 +46,4 @@
Please refer to the pwqcheck(1) and pwqgen(1) manual pages for
information on using the command-line programs.
-$Owl: Owl/packages/passwdqc/passwdqc/INSTALL,v 1.8 2013/04/24 02:02:54 solar
Exp $
+$Owl: Owl/packages/passwdqc/passwdqc/INSTALL,v 1.12 2019/12/25 11:42:06 ldv
Exp $
diff -Nru passwdqc-1.3.0/libpasswdqc.map passwdqc-1.4.0/libpasswdqc.map
--- passwdqc-1.3.0/libpasswdqc.map 2009-10-09 18:09:33.000000000 -0400
+++ passwdqc-1.4.0/libpasswdqc.map 2016-07-21 08:22:55.000000000 -0400
@@ -1,4 +1,4 @@
-# $Owl: Owl/packages/passwdqc/passwdqc/libpasswdqc.map,v 1.2 2009/10/09
22:09:33 solar Exp $
+# $Owl: Owl/packages/passwdqc/passwdqc/libpasswdqc.map,v 1.4 2016/07/21
01:01:59 ldv Exp $
{
global:
diff -Nru passwdqc-1.3.0/Makefile passwdqc-1.4.0/Makefile
--- passwdqc-1.3.0/Makefile 2012-08-18 18:24:09.000000000 -0400
+++ passwdqc-1.4.0/Makefile 2019-12-18 13:06:30.000000000 -0500
@@ -1,9 +1,11 @@
#
# Copyright (c) 2000-2003,2005,2009,2010 by Solar Designer
-# Copyright (c) 2008,2009 by Dmitry V. Levin
+# Copyright (c) 2008,2009,2017 by Dmitry V. Levin
+# Copyright (c) 2017 by Oleg Solovyov
# See LICENSE
#
+PACKAGE = passwdqc
TITLE = pam_passwdqc
SHARED_LIB = libpasswdqc.so.0
DEVEL_LIB = libpasswdqc.so
@@ -34,6 +36,10 @@
INCLUDEDIR = /usr/include
MANDIR = /usr/share/man
DESTDIR =
+LOCALEDIR = /usr/share/locale
+LOCALEMODE = 644
+
+LANGUAGES = ru
CC = gcc
LD = $(CC)
@@ -47,6 +53,11 @@
CFLAGS = -Wall -W -O2
CFLAGS_lib = $(CFLAGS) -fPIC
CFLAGS_bin = $(CFLAGS) -fomit-frame-pointer
+CPPFLAGS = -DPACKAGE=\\\"$(PACKAGE)\\\"
+MSGFMT = msgfmt
+XGETTEXT = xgettext
+XGETTEXT_OPTS = --keyword=_ --keyword=P2_:1,1 --keyword=P3_:1,2 --language=C
--add-comments
+MSGMERGE = msgmerge
LDFLAGS =
LDFLAGS_shared = --shared
@@ -85,21 +96,21 @@
CONFIGS = passwdqc.conf
BINS = pwqgen pwqcheck
PROJ = $(SHARED_LIB) $(DEVEL_LIB) $(SHARED_PAM) $(BINS)
-OBJS_LIB = concat.o passwdqc_check.o passwdqc_load.o passwdqc_parse.o
passwdqc_random.o wordset_4k.o
-OBJS_PAM = pam_passwdqc.o
-OBJS_GEN = pwqgen.o
-OBJS_CHECK = pwqcheck.o
+OBJS_LIB = concat.o passwdqc_check.o passwdqc_load.o passwdqc_memzero.o
passwdqc_parse.o passwdqc_random.o wordset_4k.o
+OBJS_PAM = pam_passwdqc.o passwdqc_memzero.o
+OBJS_GEN = pwqgen.o passwdqc_memzero.o
+OBJS_CHECK = pwqcheck.o passwdqc_memzero.o
default: all
-all pam utils install install_lib install_pam install_utils uninstall remove
remove_lib remove_pam remove_utils:
+all locales pam utils install install_lib install_locales install_pam
install_utils uninstall remove remove_lib remove_locales remove_pam
remove_utils:
case "`uname -s`" in \
- Linux) $(MAKE) CFLAGS_lib="$(CFLAGS_lib) -DHAVE_SHADOW" \
+ Linux) $(MAKE) CFLAGS_lib="$(CFLAGS_lib) $(CPPFLAGS) -DHAVE_SHADOW" \
LDFLAGS_lib="$(LDFLAGS_lib_LINUX)" \
LDFLAGS_pam="$(LDFLAGS_pam_LINUX)" \
LDLIBS_pam="$(LDLIBS_pam_LINUX)" \
$@_wrapped;; \
- SunOS) $(MAKE) -e CFLAGS_lib="$(CFLAGS_lib) -DHAVE_SHADOW" \
+ SunOS) $(MAKE) -e CFLAGS_lib="$(CFLAGS_lib) $(CPPFLAGS) -DHAVE_SHADOW"
\
LD_lib=ld \
LDFLAGS_lib="$(LDFLAGS_lib_SUN)" \
LDFLAGS_pam="$(LDFLAGS_pam_SUN)" \
@@ -108,7 +119,7 @@
SHARED_LIBDIR="$(SHARED_LIBDIR_SUN)" \
SECUREDIR="$(SECUREDIR_SUN)" \
$@_wrapped;; \
- HP-UX) $(MAKE) CFLAGS_lib="$(CFLAGS_lib) -DHAVE_SHADOW" \
+ HP-UX) $(MAKE) CFLAGS_lib="$(CFLAGS_lib) $(CPPFLAGS) -DHAVE_SHADOW" \
LD_lib=ld \
LDFLAGS_lib="$(LDFLAGS_lib_HP)" \
LDFLAGS_pam="$(LDFLAGS_pam_HP)" \
@@ -195,7 +206,38 @@
$(MKDIR) $(DESTDIR)$(MANDIR)/man8
$(INSTALL) -m $(MANMODE) $(MAN8) $(DESTDIR)$(MANDIR)/man8/
-uninstall_wrapped remove_wrapped: remove_pam_wrapped remove_utils_wrapped
remove_lib_wrapped
+POFILES = $(LANGUAGES:%=po/%.po)
+MOFILES = $(LANGUAGES:%=po/%.mo)
+POTFILE_DEPS = pam_passwdqc.c passwdqc_check.c
+POTFILE = po/$(PACKAGE).pot
+
+$(POTFILE): $(POTFILE_DEPS)
+ $(XGETTEXT) $(XGETTEXT_OPTS) -o $@-t $^ && mv $@-t $@
+
+$(POFILES): $(POTFILE)
+ $(MSGMERGE) -U $@ $<
+
+.SUFFIXES: .po .mo
+
+.po.mo:
+ $(MSGFMT) -c -o $@-t $< && mv $@-t $@
+
+update_pot: $(POTFILE)
+
+update_po: $(POFILES)
+
+update_mo: $(MOFILES)
+
+locales_wrapped: update_mo
+
+install_locales_wrapped:
+ for lang in $(LANGUAGES); do \
+ $(MKDIR) $(DESTDIR)$(LOCALEDIR)/$$lang/LC_MESSAGES && \
+ $(INSTALL) -m $(LOCALEMODE) po/$$lang.mo \
+ $(DESTDIR)$(LOCALEDIR)/$$lang/LC_MESSAGES/$(PACKAGE).mo
|| exit; \
+ done
+
+uninstall_wrapped remove_wrapped: remove_pam_wrapped remove_utils_wrapped
remove_lib_wrapped remove_locales_wrapped
remove_pam_wrapped:
$(RM) $(DESTDIR)$(MANDIR)/man8/$(MAN8)
@@ -212,13 +254,18 @@
for f in $(SHARED_LIB); do $(RM) $(DESTDIR)$(SHARED_LIBDIR)/$$f; done
for f in $(CONFIGS); do $(RM) $(DESTDIR)$(CONFDIR)/$$f; done
+remove_locales_wrapped:
+ for f in $(LANGUAGES); do $(RM)
$(DESTDIR)$(LOCALEDIR)/$$f/LC_MESSAGES/$(PACKAGE).mo; done
+
clean:
- $(RM) $(PROJ) *.o
+ $(RM) $(PROJ) $(MOFILES) *.o
-.PHONY: all all_wrapped clean install install_lib install_pam install_utils \
+.PHONY: all all_wrapped clean install install_lib install_locales install_pam
install_utils \
pam pam_wrapped uninstall remove remove_lib remove_pam remove_utils \
utils utils_wrapped \
- install_wrapped install_lib_wrapped install_pam_wrapped \
+ update_mo update_po update_pot \
+ locales locales_wrapped \
+ install_wrapped install_lib_wrapped install_locales_wrapped
install_pam_wrapped \
install_utils_wrapped \
- remove_wrapped remove_lib_wrapped remove_pam_wrapped \
+ remove_wrapped remove_lib_wrapped remove_locales_wrapped
remove_pam_wrapped \
remove_utils_wrapped
diff -Nru passwdqc-1.3.0/pam_passwdqc.8 passwdqc-1.4.0/pam_passwdqc.8
--- passwdqc-1.3.0/pam_passwdqc.8 2010-03-13 01:51:46.000000000 -0500
+++ passwdqc-1.4.0/pam_passwdqc.8 2019-12-09 18:29:52.000000000 -0500
@@ -2,7 +2,7 @@
.\" All rights reserved.
