Author: jsuchome Date: Tue Jun 2 22:40:08 2009 New Revision: 57402 URL: http://svn.opensuse.org/viewcvs/yast?rev=57402&view=rev Log: - pam_pwcheck calls replaced with pam_cracklib/pam_pwhistory, removed obsolete "obscure checks" settings (fate#305468) - 2.18.0 Modified: trunk/security/VERSION trunk/security/package/yast2-security.changes trunk/security/src/Security.ycp trunk/security/src/dialogs.ycp trunk/security/src/helps.ycp trunk/security/src/levels.ycp trunk/security/src/routines.ycp trunk/security/src/security.ycp trunk/security/src/widgets.ycp trunk/security/testsuite/tests/Level1.out trunk/security/testsuite/tests/Level2.out trunk/security/testsuite/tests/Level3.out trunk/security/testsuite/tests/Read.out trunk/security/testsuite/tests/Read.ycp trunk/security/testsuite/tests/Write.out trunk/security/testsuite/tests/Write.ycp
Modified: trunk/security/VERSION URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/VERSION?rev=57402&r1... ==============================================================================
--- trunk/security/VERSION (original)
+++ trunk/security/VERSION Tue Jun 2 22:40:08 2009
@@ -1 +1 @@
-2.17.12
+2.18.0
Modified: trunk/security/package/yast2-security.changes URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/package/yast2-security.c... ==============================================================================
--- trunk/security/package/yast2-security.changes (original)
+++ trunk/security/package/yast2-security.changes Tue Jun 2 22:40:08 2009
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Tue Jun 2 22:26:15 CEST 2009 - jsuchome@suse.cz + +- pam_pwcheck calls replaced with pam_cracklib/pam_pwhistory, + removed obsolete "obscure checks" settings (fate#305468) +- 2.18.0 + +------------------------------------------------------------------- Mon Feb 9 11:58:17 CET 2009 - lslezak@suse.cz - added "SuSEfirewall" and "earlysyslog" service to ignore list Modified: trunk/security/src/Security.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/Security.ycp?rev=574... ============================================================================== --- trunk/security/src/Security.ycp (original) +++ trunk/security/src/Security.ycp Tue Jun 2 22:40:08 2009 @@ -121,7 +121,6 @@ "GID_MIN" : "1000", "DISPLAYMANAGER_SHUTDOWN" : "all", "LASTLOG_ENAB" : "yes", - "OBSCURE_CHECKS_ENAB" : "yes", "PASSWD_ENCRYPTION" : "blowfish", "GROUP_ENCRYPTION" : "md5", "PASSWD_USE_CRACKLIB" : "yes", @@ -377,11 +376,7 @@ /* Read pam settings */ - /* pam stuff */ - map pwcheck = Pam::Query ("pwcheck"); - list<string> pam_check_settings = pwcheck["password"]:[]; - - /* read the password hash settings */ + // read the password hash settings string method = PamSettings::GetDefaultValue ("CRYPT_FILES"); if (method == nil || method == "" || !contains (["des","md5","blowfish"],method)) 
@@ -393,23 +388,26 @@ Settings["PASSWD_ENCRYPTION"] = method; Settings["GROUP_ENCRYPTION"] = PamSettings::GetGroupHashMethod (); - /* obscure checks */ - boolean obscure = !contains (pam_check_settings, "no_obscure_checks"); - Settings["OBSCURE_CHECKS_ENAB"] = obscure? "yes":"no"; - - /* other pam_pwcheck settings */ + // cracklib and pwhistory settings Settings ["PASS_MIN_LEN"] = "5"; Settings ["PASSWD_USE_CRACKLIB"] = "no"; Settings ["PASSWD_REMEMBER_HISTORY"] = "0"; - foreach (string val, pam_check_settings, { + + map pam_cracklib = Pam::Query ("cracklib"); + if (size (pam_cracklib) > 0) + Settings ["PASSWD_USE_CRACKLIB"] = "yes"; + foreach (string val, pam_cracklib["password"]:[], { list lval = splitstring (val, "="); - if (issubstring (val, "minlen") && lval[1]:"" != "") - Settings ["PASS_MIN_LEN"] = lval[1]:"5"; - /* use cracklib? */ - if (issubstring (val, "cracklib")) { + if (issubstring (val, "dictpath=")) { Settings ["CRACKLIB_DICT_PATH"] = lval[1]:"/usr/lib/cracklib_dict"; - Settings ["PASSWD_USE_CRACKLIB"] = "yes"; } + if (issubstring (val, "minlen=") && lval[1]:"" != "") + Settings ["PASS_MIN_LEN"] = lval[1]:"5"; + }); + + map pam_history = Pam::Query ("pwhistory"); + foreach (string val, pam_history["password"]:[], { + list lval = splitstring (val, "="); if (issubstring (val, "remember=") && lval[1]:"" != "") Settings ["PASSWD_REMEMBER_HISTORY"] = lval[1]:"0"; }); 
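Review bot: The fallbacks kept around the new queries in the Security.ycp read hunk (`PASS_MIN_LEN` "5", `PASSWD_REMEMBER_HISTORY` "0") are pam_pwcheck conventions and do not describe what the new modules enforce when the option is absent: pam_cracklib documents a default `minlen` of 9 and pam_pwhistory a default `remember` of 10. A system that has either module enabled without those options would therefore be displayed with a policy it does not actually have, and the write path treats "5"/"0" as "remove the option", which falls back to those module defaults rather than to the displayed value. The `dictpath=` branch also lacks the empty-value guard that `minlen=` and `remember=` have, so an empty value is stored as CRACKLIB_DICT_PATH; `if (issubstring (val, "dictpath=") && lval[1]:"" != "")` would keep the three options consistent. What `Pam::Query` returns for a disabled module is not visible here, so the `size (pam_cracklib) > 0` test is assumed to be empty in that case.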
@@ -532,33 +530,32 @@ // use cracklib? if(Settings["PASSWD_USE_CRACKLIB"]:"no" == "yes") { - string crack = "pwcheck-cracklib"; + Pam::Add ("cracklib"); string pth = Settings["CRACKLIB_DICT_PATH"]:"/usr/lib/cracklib_dict"; if (pth != "/usr/lib/cracklib_dict") - crack = "pwcheck-cracklib-path=" + pth; - Pam::Add (crack); + Pam::Add ("--cracklib-dictpath=" + pth); } else - Pam::Remove ("pwcheck-cracklib"); - - // save obscure checks - Pam::Set ("pwcheck-no_obscure_checks", - Settings["OBSCURE_CHECKS_ENAB"]:"yes" != "yes"); + Pam::Remove ("cracklib"); // save min pass length if (Settings["PASS_MIN_LEN"]:"5" != "5") - Pam::Add (sformat ("pwcheck-minlen=%1", Settings["PASS_MIN_LEN"]:"5")); + { + Pam::Add ("cracklib"); // minlen is part of cracklib + Pam::Add (sformat ("cracklib-minlen=%1", Settings["PASS_MIN_LEN"]:"5")); + } else - Pam::Remove ("pwcheck-minlen"); + Pam::Remove ("cracklib-minlen"); // save "remember" value (number of old user passwords to not allow) if (Settings["PASSWD_REMEMBER_HISTORY"]:"0" != "0") { - Pam::Add (sformat ("pwcheck-remember=%1", + Pam::Add ("pwhistory"); + Pam::Add (sformat ("pwhistory-remember=%1", Settings["PASSWD_REMEMBER_HISTORY"]:"0")); } else - Pam::Remove ("pwcheck-remember"); + Pam::Remove ("pwhistory-remember"); PamSettings::Write (false); Modified: trunk/security/src/dialogs.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/dialogs.ycp?rev=5740... ============================================================================== --- trunk/security/src/dialogs.ycp (original) +++ trunk/security/src/dialogs.ycp Tue Jun 2 22:40:08 2009 
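Review bot: In the Security.ycp write hunk, `Pam::Add ("--cracklib-dictpath=" + pth)` is the only call that passes a leading `--`; the updated Level1.out expectation shows `Pam::Add ("cracklib")` producing `pam-config -a --cracklib`, so Pam::Add presumably prepends the dashes and this option would come out malformed, whereas `Pam::Add ("cracklib-dictpath=" + pth)` matches the other calls. The same expectations show the command going through `.target.bash_output` with the value unquoted (`--cracklib-minlen=l10`), and `remember` is settable from the command line per the `set` mapping in security.ycp, so `pth`, PASS_MIN_LEN and PASSWD_REMEMBER_HISTORY should be validated (absolute path, digits only) before being concatenated unless Pam::Add already quotes them; that module is not part of this diff. A non-default PASS_MIN_LEN also re-adds cracklib right after the `else` branch removed it (Write.out now runs `-d --cracklib` then `-a --cracklib`), which silently overrides PASSWD_USE_CRACKLIB="no" and deserves a comment stating that precedence.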
@@ -675,16 +675,14 @@ XFrame(0.3,0.15,_("Checks"),`VBox( settings2widget("PASSWD_USE_CRACKLIB"), VSeparator(), - settings2widget("OBSCURE_CHECKS_ENAB"), + settings2widget("PASS_MIN_LEN"), VSeparator(), settings2widget("PASSWD_REMEMBER_HISTORY"), - VSeparator() + VSeparator () )), `VSpacing(0.4), settings2widget("PASSWD_ENCRYPTION"), `VSpacing(0.4), - settings2widget("PASS_MIN_LEN"), - `VSpacing(0.4), /* Frame label */ `Frame(_("Password Age"),`HBox( `HSpacing(0.4), @@ -708,6 +706,9 @@ // select the dialog in the tree navigation Wizard::SelectTreeItem("password"); + UI::ChangeWidget (`id ("PASS_MIN_LEN"), `Enabled, + Security::Settings["PASSWD_USE_CRACKLIB"]:"" == "yes"); + any ret = nil; while(true) { ret = UI::UserInput(); @@ -720,6 +721,12 @@ else if(ret == `back) { break; } + else if (ret == "PASSWD_USE_CRACKLIB") + { + // minlen is an option for pam_cracklib + UI::ChangeWidget (`id ("PASS_MIN_LEN"), `Enabled, + UI::QueryWidget (`id (ret), `Value) == true); + } else if(ret == `next || contains(tree_dialogs, ret)) { // the current item has been selected, do not change to the same dialog if (ret == "password") @@ -751,6 +758,10 @@ Security::PasswordMaxLengths[enc]:8)); continue; } + if (min != 5) + { + UI::ChangeWidget (`id ("PASSWD_USE_CRACKLIB"), `Value, true); + } break; } else if (ret != "PASSWD_ENCRYPTION") { @@ -764,7 +775,6 @@ widget2settings("PASS_MAX_DAYS"); widget2settings("PASS_MIN_LEN"); widget2settings("PASSWD_USE_CRACKLIB"); - widget2settings("OBSCURE_CHECKS_ENAB"); widget2settings("PASS_WARN_AGE"); widget2settings("PASSWD_ENCRYPTION"); widget2settings("PASSWD_REMEMBER_HISTORY"); Modified: trunk/security/src/helps.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/helps.ycp?rev=57402&... ============================================================================== --- trunk/security/src/helps.ycp (original) +++ trunk/security/src/helps.ycp Tue Jun 2 22:40:08 2009 
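Review bot: The `if (min != 5)` block added to the validation branch in dialogs.ycp switches PASSWD_USE_CRACKLIB back on without telling the user, and it does so even when the user has just unchecked the box and PASS_MIN_LEN is greyed out while still holding a previously read non-default value. Either skip the length handling while the checkbox is off, or show a message explaining that a custom minimum length requires pam_cracklib, so the saved password policy is one the administrator actually chose. `min` is assigned above the hunk, so this assumes it still holds the PASS_MIN_LEN widget value at this point. A comment such as `// a non-default minlen is only enforced by pam_cracklib, so keep the module enabled` would document the intent.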
@@ -110,11 +110,11 @@ cannot be found in a dictionary and is not a name or other simple, common word. By checking the box, enforce password checking in regard to these rules.</p>") + - /* Password dialog help 3/8 */ - _("<p><b>Test for Complicated Passwords</b>: -Passwords should be constructed using a mixture of characters. This makes the -guessing of passwords very difficult. Check this box to enable additional -checks.</p>") + + /* Password dialog help */ + _("<p><b>Minimum Acceptable Password Length:</b> +The minimum number of characters in an acceptable password. Attempts to +assign passwords with fewer characters are rejected. A zero value +suppresses this check. This option can only be modified when <b>Check New Passwords</b> is set.</p>") + // Password dialog help 4/8 _("<p><b>Passwords to Remember</b>: @@ -139,12 +139,6 @@ which makes it difficult to crack passwords with the help of a dictionary.</p>") + - /* Password dialog help 6/8 */ - _("<p><b>Minimum Acceptable Password Length:</b> -The minimum number of characters in an acceptable password. Attempts to -assign passwords with fewer characters are rejected. A zero value -suppresses this check.</p>") + - /* Password dialog help 7/8 */ _("<p><b>Password Age:</b> Set the minimum and maximum number of days a password may be used.</p>") + Modified: trunk/security/src/levels.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/levels.ycp?rev=57402... ============================================================================== --- trunk/security/src/levels.ycp (original) +++ trunk/security/src/levels.ycp Tue Jun 2 22:40:08 2009 @@ -66,7 +66,6 @@ "GID_MIN" : "1000", "DISPLAYMANAGER_SHUTDOWN" : "all", "LASTLOG_ENAB" : "yes", - "OBSCURE_CHECKS_ENAB" : "yes", "PASSWD_ENCRYPTION" : "blowfish", "PASSWD_USE_CRACKLIB" : "yes", "PASS_MAX_DAYS" : "99999", 
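Review bot: The relocated "Minimum Acceptable Password Length" help in helps.ycp still describes pam_pwcheck behaviour, which no longer matches the module the setting is written to. With pam_cracklib, `minlen` is not a plain character count (by default each character class earns a credit toward it), and cracklib applies its own lower length limit regardless of `minlen`, so "A zero value suppresses this check" is not accurate any more. The text should say that the value is passed to pam_cracklib as `minlen` and that short values are still bounded by cracklib's built-in limit, so administrators do not assume a weaker or stricter policy than the one enforced.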
@@ -109,7 +108,6 @@ "GID_MIN" : "1000", "DISPLAYMANAGER_SHUTDOWN" : "root", "LASTLOG_ENAB" : "yes", - "OBSCURE_CHECKS_ENAB" : "yes", "PASSWD_ENCRYPTION" : "blowfish", "PASSWD_USE_CRACKLIB" : "yes", "PASS_MAX_DAYS" : "99999", @@ -152,7 +150,6 @@ "GID_MIN" : "1000", "DISPLAYMANAGER_SHUTDOWN" : "root", "LASTLOG_ENAB" : "yes", - "OBSCURE_CHECKS_ENAB" : "yes", "PASSWD_ENCRYPTION" : "blowfish", "PASSWD_USE_CRACKLIB" : "yes", "PASS_MAX_DAYS" : "99999", Modified: trunk/security/src/routines.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/routines.ycp?rev=574... ============================================================================== --- trunk/security/src/routines.ycp (original) +++ trunk/security/src/routines.ycp Tue Jun 2 22:40:08 2009 @@ -60,8 +60,11 @@ boolean enabled = false; if(value == "yes") enabled = true; + term chbox = `CheckBox(`id(ID), label, enabled); + if (m["Notify"]:"no" == "yes") + chbox = `CheckBox(`id(ID), `opt (`notify), label, enabled); return `VBox( - `Left(`CheckBox(`id(ID), label, enabled)), + `Left(chbox), VSeparator() ); } Modified: trunk/security/src/security.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/security.ycp?rev=574... ============================================================================== --- trunk/security/src/security.ycp (original) +++ trunk/security/src/security.ycp Tue Jun 2 22:40:08 2009 @@ -84,12 +84,6 @@ Security::Settings["PASSWD_ENCRYPTION"] = options["passwd"]:"des"; Security::modified = true; } - if (haskey (options, "obscure") && - options["obscure"]:"" != Security::Settings["OBSCURE_CHECKS_ENAB"]:"") - { - Security::Settings["OBSCURE_CHECKS_ENAB"] = options["obscure"]:"yes"; - Security::modified = true; - } if (haskey (options, "crack") && options["crack"]:"" != Security::Settings["PASSWD_USE_CRACKLIB"]:"") { 
@@ -167,12 +161,6 @@ "type" : "enum", "typespec" : [ "des", "md5", "blowfish" ], ], - "obscure" : $[ - // command line help text for 'set obscure' option - "help" : _("Test for complicated password"), - "type" : "enum", - "typespec" : [ "yes", "no" ], - ], "crack" : $[ // command line help text for 'set crack' option "help" : _("Check new passwords"), @@ -194,7 +182,7 @@ "mappings" : $[ "summary" : [], "level" : [ "home", "network", "server" ],//FIXME 1,2,3 aliases - "set" : [ "passwd", "obscure", "crack", "permissions", "remember" ], + "set" : [ "passwd", "crack", "permissions", "remember" ], ] ]; Modified: trunk/security/src/widgets.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/src/widgets.ycp?rev=5740... ============================================================================== --- trunk/security/src/widgets.ycp (original) +++ trunk/security/src/widgets.ycp Tue Jun 2 22:40:08 2009 @@ -161,13 +161,6 @@ "Value" : "yes" ], - "OBSCURE_CHECKS_ENAB" : $[ - "Widget" : "CheckBox", - /* CheckBox label */ - "Label" : _("&Test for Complicated Passwords"), - "Value" : "yes" - ], - "PASSWD_ENCRYPTION" : $[ "Widget" : "ComboBox", /* ComboBox label */ @@ -182,6 +175,7 @@ "Widget" : "CheckBox", /* CheckBox label */ "Label" : _("&Check New Passwords"), + "Notify" : "yes", "Value" : "yes" ], Modified: trunk/security/testsuite/tests/Level1.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Level1.o... ============================================================================== --- trunk/security/testsuite/tests/Level1.out (original) +++ trunk/security/testsuite/tests/Level1.out Tue Jun 2 22:40:08 2009 
@@ -79,10 +79,9 @@ Execute .target.bash "/sbin/telinit q" 0 Read .etc.default.passwd."CRYPT_FILES" nil Write .etc.default.passwd."CRYPT_FILES" "blowfish" true -Execute .target.bash_output "pam-config -a --pwcheck-cracklib" $[] -Execute .target.bash_output "pam-config -d --pwcheck-no_obscure_checks" $[] -Execute .target.bash_output "pam-config -d --pwcheck-minlen" $[] -Execute .target.bash_output "pam-config -d --pwcheck-remember" $[] +Execute .target.bash_output "pam-config -a --cracklib" $[] +Execute .target.bash_output "pam-config -d --cracklib-minlen" $[] +Execute .target.bash_output "pam-config -d --pwhistory-remember" $[] Write .etc.default.passwd nil true Execute .target.bash "echo 1 > /proc/sys/kernel/sysrq" 0 Read .sysconfig.displaymanager.DISPLAYMANAGER "" Modified: trunk/security/testsuite/tests/Level2.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Level2.o... ============================================================================== --- trunk/security/testsuite/tests/Level2.out (original) +++ trunk/security/testsuite/tests/Level2.out Tue Jun 2 22:40:08 2009 
@@ -79,10 +79,9 @@ Execute .target.bash "/sbin/telinit q" 0 Read .etc.default.passwd."CRYPT_FILES" nil Write .etc.default.passwd."CRYPT_FILES" "blowfish" true -Execute .target.bash_output "pam-config -a --pwcheck-cracklib" $[] -Execute .target.bash_output "pam-config -d --pwcheck-no_obscure_checks" $[] -Execute .target.bash_output "pam-config -d --pwcheck-minlen" $[] -Execute .target.bash_output "pam-config -d --pwcheck-remember" $[] +Execute .target.bash_output "pam-config -a --cracklib" $[] +Execute .target.bash_output "pam-config -d --cracklib-minlen" $[] +Execute .target.bash_output "pam-config -d --pwhistory-remember" $[] Write .etc.default.passwd nil true Execute .target.bash "echo 0 > /proc/sys/kernel/sysrq" 0 Read .sysconfig.displaymanager.DISPLAYMANAGER "" Modified: trunk/security/testsuite/tests/Level3.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Level3.o... ============================================================================== --- trunk/security/testsuite/tests/Level3.out (original) +++ trunk/security/testsuite/tests/Level3.out Tue Jun 2 22:40:08 2009 
@@ -79,10 +79,10 @@ Execute .target.bash "/sbin/telinit q" 0 Read .etc.default.passwd."CRYPT_FILES" nil Write .etc.default.passwd."CRYPT_FILES" "blowfish" true -Execute .target.bash_output "pam-config -a --pwcheck-cracklib" $[] -Execute .target.bash_output "pam-config -d --pwcheck-no_obscure_checks" $[] -Execute .target.bash_output "pam-config -a --pwcheck-minlen=6" $[] -Execute .target.bash_output "pam-config -d --pwcheck-remember" $[] +Execute .target.bash_output "pam-config -a --cracklib" $[] +Execute .target.bash_output "pam-config -a --cracklib" $[] +Execute .target.bash_output "pam-config -a --cracklib-minlen=6" $[] +Execute .target.bash_output "pam-config -d --pwhistory-remember" $[] Write .etc.default.passwd nil true Execute .target.bash "echo 0 > /proc/sys/kernel/sysrq" 0 Read .sysconfig.displaymanager.DISPLAYMANAGER "" Modified: trunk/security/testsuite/tests/Read.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Read.out... ============================================================================== --- trunk/security/testsuite/tests/Read.out (original) +++ trunk/security/testsuite/tests/Read.out Tue Jun 2 22:40:08 2009 @@ -50,8 +50,9 @@ Read .sysconfig.sysctl.IPV6_FORWARD "r11" Dir .etc.inittab: ["ca"] Read .etc.inittab.ca ":ctrlaltdel:/sbin/shutdown -r -t 4 now" -Execute .target.bash_output "pam-config -q --pwcheck" $[] Read .etc.default.passwd."CRYPT_FILES" "blowfish" Read .etc.default.passwd.group_crypt nil Read .etc.default.passwd.crypt "md5" +Execute .target.bash_output "pam-config -q --cracklib" $[] +Execute .target.bash_output "pam-config -q --pwhistory" $[] Return true Modified: trunk/security/testsuite/tests/Read.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Read.ycp... ============================================================================== --- trunk/security/testsuite/tests/Read.ycp (original) +++ trunk/security/testsuite/tests/Read.ycp Tue Jun 2 22:40:08 2009 
@@ -59,7 +59,6 @@ "GID_MAX" : "l3", "GID_MIN" : "l4", "LASTLOG_ENAB" : "l5", - "OBSCURE_CHECKS_ENAB" : "l6", "PASS_MAX_DAYS" : "l7", "PASS_MIN_DAYS" : "l9", "PASS_MIN_LEN" : "l10", Modified: trunk/security/testsuite/tests/Write.out URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Write.ou... ============================================================================== --- trunk/security/testsuite/tests/Write.out (original) +++ trunk/security/testsuite/tests/Write.out Tue Jun 2 22:40:08 2009 @@ -79,10 +79,10 @@ Execute .target.bash "/sbin/telinit q" 0 Read .etc.default.passwd."CRYPT_FILES" nil Write .etc.default.passwd."CRYPT_FILES" "blowfish" true -Execute .target.bash_output "pam-config -d --pwcheck-cracklib" $[] -Execute .target.bash_output "pam-config -a --pwcheck-no_obscure_checks" $[] -Execute .target.bash_output "pam-config -a --pwcheck-minlen=l10" $[] -Execute .target.bash_output "pam-config -d --pwcheck-remember" $[] +Execute .target.bash_output "pam-config -d --cracklib" $[] +Execute .target.bash_output "pam-config -a --cracklib" $[] +Execute .target.bash_output "pam-config -a --cracklib-minlen=l10" $[] +Execute .target.bash_output "pam-config -d --pwhistory-remember" $[] Write .etc