.\" Copyright (c) 2009 Dmitry V. Levin
.\" All rights reserved.
-.\" Copyright (c) 2009 Solar Designer
+.\" Copyright (c) 2009,2019 Solar Designer
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
@@ -35,9 +35,9 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8,v 1.4
2002/05/30 14:49:57 ru Exp $
-.\" $Owl: Owl/packages/passwdqc/passwdqc/pam_passwdqc.8,v 1.15 2010/03/13
06:51:46 solar Exp $
+.\" $Owl: Owl/packages/passwdqc/passwdqc/pam_passwdqc.8,v 1.17 2019/12/09
23:29:52 solar Exp $
.\"
-.Dd March 13, 2010
+.Dd December 9, 2019
.Dt PAM_PASSWDQC 8
.Os "Openwall Project"
.Sh NAME
@@ -75,16 +75,19 @@
.Dv PAM_AUTHTOK_ERR .
.Pp
The set of options that may be passed to the module is exactly the
-same as the set of options that may be specified in the
-.Pa /etc/passwdqc.conf
-file. These options are described in
+same as the set of options that may be specified in the configuration
+file (suggested location
+.Pa /etc/passwdqc.conf ,
+to be specified in the
+.Cm config=/etc/passwdqc.conf
+option). These options are described in
.Xr passwdqc.conf 5 .
.Sh SEE ALSO
.Xr pam.conf 5 ,
.Xr passwdqc.conf 5 ,
.Xr pam 8 .
.Pp
-http://www.openwall.com/passwdqc/
+https://www.openwall.com/passwdqc/
.Sh AUTHORS
The
.Nm
diff -Nru passwdqc-1.3.0/pam_passwdqc.c passwdqc-1.4.0/pam_passwdqc.c
--- passwdqc-1.3.0/pam_passwdqc.c 2012-08-18 18:24:09.000000000 -0400
+++ passwdqc-1.4.0/pam_passwdqc.c 2019-12-18 13:06:30.000000000 -0500
@@ -1,5 +1,8 @@
/*
- * Copyright (c) 2000-2003,2005,2012 by Solar Designer. See LICENSE.
+ * Copyright (c) 2000-2003,2005,2012,2016,2019 by Solar Designer.
+ * Copyright (c) 2017,2018 by Dmitry V. Levin
+ * Copyright (c) 2017,2018 by Oleg Solovyov
+ * See LICENSE.
*/
#ifdef __FreeBSD__
@@ -9,6 +12,7 @@
#define _XOPEN_SOURCE 500
#define _XOPEN_SOURCE_EXTENDED
#define _XOPEN_VERSION 500
+#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
@@ -20,6 +24,10 @@
#ifdef HAVE_SHADOW
#include <shadow.h>
#endif
+#ifdef HAVE_LIBAUDIT
+#include <security/pam_modutil.h>
+#include <libaudit.h>
+#endif
#define PAM_SM_PASSWORD
#ifndef LINUX_PAM
@@ -54,73 +62,107 @@
#include "passwdqc.h"
+#include "passwdqc_i18n.h"
+
#define PROMPT_OLDPASS \
- "Enter current password: "
+ _("Enter current password: ")
#define PROMPT_NEWPASS1 \
- "Enter new password: "
+ _("Enter new password: ")
#define PROMPT_NEWPASS2 \
- "Re-type new password: "
+ _("Re-type new password: ")
#define MESSAGE_MISCONFIGURED \
- "System configuration error. Please contact your administrator."
+ _("System configuration error. Please contact your administrator.")
#define MESSAGE_INVALID_OPTION \
"pam_passwdqc: %s."
#define MESSAGE_INTRO_PASSWORD \
- "\nYou can now choose the new password.\n"
+ _("\nYou can now choose the new password.\n")
#define MESSAGE_INTRO_BOTH \
- "\nYou can now choose the new password or passphrase.\n"
+ _("\nYou can now choose the new password or passphrase.\n")
+
#define MESSAGE_EXPLAIN_PASSWORD_1CLASS \
- "A good password should be a mix of upper and lower case letters,\n" \
- "digits, and other characters. You can use a%s %d character long\n" \
- "password.\n"
-#define MESSAGE_EXPLAIN_PASSWORD_CLASSES \
- "A valid password should be a mix of upper and lower case letters,\n" \
- "digits, and other characters. You can use a%s %d character long\n" \
- "password with characters from at least %d of these 4 classes.\n" \
+ _("A good password should be a mix of upper and lower case letters,\n" \
+ "digits, and other characters. You can use a password\n" \
+ "that consists of %d characters.\n")
+
+#define MESSAGE_EXPLAIN_PASSWORD_CLASSES(count) \
+ P2_("A valid password should be a mix of upper and lower case
letters,\n" \
+ "digits, and other characters. You can use a password\n" \
+ "that consists of %d characters from at least %d of these 4 classes.\n"
\
"An upper case letter that begins the password and a digit that\n" \
- "ends it do not count towards the number of character classes used.\n"
-#define MESSAGE_EXPLAIN_PASSWORD_ALL_CLASSES \
- "A valid password should be a mix of upper and lower case letters,\n" \
- "digits, and other characters. You can use a%s %d character long\n" \
- "password with characters from all of these classes. An upper\n" \
+ "ends it do not count towards the number of character classes used.\n",
\
+ count), (count)
+#define MESSAGE_EXPLAIN_PASSWORD_ALL_CLASSES(count) \
+ P2_("A valid password should be a mix of upper and lower case
letters,\n" \
+ "digits, and other characters. You can use a password\n" \
+ "that consists of %d characters from all of these classes. An upper\n"
\
"case letter that begins the password and a digit that ends it do\n" \
- "not count towards the number of character classes used.\n"
-#define MESSAGE_EXPLAIN_PASSWORD_ALT \
- "A valid password should be a mix of upper and lower case letters,\n" \
- "digits, and other characters. You can use a%s %d character long\n" \
- "password with characters from at least 3 of these 4 classes, or\n" \
- "a%s %d character long password containing characters from all the\n" \
- "classes. An upper case letter that begins the password and a\n" \
+ "not count towards the number of character classes used.\n", \
+ count), (count)
+#define MESSAGE_EXPLAIN_PASSWORD_ALT_1(count) \
+ P2_("A valid password should be a mix of upper and lower case
letters,\n" \
+ "digits, and other characters. You can use a password\n" \
+ "that consists of %d characters from at least 3 of these 4 classes,
or\n", \
+ count), (count)
+#define MESSAGE_EXPLAIN_PASSWORD_ALT_2(count) \
+ P2_("a password containing %d characters from all the classes.\n" \
+ "An upper case letter that begins the password and a\n" \
"digit that ends it do not count towards the number of character\n" \
- "classes used.\n"
-#define MESSAGE_EXPLAIN_PASSPHRASE \
+ "classes used.\n", \
+ count), (count)
+#define MESSAGE_EXPLAIN_PASSPHRASE(count) \
+ P3_("A passphrase should be of at least %d word, %d to %d characters\n"
\
+ "long, and contain enough different characters.\n", \
"A passphrase should be of at least %d words, %d to %d characters\n" \
- "long, and contain enough different characters.\n"
+ "long, and contain enough different characters.\n", \
+ count), (count)
+
#define MESSAGE_RANDOM \
- "Alternatively, if no one else can see your terminal now, you can\n" \
- "pick this as your password: \"%s\".\n"
+ _("Alternatively, if no one else can see your terminal now, you can\n" \
+ "pick this as your password: \"%s\".\n")
#define MESSAGE_RANDOMONLY \
- "This system is configured to permit randomly generated passwords\n" \
+ _("This system is configured to permit randomly generated passwords\n" \
"only. If no one else can see your terminal now, you can pick this\n" \
- "as your password: \"%s\". Otherwise come back later.\n"
+ "as your password: \"%s\". Otherwise come back later.\n")
#define MESSAGE_RANDOMFAILED \
- "This system is configured to use randomly generated passwords\n" \
+ _("This system is configured to use randomly generated passwords\n" \
"only, but the attempt to generate a password has failed. This\n" \
"could happen for a number of reasons: you could have requested\n" \
"an impossible password length, or the access to kernel random\n" \
- "number pool could have failed."
+ "number pool could have failed.")
#define MESSAGE_TOOLONG \
- "This password may be too long for some services. Choose another."
+ _("This password may be too long for some services. Choose another.")
#define MESSAGE_TRUNCATED \
- "Warning: your longer password will be truncated to 8 characters."
+ _("Warning: your longer password will be truncated to 8 characters.")
#define MESSAGE_WEAKPASS \
- "Weak password: %s."
+ _("Weak password: %s.")
#define MESSAGE_NOTRANDOM \
- "Sorry, you've mistyped the password that was generated for you."
+ _("Sorry, you've mistyped the password that was generated for you.")
#define MESSAGE_MISTYPED \
- "Sorry, passwords do not match."
+ _("Sorry, passwords do not match.")
#define MESSAGE_RETRY \
- "Try again."
+ _("Try again.")
+
+static int logaudit(pam_handle_t *pamh, int status, int flags)
+{
+#ifdef HAVE_LIBAUDIT
+ if (!(flags & F_NO_AUDIT)) {
+ int rc;
+
+ rc = pam_modutil_audit_write(pamh, AUDIT_USER_CHAUTHTOK,
+ "pam_passwdqc", status);
+
+ return status != PAM_SUCCESS ? status : rc;
+ } else {
+ /* audit is disabled */
+ return status;
+ }
+#else /* !HAVE_LIBAUDIT */
+ (void) pamh;
+ (void) flags;
+ return status;
+#endif
+}
static int converse(pam_handle_t *pamh, int style, l_const char *text,
struct pam_response **resp)
@@ -165,7 +207,7 @@
} else {
status = PAM_ABORT;
}
- memset(buffer, 0, sizeof(buffer));
+ _passwdqc_memzero(buffer, sizeof(buffer));
return status;
}
@@ -173,7 +215,7 @@
static int check_max(passwdqc_params_qc_t *qc, pam_handle_t *pamh,
const char *newpass)
{
- if ((int)strlen(newpass) > qc->max) {
+ if (strlen(newpass) > (size_t)qc->max) {
if (qc->max != 8) {
say(pamh, PAM_ERROR_MSG, MESSAGE_TOOLONG);
return -1;
@@ -208,7 +250,7 @@
#endif
}
retval = (hash && !strcmp(hash, spw->sp_pwdp)) ? 0 : -1;
- memset(spw->sp_pwdp, 0, strlen(spw->sp_pwdp));
+ _passwdqc_memzero(spw->sp_pwdp, strlen(spw->sp_pwdp));
return retval;
}
#endif
@@ -217,7 +259,7 @@
if (strlen(pw->pw_passwd) >= 13)
hash = crypt(pass, pw->pw_passwd);
retval = (hash && !strcmp(hash, pw->pw_passwd)) ? 0 : -1;
- memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+ _passwdqc_memzero(pw->pw_passwd, strlen(pw->pw_passwd));
return retval;
}
@@ -285,7 +327,7 @@
}
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
}
if (flags & PAM_PRELIM_CHECK)
@@ -293,18 +335,20 @@
status = pam_get_item(pamh, PAM_USER, &item);
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
user = item;
status = pam_get_item(pamh, PAM_OLDAUTHTOK, &item);
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
oldpass = item;
if (params.pam.flags & F_NON_UNIX) {
pw = &fake_pw;
+ memset(pw, 0, sizeof(*pw));
pw->pw_name = (char *)user;
pw->pw_gecos = "";
+ pw->pw_dir = "";
} else {
/* As currently implemented, we don't avoid timing leaks for valid vs. not
* usernames and hashes. Normally, the username would have already been
@@ -313,13 +357,13 @@
pw = getpwnam(user);
endpwent();
if (!pw)
- return PAM_USER_UNKNOWN;
+ return logaudit(pamh, PAM_USER_UNKNOWN,
params.pam.flags);
if ((params.pam.flags & F_CHECK_OLDAUTHTOK) && !am_root(pamh)
&& (!oldpass || check_pass(pw, oldpass)))
status = PAM_AUTH_ERR;
- memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+ _passwdqc_memzero(pw->pw_passwd, strlen(pw->pw_passwd));
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
}
randomonly = params.qc.min[4] > params.qc.max;
@@ -332,11 +376,11 @@
if (params.pam.flags & F_USE_AUTHTOK) {
status = pam_get_item(pamh, PAM_AUTHTOK, &item);
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
newpass = item;
if (!newpass ||
(check_max(¶ms.qc, pamh, newpass) && enforce))
- return PAM_AUTHTOK_ERR;
+ return logaudit(pamh, PAM_AUTHTOK_ERR,
params.pam.flags);
check_reason =
passwdqc_check(¶ms.qc, newpass, oldpass, pw);
if (check_reason) {
@@ -345,7 +389,7 @@
if (enforce)
status = PAM_AUTHTOK_ERR;
}
- return status;
+ return logaudit(pamh, status, params.pam.flags);
}
retries_left = params.pam.retry;
@@ -359,41 +403,38 @@
else
status = say(pamh, PAM_TEXT_INFO, MESSAGE_INTRO_PASSWORD);
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
if (!randomonly && params.qc.min[0] == params.qc.min[4])
status = say(pamh, PAM_TEXT_INFO,
MESSAGE_EXPLAIN_PASSWORD_1CLASS,
- params.qc.min[4] == 8 || params.qc.min[4] == 11 ? "n" : "",
params.qc.min[4]);
+
else if (!randomonly && params.qc.min[3] == params.qc.min[4])
status = say(pamh, PAM_TEXT_INFO,
- MESSAGE_EXPLAIN_PASSWORD_CLASSES,
- params.qc.min[4] == 8 || params.qc.min[4] == 11 ? "n" : "",
- params.qc.min[4],
+ MESSAGE_EXPLAIN_PASSWORD_CLASSES(params.qc.min[4]),
params.qc.min[1] != params.qc.min[3] ? 3 : 2);
else if (!randomonly && params.qc.min[3] == INT_MAX)
status = say(pamh, PAM_TEXT_INFO,
- MESSAGE_EXPLAIN_PASSWORD_ALL_CLASSES,
- params.qc.min[4] == 8 || params.qc.min[4] == 11 ? "n" : "",
- params.qc.min[4]);
- else if (!randomonly)
+ MESSAGE_EXPLAIN_PASSWORD_ALL_CLASSES(params.qc.min[4]));
+ else if (!randomonly) {
status = say(pamh, PAM_TEXT_INFO,
- MESSAGE_EXPLAIN_PASSWORD_ALT,
- params.qc.min[3] == 8 || params.qc.min[3] == 11 ? "n" : "",
- params.qc.min[3],
- params.qc.min[4] == 8 || params.qc.min[4] == 11 ? "n" : "",
- params.qc.min[4]);
+ MESSAGE_EXPLAIN_PASSWORD_ALT_1(params.qc.min[3]));
+ if (status == PAM_SUCCESS) {
+ status = say(pamh, PAM_TEXT_INFO,
+ MESSAGE_EXPLAIN_PASSWORD_ALT_2(params.qc.min[4]));
+ }
+ }
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
if (!randomonly &&
params.qc.passphrase_words && params.qc.min[2] <= params.qc.max) {
- status = say(pamh, PAM_TEXT_INFO, MESSAGE_EXPLAIN_PASSPHRASE,
- params.qc.passphrase_words,
+ status = say(pamh, PAM_TEXT_INFO,
+ MESSAGE_EXPLAIN_PASSPHRASE(params.qc.passphrase_words),
params.qc.min[2], params.qc.max);
if (status != PAM_SUCCESS)
- return status;
+ return logaudit(pamh, status, params.pam.flags);
}
randompass = passwdqc_random(¶ms.qc);
@@ -407,7 +448,7 @@
} else if (randomonly) {
say(pamh, PAM_ERROR_MSG, am_root(pamh) ?
MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
- return PAM_AUTHTOK_ERR;
+ return logaudit(pamh, PAM_AUTHTOK_ERR, params.pam.flags);
}
status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
@@ -417,7 +458,7 @@
if (status != PAM_SUCCESS) {
pwqc_overwrite_string(randompass);
pwqc_drop_mem(randompass);
- return status;
+ return logaudit(pamh, status, params.pam.flags);
}
trypass = strdup(resp->resp);
@@ -427,7 +468,7 @@
if (!trypass) {
pwqc_overwrite_string(randompass);
pwqc_drop_mem(randompass);
- return PAM_AUTHTOK_ERR;
+ return logaudit(pamh, PAM_AUTHTOK_ERR, params.pam.flags);
}
if (check_max(¶ms.qc, pamh, trypass) && enforce) {
@@ -484,7 +525,7 @@
goto retry;
}
- return status;
+ return logaudit(pamh, status, params.pam.flags);
}
#ifdef PAM_MODULE_ENTRY
diff -Nru passwdqc-1.3.0/passwdqc_check.c passwdqc-1.4.0/passwdqc_check.c
--- passwdqc-1.3.0/passwdqc_check.c 2013-04-23 21:16:03.000000000 -0400
+++ passwdqc-1.4.0/passwdqc_check.c 2019-12-16 05:34:46.000000000 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2002,2010,2013 by Solar Designer. See LICENSE.
+ * Copyright (c) 2000-2002,2010,2013,2016 by Solar Designer. See LICENSE.
*/
#include <stdio.h>
@@ -11,32 +11,34 @@
#include "passwdqc.h"
#include "wordset_4k.h"
+#include "passwdqc_i18n.h"
+
#define REASON_ERROR \
- "check failed"
+ _("check failed")
#define REASON_SAME \
- "is the same as the old one"
+ _("is the same as the old one")
#define REASON_SIMILAR \
- "is based on the old one"
+ _("is based on the old one")
#define REASON_SHORT \
- "too short"
+ _("too short")
#define REASON_LONG \
- "too long"
+ _("too long")
#define REASON_SIMPLESHORT \
- "not enough different characters or classes for this length"
+ _("not enough different characters or classes for this length")
#define REASON_SIMPLE \
- "not enough different characters or classes"
+ _("not enough different characters or classes")
#define REASON_PERSONAL \
- "based on personal login information"
+ _("based on personal login information")
#define REASON_WORD \
- "based on a dictionary word and not a passphrase"
+ _("based on a dictionary word and not a passphrase")
#define REASON_SEQ \
- "based on a common sequence of characters and not a passphrase"
+ _("based on a common sequence of characters and not a passphrase")
#define FIXED_BITS 15
@@ -237,10 +239,10 @@
static void clean(char *dst)
{
- if (dst) {
- memset(dst, 0, strlen(dst));
- free(dst);
- }
+ if (!dst)
+ return;
+ _passwdqc_memzero(dst, strlen(dst));
+ free(dst);
}
/*
@@ -443,7 +445,7 @@
char *u_oldpass;
char *u_name, *u_gecos, *u_dir;
const char *reason;
- int length;
+ size_t length;
u_newpass = u_reversed = NULL;
u_oldpass = NULL;
@@ -451,23 +453,24 @@
reason = REASON_ERROR;
- if (oldpass && !strcmp(oldpass, newpass)) {
- reason = REASON_SAME;
- goto out;
- }
-
length = strlen(newpass);
- if (length < params->min[4]) {
+ if (length < (size_t)params->min[4]) {
reason = REASON_SHORT;
goto out;
}
- if (length > params->max) {
+ if (length > 10000) {
+ reason = REASON_LONG;
+ goto out;
+ }
+
+ if (length > (size_t)params->max) {
if (params->max == 8) {
truncated[0] = '\0';
strncat(truncated, newpass, 8);
newpass = truncated;
+ length = 8;
if (oldpass && !strncmp(oldpass, newpass, 8)) {
reason = REASON_SAME;
goto out;
@@ -478,9 +481,15 @@
}
}
+ if (oldpass && !strcmp(oldpass, newpass)) {
+ reason = REASON_SAME;
+ goto out;
+ }
+
if (is_simple(params, newpass, 0, 0)) {
reason = REASON_SIMPLE;
- if (length < params->min[1] && params->min[1] <= params->max)
+ if (length < (size_t)params->min[1] &&
+ params->min[1] <= params->max)
reason = REASON_SIMPLESHORT;
goto out;
}
@@ -521,7 +530,7 @@
reason = is_word_based(params, u_reversed, newpass, 0x100);
out:
- memset(truncated, 0, sizeof(truncated));
+ _passwdqc_memzero(truncated, sizeof(truncated));
clean(u_newpass);
clean(u_reversed);
clean(u_oldpass);
diff -Nru passwdqc-1.3.0/passwdqc.conf.5 passwdqc-1.4.0/passwdqc.conf.5
--- passwdqc-1.3.0/passwdqc.conf.5 2013-04-23 10:14:07.000000000 -0400
+++ passwdqc-1.4.0/passwdqc.conf.5 2019-12-18 13:06:30.000000000 -0500
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2000-2003,2005,2008 Solar Designer
+.\" Copyright (c) 2000-2003,2005,2008,2019 Solar Designer
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
@@ -35,9 +35,9 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8,v 1.4
2002/05/30 14:49:57 ru Exp $
-.\" $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.conf.5,v 1.11 2013/04/23
14:14:07 solar Exp $
+.\" $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.conf.5,v 1.15 2019/12/16
22:53:55 ldv Exp $
.\"
-.Dd March 13, 2010
+.Dd December 16, 2019
.Dt PASSWDQC.CONF 5
.Os "Openwall Project"
.Sh NAME
@@ -244,14 +244,21 @@
.Cm use_authtok
is that the former is incompatible with
.Cm ask_oldauthtok .
+.It Cm noaudit
+If audit is enabled at build time, the PAM module logs audit events once
+user tries to change their credentials. This option disables that audit
+logging.
.El
.Sh FILES
-.Pa /etc/passwdqc.conf .
+.Pa /etc/passwdqc.conf
+(not read unless this suggested file location is specified with the
+.Cm config=/etc/passwdqc.conf
+option).
.Sh SEE ALSO
.Xr getpwnam 3 ,
.Xr pam_passwdqc 8 .
.Pp
-http://www.openwall.com/passwdqc/
+https://www.openwall.com/passwdqc/
.Sh AUTHORS
The pam_passwdqc module was written for Openwall GNU/*/Linux by
.An Solar Designer Aq solar at openwall.com .
diff -Nru passwdqc-1.3.0/passwdqc.h passwdqc-1.4.0/passwdqc.h
--- passwdqc-1.3.0/passwdqc.h 2013-04-23 21:45:10.000000000 -0400
+++ passwdqc-1.4.0/passwdqc.h 2019-12-25 12:09:02.000000000 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2002 by Solar Designer
+ * Copyright (c) 2000-2002,2016,2019 by Solar Designer
* Copyright (c) 2008,2009 by Dmitry V. Levin
* See LICENSE
*/
@@ -48,7 +48,10 @@
#define F_CHECK_OLDAUTHTOK 0x00000040
#define F_USE_FIRST_PASS 0x00000100
#define F_USE_AUTHTOK 0x00000200
+#define F_NO_AUDIT 0x00000400
-#define PASSWDQC_VERSION "1.3.0"
+#define PASSWDQC_VERSION "1.4.0"
+
+extern void (*_passwdqc_memzero)(void *, size_t);
#endif /* PASSWDQC_H__ */
diff -Nru passwdqc-1.3.0/passwdqc_i18n.h passwdqc-1.4.0/passwdqc_i18n.h
--- passwdqc-1.3.0/passwdqc_i18n.h 1969-12-31 19:00:00.000000000 -0500
+++ passwdqc-1.4.0/passwdqc_i18n.h 2019-12-18 13:06:30.000000000 -0500
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2017 by Dmitry V. Levin
+ * Copyright (c) 2017 by Oleg Solovyov
+ * See LICENSE.
+ */
+
+#ifndef PASSWDQC_I18N_H__
+#define PASSWDQC_I18N_H__
+
+#ifdef ENABLE_NLS
+#include <libintl.h>
+#define _(msgid) dgettext(PACKAGE, msgid)
+#define P2_(msgid, count) (dngettext(PACKAGE, (msgid), (msgid), (count)))
+#define P3_(msgid, msgid_plural, count) (dngettext(PACKAGE, (msgid),
(msgid_plural), (count)))
+#define N_(msgid) msgid
+#else
+#define _(msgid) (msgid)
+#define P2_(msgid, count) (msgid)
+#define P3_(msgid, msgid_plural, count) ((count) == 1 ? (msgid) :
(msgid_plural))
+#define N_(msgid) msgid
+#endif
+
+#endif /* PASSWDQC_I18N_H__ */
diff -Nru passwdqc-1.3.0/passwdqc_memzero.c passwdqc-1.4.0/passwdqc_memzero.c
--- passwdqc-1.3.0/passwdqc_memzero.c 1969-12-31 19:00:00.000000000 -0500
+++ passwdqc-1.4.0/passwdqc_memzero.c 2016-07-20 21:01:59.000000000 -0400
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2016 by Solar Designer. See LICENSE.
+ */
+
+#include <string.h>
+
+static void memzero(void *buf, size_t len)
+{
+ memset(buf, 0, len);
+}
+
+void (*_passwdqc_memzero)(void *, size_t) = memzero;
diff -Nru passwdqc-1.3.0/passwdqc_parse.c passwdqc-1.4.0/passwdqc_parse.c
--- passwdqc-1.3.0/passwdqc_parse.c 2013-04-23 09:52:53.000000000 -0400
+++ passwdqc-1.4.0/passwdqc_parse.c 2019-12-16 05:34:46.000000000 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2003,2005 by Solar Designer
+ * Copyright (c) 2000-2003,2005,2016 by Solar Designer
* Copyright (c) 2008,2009 by Dmitry V. Levin
* See LICENSE
*/
@@ -54,6 +54,8 @@
v = strtoul(p, &e, 10);
if (*e || v < 8 || v > INT_MAX)
goto parse_error;
+ if (v > 10000)
+ v = 10000;
params->qc.max = v;
} else if ((p = skip_prefix(option, "passphrase="))) {
v = strtoul(p, &e, 10);
@@ -118,6 +120,8 @@
params->pam.flags |= F_USE_FIRST_PASS | F_USE_AUTHTOK;
} else if (!strcmp(option, "use_authtok")) {
params->pam.flags |= F_USE_AUTHTOK;
+ } else if (!strcmp(option, "noaudit")) {
+ params->pam.flags |= F_NO_AUDIT;
} else if ((p = skip_prefix(option, "config="))) {
if ((rc = passwdqc_params_load(params, reason, p)))
goto parse_error;
diff -Nru passwdqc-1.3.0/passwdqc_random.c passwdqc-1.4.0/passwdqc_random.c
--- passwdqc-1.3.0/passwdqc_random.c 2013-04-23 10:00:38.000000000 -0400
+++ passwdqc-1.4.0/passwdqc_random.c 2016-07-20 16:31:47.000000000 -0400
@@ -1,5 +1,6 @@
/*
- * Copyright (c) 2000-2002,2005,2008,2010,2013 by Solar Designer. See LICENSE.
+ * Copyright (c) 2000-2002,2005,2008,2010,2013,2016 by Solar Designer
+ * See LICENSE
*/
#include <stdio.h>
@@ -204,8 +205,8 @@
}
out:
- memset(bytes, 0, sizeof(bytes));
- memset(output, 0, length);
+ _passwdqc_memzero(bytes, sizeof(bytes));
+ _passwdqc_memzero(output, length);
close(fd);
diff -Nru passwdqc-1.3.0/passwdqc.spec passwdqc-1.4.0/passwdqc.spec
--- passwdqc-1.3.0/passwdqc.spec 2013-04-23 22:02:54.000000000 -0400
+++ passwdqc-1.4.0/passwdqc.spec 2019-12-25 12:09:02.000000000 -0500
@@ -1,13 +1,13 @@
-# $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.spec,v 1.63 2013/04/24
02:02:54 solar Exp $
+# $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.spec,v 1.67 2019/12/25
11:42:06 ldv Exp $
Summary: A password/passphrase strength checking and policy enforcement
toolset.
Name: passwdqc
-Version: 1.3.0
+Version: 1.4.0
Release: owl1
License: BSD-compatible
Group: System Environment/Base
-URL: http://www.openwall.com/passwdqc/
-Source: http://www.openwall.com/passwdqc/%name-%version.tar.gz
+URL: https://www.openwall.com/passwdqc/
+Source: https://www.openwall.com/passwdqc/%name-%version.tar.gz
Provides: pam_passwdqc = %version-%release
Obsoletes: pam_passwdqc < %version-%release
BuildRequires: pam-devel
@@ -73,6 +73,39 @@
%_libdir/lib*.so
%changelog
+* Wed Dec 25 2019 Dmitry V. Levin <ldv-at-owl.openwall.com> 1.4.0-owl1
+- Implemented i18n support in pam_passwdqc, contributed by Oleg Solovyov,
+Andrey Cherepanov, and me. The i18n support is off by default, it can be
+enabled if Linux-PAM is built using --enable-nls configure option.
+- Implemented audit support in pam_passwdqc, contributed by Oleg Solovyov
+and me. The audit support is off by default, it can be enabled if Linux-PAM
+is built using --enable-audit configure option.
+
+* Mon Dec 09 2019 Solar Designer <solar-at-owl.openwall.com> 1.3.2-owl1
+- Define _DEFAULT_SOURCE for our use of crypt(3) on newer glibc.
+The problem was identified and this change tested by Dmitry V. Levin.
+- Clarified in the man pages that /etc/passwdqc.conf is not read unless this
+suggested file location is specified with the config= option.
+- Clarified the OpenBSD configuration example.
+- Escape the minus sign in the OpenBSD configuration example to make the
+manpage linter happy, patch by Jackson Doak via Unit 193:
+https://www.openwall.com/lists/passwdqc-users/2019/04/16/1
+
+* Wed Jul 20 2016 Solar Designer <solar-at-owl.openwall.com> 1.3.1-owl1
+- With "non-unix", initialize the pw_dir field in fake_pw now that (since
+passwdqc 1.1.3 in 2009) passwdqc_check.c uses that field.
+Bug reported by Jim Paris via Debian: https://bugs.debian.org/831356
+- Use size_t for variables holding strlen() return values.
+- Cap "max" at 10000 (in case a config set it higher; the default remains 40).
+- Check against the shortest allowed password length prior to checking against
+the old password (this affects reporting when the old password is empty).
+- For zeroization of sensitive data, use a wrapper around memset() called via
+a function pointer to reduce the likelihood of a compiler optimizing those
+calls out and to allow for overriding of this function with an OS-specific
+"secure" memory zeroization function.
+- In pwqgen, set stdout to non-buffered, and zeroize and free our own buffer
+holding the generated password.
+
* Wed Apr 24 2013 Solar Designer <solar-at-owl.openwall.com> 1.3.0-owl1
- When checking is_simple() after discounting a common character sequence,
apply the (negative) bias even for the passphrase length check. Previously,
diff -Nru passwdqc-1.3.0/PLATFORMS passwdqc-1.4.0/PLATFORMS
--- passwdqc-1.3.0/PLATFORMS 2010-06-22 19:07:24.000000000 -0400
+++ passwdqc-1.4.0/PLATFORMS 2019-12-09 18:04:53.000000000 -0500
@@ -24,8 +24,9 @@
OpenBSD.
OpenBSD does not use PAM, however it is able to use passwdqc's pwqcheck
-program. Insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\" into
-the "default" section in /etc/login.conf.
+program. Insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\"
+(without the quotes, but with the trailing backslash) into the "default"
+section in /etc/login.conf.
Solaris, HP-UX 11.
@@ -51,6 +52,6 @@
There's a wiki page with detailed instructions specific to Solaris:
-http://openwall.info/wiki/passwdqc/solaris
+https://openwall.info/wiki/passwdqc/solaris
-$Owl: Owl/packages/passwdqc/passwdqc/PLATFORMS,v 1.15 2010/06/22 23:07:24
solar Exp $
+$Owl: Owl/packages/passwdqc/passwdqc/PLATFORMS,v 1.17 2019/12/09 23:04:53
solar Exp $
diff -Nru passwdqc-1.3.0/po/passwdqc.pot passwdqc-1.4.0/po/passwdqc.pot
--- passwdqc-1.3.0/po/passwdqc.pot 1969-12-31 19:00:00.000000000 -0500
+++ passwdqc-1.4.0/po/passwdqc.pot 2019-12-15 19:31:02.000000000 -0500
@@ -0,0 +1,217 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2017-08-10 15:00+0300\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <l...@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
+
+#: pam_passwdqc.c:60
+msgid "Enter current password: "
+msgstr ""
+
+#: pam_passwdqc.c:62
+msgid "Enter new password: "
+msgstr ""
+
+#: pam_passwdqc.c:64
+msgid "Re-type new password: "
+msgstr ""
+
+#: pam_passwdqc.c:67
+msgid "System configuration error. Please contact your administrator."
+msgstr ""
+
+#: pam_passwdqc.c:71
+msgid ""
+"\n"
+"You can now choose the new password.\n"
+msgstr ""
+
+#: pam_passwdqc.c:73
+msgid ""
+"\n"
+"You can now choose the new password or passphrase.\n"
+msgstr ""
+
+#: pam_passwdqc.c:76
+#, c-format
+msgid ""
+"A good password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters.\n"
+msgstr ""
+
+#: pam_passwdqc.c:81
+#, c-format
+msgid ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least %d of these 4 classes.\n"
+"An upper case letter that begins the password and a digit that\n"
+"ends it do not count towards the number of character classes used.\n"
+msgid_plural ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least %d of these 4 classes.\n"
+"An upper case letter that begins the password and a digit that\n"
+"ends it do not count towards the number of character classes used.\n"
+msgstr[0] ""
+msgstr[1] ""
+
+#: pam_passwdqc.c:88
+#, c-format
+msgid ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from all of these classes. An upper\n"
+"case letter that begins the password and a digit that ends it do\n"
+"not count towards the number of character classes used.\n"
+msgid_plural ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from all of these classes. An upper\n"
+"case letter that begins the password and a digit that ends it do\n"
+"not count towards the number of character classes used.\n"
+msgstr[0] ""
+msgstr[1] ""
+
+#: pam_passwdqc.c:95
+#, c-format
+msgid ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least 3 of these 4 classes, or\n"
+msgid_plural ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least 3 of these 4 classes, or\n"
+msgstr[0] ""
+msgstr[1] ""
+
+#: pam_passwdqc.c:100
+#, c-format
+msgid ""
+"a password containing %d characters from all the classes.\n"
+"An upper case letter that begins the password and a\n"
+"digit that ends it do not count towards the number of character\n"
+"classes used.\n"
+msgid_plural ""
+"a password containing %d characters from all the classes.\n"
+"An upper case letter that begins the password and a\n"
+"digit that ends it do not count towards the number of character\n"
+"classes used.\n"
+msgstr[0] ""
+msgstr[1] ""
+
+#: pam_passwdqc.c:106
+#, c-format
+msgid ""
+"A passphrase should be of at least %d word, %d to %d characters\n"
+"long, and contain enough different characters.\n"
+msgid_plural ""
+"A passphrase should be of at least %d words, %d to %d characters\n"
+"long, and contain enough different characters.\n"
+msgstr[0] ""
+msgstr[1] ""
+
+#: pam_passwdqc.c:113
+#, c-format
+msgid ""
+"Alternatively, if no one else can see your terminal now, you can\n"
+"pick this as your password: \"%s\".\n"
+msgstr ""
+
+#: pam_passwdqc.c:116
+#, c-format
+msgid ""
+"This system is configured to permit randomly generated passwords\n"
+"only. If no one else can see your terminal now, you can pick this\n"
+"as your password: \"%s\". Otherwise come back later.\n"
+msgstr ""
+
+#: pam_passwdqc.c:120
+msgid ""
+"This system is configured to use randomly generated passwords\n"
+"only, but the attempt to generate a password has failed. This\n"
+"could happen for a number of reasons: you could have requested\n"
+"an impossible password length, or the access to kernel random\n"
+"number pool could have failed."
+msgstr ""
+
+#: pam_passwdqc.c:126
+msgid "This password may be too long for some services. Choose another."
+msgstr ""
+
+#: pam_passwdqc.c:128
+msgid "Warning: your longer password will be truncated to 8 characters."
+msgstr ""
+
+#: pam_passwdqc.c:130
+#, c-format
+msgid "Weak password: %s."
+msgstr ""
+
+#: pam_passwdqc.c:132
+msgid "Sorry, you've mistyped the password that was generated for you."
+msgstr ""
+
+#: pam_passwdqc.c:134
+msgid "Sorry, passwords do not match."
+msgstr ""
+
+#: pam_passwdqc.c:136
+msgid "Try again."
+msgstr ""
+
+#: passwdqc_check.c:17
+msgid "check failed"
+msgstr ""
+
+#: passwdqc_check.c:20
+msgid "is the same as the old one"
+msgstr ""
+
+#: passwdqc_check.c:22
+msgid "is based on the old one"
+msgstr ""
+
+#: passwdqc_check.c:25
+msgid "too short"
+msgstr ""
+
+#: passwdqc_check.c:27
+msgid "too long"
+msgstr ""
+
+#: passwdqc_check.c:30
+msgid "not enough different characters or classes for this length"
+msgstr ""
+
+#: passwdqc_check.c:32
+msgid "not enough different characters or classes"
+msgstr ""
+
+#: passwdqc_check.c:35
+msgid "based on personal login information"
+msgstr ""
+
+#: passwdqc_check.c:38
+msgid "based on a dictionary word and not a passphrase"
+msgstr ""
+
+#: passwdqc_check.c:41
+msgid "based on a common sequence of characters and not a passphrase"
+msgstr ""
diff -Nru passwdqc-1.3.0/po/ru.po passwdqc-1.4.0/po/ru.po
--- passwdqc-1.3.0/po/ru.po 1969-12-31 19:00:00.000000000 -0500
+++ passwdqc-1.4.0/po/ru.po 2019-12-15 19:31:02.000000000 -0500
@@ -0,0 +1,295 @@
+# A passphrase strength checking and policy enforcement toolset.
+# Copyright (c) 2000-2003,2005,2008,2010,2013,2016 by Solar Designer
+# Copyright (c) 2008,2009 by Dmitry V. Levin
+# This file is distributed under the same license as the passwdqc package.
+#
+# Oleg Solovyov <mcp...@altlinux.org>, 2017.
+# Andrey Cherepanov <c...@altlinux.org>, 2017.
+msgid ""
+msgstr ""
+"Project-Id-Version: passwdqc 1.3.1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2017-08-10 15:00+0300\n"
+"PO-Revision-Date: 2017-08-10 15:00+0300\n"
+"Last-Translator: Andrey Cherepanov <c...@altlinux.org>\n"
+"Language-Team: Russian\n"
+"Language: ru\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
+
+#: pam_passwdqc.c:60
+msgid "Enter current password: "
+msgstr "Введите старый пароль: "
+
+#: pam_passwdqc.c:62
+msgid "Enter new password: "
+msgstr "Введите новый пароль: "
+
+#: pam_passwdqc.c:64
+msgid "Re-type new password: "
+msgstr "Повторите новый пароль: "
+
+#: pam_passwdqc.c:67
+msgid "System configuration error. Please contact your administrator."
+msgstr "Ошибка настройки системы. Свяжитесь с вашим администратором."
+
+#: pam_passwdqc.c:71
+msgid ""
+"\n"
+"You can now choose the new password.\n"
+msgstr ""
+"\n"
+"Вы можете выбрать новый пароль.\n"
+
+#: pam_passwdqc.c:73
+msgid ""
+"\n"
+"You can now choose the new password or passphrase.\n"
+msgstr ""
+"\n"
+"Вы можете выбрать новый пароль или парольную фразу.\n"
+
+#: pam_passwdqc.c:76
+#, c-format
+msgid ""
+"A good password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters.\n"
+msgstr ""
+"В хорошем пароле приветствуется наличие заглавных и строчных букв,\n"
+"цифр и прочих символов. Пароль должен содержать достаточное \n"
+"количество символов (не менее %d).\n"
+
+#: pam_passwdqc.c:81
+#, c-format
+msgid ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least %d of these 4 classes.\n"
+"An upper case letter that begins the password and a digit that\n"
+"ends it do not count towards the number of character classes used.\n"
+msgid_plural ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least %d of these 4 classes.\n"
+"An upper case letter that begins the password and a digit that\n"
+"ends it do not count towards the number of character classes used.\n"
+msgstr[0] ""
+"Пароль должен содержать заглавные, строчные буквы, цифры и другие\n"
+"символы и может содержать от %d символа, принадлежащего минимум %d классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра\n"
+"в конце.\n"
+msgstr[1] ""
+"Пароль должен содержать заглавные, строчные буквы, цифры и другие\n"
+"символы и может содержать от %d символов, принадлежащих минимум %d классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра\n"
+"в конце.\n"
+msgstr[2] ""
+"Пароль должен содержать заглавные, строчные буквы, цифры и другие\n"
+"символы и может содержать от %d символов, принадлежащих минимум %d классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра\n"
+"в конце.\n"
+
+#: pam_passwdqc.c:88
+#, c-format
+msgid ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from all of these classes. An upper\n"
+"case letter that begins the password and a digit that ends it do\n"
+"not count towards the number of character classes used.\n"
+msgid_plural ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from all of these classes. An upper\n"
+"case letter that begins the password and a digit that ends it do\n"
+"not count towards the number of character classes used.\n"
+msgstr[0] ""
+"Пароль должен содержать заглавные, строчные буквы, цифры, другие\n"
+"символы и может содержать от %d символа, принадлежащего всем классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра\n"
+"в конце.\n"
+msgstr[1] ""
+"Пароль должен содержать заглавные, строчные буквы, цифры, другие\n"
+"символы. Ваш пароль может содержать от %d символов, принадлежащих всем "
+"классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра\n"
+"в конце.\n"
+msgstr[2] ""
+"Пароль должен содержать заглавные, строчные буквы, цифры, другие\n"
+"символы. Ваш пароль может содержать от %d символов, принадлежащих всем "
+"классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра\n"
+"в конце.\n"
+
+#: pam_passwdqc.c:95
+#, c-format
+msgid ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least 3 of these 4 classes, or\n"
+msgid_plural ""
+"A valid password should be a mix of upper and lower case letters,\n"
+"digits, and other characters. You can use a password\n"
+"that consists of %d characters from at least 3 of these 4 classes, or\n"
+msgstr[0] ""
+"Пароль должен содержать заглавные, строчные буквы,\n"
+"цифры и другие символы и может содержать от %d символа, принадлежащего "
+"минимум 3 классам из 4, или \n"
+msgstr[1] ""
+"Пароль должен содержать заглавные, строчные буквы,\n"
+"цифры и другие символы и может содержать от %d символов, принадлежащих "
+"минимум 3 классам из 4, или \n"
+msgstr[2] ""
+"Пароль должен содержать заглавные, строчные буквы,\n"
+"цифры и другие символы и может содержать от %d символов, принадлежащих "
+"минимум 3 классам из 4, или \n"
+
+#: pam_passwdqc.c:100
+#, c-format
+msgid ""
+"a password containing %d characters from all the classes.\n"
+"An upper case letter that begins the password and a\n"
+"digit that ends it do not count towards the number of character\n"
+"classes used.\n"
+msgid_plural ""
+"a password containing %d characters from all the classes.\n"
+"An upper case letter that begins the password and a\n"
+"digit that ends it do not count towards the number of character\n"
+"classes used.\n"
+msgstr[0] ""
+"от %d символа, принадлежащего всем классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра в "
+"конце.\n"
+msgstr[1] ""
+"от %d символов, принадлежащих всем классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра в "
+"конце.\n"
+msgstr[2] ""
+"от %d символов, принадлежащих всем классам.\n"
+"При подсчете классов не учитываются заглавная буква в начале и цифра в "
+"конце.\n"
+
+#: pam_passwdqc.c:106
+#, c-format
+msgid ""
+"A passphrase should be of at least %d word, %d to %d characters\n"
+"long, and contain enough different characters.\n"
+msgid_plural ""
+"A passphrase should be of at least %d words, %d to %d characters\n"
+"long, and contain enough different characters.\n"
+msgstr[0] ""
+"Парольная фраза должна состоять как минимум из %d слова, и содержать\n"
+"от %d до %d символов, среди которых достаточно различных.\n"
+msgstr[1] ""
+"Парольная фраза должна состоять как минимум из %d слов, и содержать\n"
+"от %d до %d символов, среди которых достаточно различных.\n"
+msgstr[2] ""
+"Парольная фраза должна состоять как минимум из %d слов, и содержать\n"
+"от %d до %d символов, среди которых достаточно различных.\n"
+
+#: pam_passwdqc.c:113
+#, c-format
+msgid ""
+"Alternatively, if no one else can see your terminal now, you can\n"
+"pick this as your password: \"%s\".\n"
+msgstr ""
+"Если ваш терминал никто не видит, вы можете набрать предлагаемый пароль: \"%"
+"s\".\n"
+
+#: pam_passwdqc.c:116
+#, c-format
+msgid ""
+"This system is configured to permit randomly generated passwords\n"
+"only. If no one else can see your terminal now, you can pick this\n"
+"as your password: \"%s\". Otherwise come back later.\n"
+msgstr ""
+"Система настроена на использование только случайно генерированных паролей.\n"
+"Если ваш терминал никто не видит, вы можете набрать предлагаемый пароль: "
+"\"%s\".\n"
+"В противном случае попробуйте повторить попытку позже.\n"
+
+#: pam_passwdqc.c:120
+msgid ""
+"This system is configured to use randomly generated passwords\n"
+"only, but the attempt to generate a password has failed. This\n"
+"could happen for a number of reasons: you could have requested\n"
+"an impossible password length, or the access to kernel random\n"
+"number pool could have failed."
+msgstr ""
+"Система настроена на использование только случайно генерированных паролей, "
+"но\n"
+"создать пароль не удалось. Это могло произойти по нескольким\n"
+"причинам: вы запросили слишком длинный пароль, либо было отказано в доступе\n"
+"к пулу случайных чисел ядра."
+
+#: pam_passwdqc.c:126
+msgid "This password may be too long for some services. Choose another."
+msgstr ""
+"Этот пароль может оказаться слишком длинным для некоторых служб. Выберите "
+"другой."
+
+#: pam_passwdqc.c:128
+msgid "Warning: your longer password will be truncated to 8 characters."
+msgstr "Внимание: ваш пароль будет усечён до 8 символов."
+
+#: pam_passwdqc.c:130
+#, c-format
+msgid "Weak password: %s."
+msgstr "Слабый пароль: %s."
+
+#: pam_passwdqc.c:132
+msgid "Sorry, you've mistyped the password that was generated for you."
+msgstr "Извините, вы ошиблись при вводе созданного для вас пароля."
+
+#: pam_passwdqc.c:134
+msgid "Sorry, passwords do not match."
+msgstr "Пароли не совпадают."
+
+#: pam_passwdqc.c:136
+msgid "Try again."
+msgstr "Попробуйте ещё раз."
+
+#: passwdqc_check.c:17
+msgid "check failed"
+msgstr "проверка не удалась"
+
+#: passwdqc_check.c:20
+msgid "is the same as the old one"
+msgstr "совпадает со старым"
+
+#: passwdqc_check.c:22
+msgid "is based on the old one"
+msgstr "основан на старом"
+
+#: passwdqc_check.c:25
+msgid "too short"
+msgstr "слишком короткий"
+
+#: passwdqc_check.c:27
+msgid "too long"
+msgstr "слишком длинный"
+
+#: passwdqc_check.c:30
+msgid "not enough different characters or classes for this length"
+msgstr "недостаточно символов или классов для заданной длины"
+
+#: passwdqc_check.c:32
+msgid "not enough different characters or classes"
+msgstr "недостаточно символов или классов"
+
+#: passwdqc_check.c:35
+msgid "based on personal login information"
+msgstr "основан на персональных данных"
+
+#: passwdqc_check.c:38
+msgid "based on a dictionary word and not a passphrase"
+msgstr "основан на слове из словаря и не является парольной фразой"
+
+#: passwdqc_check.c:41
+msgid "based on a common sequence of characters and not a passphrase"
+msgstr ""
+"основан на простой последовательности символов и не является парольной фразой"
diff -Nru passwdqc-1.3.0/pwqcheck.1 passwdqc-1.4.0/pwqcheck.1
--- passwdqc-1.3.0/pwqcheck.1 2010-03-15 00:17:19.000000000 -0400
+++ passwdqc-1.4.0/pwqcheck.1 2019-12-09 18:29:53.000000000 -0500
@@ -1,6 +1,6 @@
.\" Copyright (c) 2009 Dmitry V. Levin
.\" All rights reserved.
-.\" Copyright (c) 2000-2003,2005,2008,2010 Solar Designer
+.\" Copyright (c) 2000-2003,2005,2008,2010,2019 Solar Designer
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -18,9 +18,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Owl: Owl/packages/passwdqc/passwdqc/pwqcheck.1,v 1.15 2010/03/15 04:17:19
solar Exp $
+.\" $Owl: Owl/packages/passwdqc/passwdqc/pwqcheck.1,v 1.19 2019/12/09 23:29:53
solar Exp $
.\"
-.Dd March 15, 2010
+.Dd December 9, 2019
.Dt PWQCHECK 1
.Os "Openwall Project"
.Sh NAME
@@ -160,7 +160,8 @@
This is needed to use
.Nm
as the passwordcheck program on OpenBSD - e.g., with
-":passwordcheck=/usr/bin/pwqcheck -1:\\"
+":passwordcheck=/usr/bin/pwqcheck \-1:\\"
+(without the quotes, but with the trailing backslash)
in the "default" section in
.Cm /etc/login.conf .
.It Cm -2
@@ -205,14 +206,17 @@
.Nm
also exits with non-zero status when it detects a weak passphrase.
.Sh FILES
-.Pa /etc/passwdqc.conf .
+.Pa /etc/passwdqc.conf
+(not read unless this suggested file location is specified with the
+.Cm config=/etc/passwdqc.conf
+option).
.Sh SEE ALSO
.Xr pwqgen 1 ,
.Xr passwd 5 ,
.Xr passwdqc.conf 5 ,
.Xr pam_passwdqc 8 .
.Pp
-http://www.openwall.com/passwdqc/
+https://www.openwall.com/passwdqc/
.Sh AUTHORS
The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar Designer.
The
diff -Nru passwdqc-1.3.0/pwqcheck.c passwdqc-1.4.0/pwqcheck.c
--- passwdqc-1.3.0/pwqcheck.c 2010-03-14 23:46:05.000000000 -0400
+++ passwdqc-1.4.0/pwqcheck.c 2016-07-20 16:23:36.000000000 -0400
@@ -1,23 +1,24 @@
/*
* Copyright (c) 2008,2009 by Dmitry V. Levin
- * Copyright (c) 2010 by Solar Designer
+ * Copyright (c) 2010,2016 by Solar Designer
* See LICENSE
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
#include "passwdqc.h"
-static void clean(char *dst, int size)
+static void clean(char *dst, size_t size)
{
if (!dst)
return;
- memset(dst, 0, size);
+ _passwdqc_memzero(dst, size);
free(dst);
}
-static char *read_line(unsigned int size, int eof_ok)
+static char *read_line(size_t size, int eof_ok)
{
char *p, *buf = malloc(size + 1);
@@ -73,7 +74,7 @@
return NULL;
}
if (p->pw_passwd)
- memset(p->pw_passwd, 0, strlen(p->pw_passwd));
+ _passwdqc_memzero(p->pw_passwd, strlen(p->pw_passwd));
memcpy(pw, p, sizeof(*pw));
} else {
memset(pw, 0, sizeof(*pw));
@@ -131,7 +132,7 @@
char *parse_reason, *newpass, *oldpass, *pwline;
struct passwd pwbuf, *pw;
int lines_to_read = 3, multi = 0;
- int size = 8192;
+ size_t size = 8192;
int rc = 1;
while (argc > 1 && argv[1][0] == '-') {
@@ -173,8 +174,8 @@
return rc;
}
- if (params.qc.max + 1 > size)
- size = params.qc.max + 1;
+ if ((size_t)params.qc.max + 1 > size)
+ size = (size_t)params.qc.max + 1;
next_pass:
oldpass = pwline = NULL; pw = NULL;
@@ -204,7 +205,7 @@
printf("Bad passphrase (%s)\n", check_reason);
cleanup:
- memset(&pwbuf, 0, sizeof(pwbuf));
+ _passwdqc_memzero(&pwbuf, sizeof(pwbuf));
clean(pwline, size);
clean(oldpass, size);
clean(newpass, size);
diff -Nru passwdqc-1.3.0/pwqcheck.php passwdqc-1.4.0/pwqcheck.php
--- passwdqc-1.3.0/pwqcheck.php 2013-04-23 21:57:26.000000000 -0400
+++ passwdqc-1.4.0/pwqcheck.php 2019-12-09 17:39:41.000000000 -0500
@@ -8,12 +8,12 @@
* PHP application's users and passwords" article submitted to "the Month of
* PHP Security" (which was May 2010):
*
- *
http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy
+ *
https://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy
*
* The pwqcheck() function is a wrapper around the pwqcheck(1) program from
* the passwdqc package:
*
- * http://www.openwall.com/passwdqc/
+ * https://www.openwall.com/passwdqc/
*
* Returns 'OK' if the new password/passphrase passes the requirements.
* Otherwise returns a message explaining one of the reasons why the
diff -Nru passwdqc-1.3.0/pwqgen.1 passwdqc-1.4.0/pwqgen.1
--- passwdqc-1.3.0/pwqgen.1 2013-04-23 10:14:07.000000000 -0400
+++ passwdqc-1.4.0/pwqgen.1 2019-12-09 18:29:53.000000000 -0500
@@ -1,5 +1,7 @@
.\" Copyright (c) 2009 Dmitry V. Levin
.\" All rights reserved.
+.\" Copyright (c) 2019 Solar Designer
+.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted.
@@ -16,9 +18,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Owl: Owl/packages/passwdqc/passwdqc/pwqgen.1,v 1.11 2013/04/23 14:14:07
solar Exp $
+.\" $Owl: Owl/packages/passwdqc/passwdqc/pwqgen.1,v 1.13 2019/12/09 23:29:53
solar Exp $
.\"
-.Dd March 13, 2010
+.Dd December 9, 2019
.Dt PWQGEN 1
.Os "Openwall Project"
.Sh NAME
@@ -65,14 +67,17 @@
invalid option, invalid parameter value, when it fails to obtain enough
randomness, and in any case when it fails to generate a passphrase.
.Sh FILES
-.Pa /etc/passwdqc.conf .
+.Pa /etc/passwdqc.conf
+(not read unless this suggested file location is specified with the
+.Cm config=/etc/passwdqc.conf
+option).
.Sh SEE ALSO
.Xr pwqcheck 1 ,
.Xr urandom 4 ,
.Xr passwdqc.conf 5 ,
.Xr pam_passwdqc 8 .
.Pp
-http://www.openwall.com/passwdqc/
+https://www.openwall.com/passwdqc/
.Sh AUTHORS
The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar Designer.
The
diff -Nru passwdqc-1.3.0/pwqgen.c passwdqc-1.4.0/pwqgen.c
--- passwdqc-1.3.0/pwqgen.c 2009-10-26 21:45:50.000000000 -0400
+++ passwdqc-1.4.0/pwqgen.c 2016-07-20 16:30:01.000000000 -0400
@@ -1,10 +1,13 @@
/*
- * Copyright (c) 2008,2009 by Dmitry V. Levin. See LICENSE.
+ * Copyright (c) 2008,2009 by Dmitry V. Levin
+ * Copyright (c) 2016 by Solar Designer
+ * See LICENSE
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
#include "passwdqc.h"
static void
@@ -27,6 +30,7 @@
{
passwdqc_params_t params;
char *reason, *pass;
+ int retval;
if (argc > 1 && argv[1][0] == '-') {
if (!strcmp("-h", argv[1]) || !strcmp("--help", argv[1])) {
@@ -58,5 +62,12 @@
return 1;
}
- return (puts(pass) >= 0 && fflush(stdout) >= 0) ? 0 : 1;
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ retval = (puts(pass) >= 0 && fflush(stdout) == 0) ? 0 : 1;
+
+ _passwdqc_memzero(pass, strlen(pass));
+ free(pass);
+
+ return retval;
}
diff -Nru passwdqc-1.3.0/README passwdqc-1.4.0/README
--- passwdqc-1.3.0/README 2013-04-23 10:14:07.000000000 -0400
+++ passwdqc-1.4.0/README 2019-12-16 05:34:46.000000000 -0500
@@ -149,7 +149,13 @@
the only difference between "use_first_pass" and "use_authtok" is that
the former is incompatible with "ask_oldauthtok".
+ noaudit []
+
+If audit is enabled at build time, the PAM module logs audit events once
+user tries to change their credentials. This option disables that audit
+logging.
+
--
Solar Designer <solar at openwall.com>
-$Owl: Owl/packages/passwdqc/passwdqc/README,v 1.16 2013/04/23 14:14:07 solar
Exp $
+$Owl: Owl/packages/passwdqc/passwdqc/README,v 1.17 2019/12/16 00:43:25 ldv Exp
$
diff -Nru passwdqc-1.3.0/wordset_4k.c passwdqc-1.4.0/wordset_4k.c
--- passwdqc-1.3.0/wordset_4k.c 2013-04-23 08:22:39.000000000 -0400
+++ passwdqc-1.4.0/wordset_4k.c 2019-12-09 17:39:41.000000000 -0500
@@ -16,7 +16,7 @@
* At least two other sci.crypt postings by Dianelos Georgoudis also state
* that the word list is in the public domain, and so did the web page at:
*
- * http://web.archive.org/web/%2a/http://www.tecapro.com/makepass.html
+ * https://web.archive.org/web/%2a/http://www.tecapro.com/makepass.html
*
* which existed until 2006 and is available from the Wayback Machine as of
* this writing (March 2010). Specifically, the web page said:
@@ -28,7 +28,7 @@
* "To download a copy click here" was a link to free/makepass.lst, which is
* currently available via the Wayback Machine:
*
- * http://web.archive.org/web/%2a/http://www.tecapro.com/free/makepass.lst
+ * https://web.archive.org/web/%2a/http://www.tecapro.com/free/makepass.lst
*
* Even though the original description of the list stated that "each word
* must contain between 3 and 6 characters", there were two 7-character words:
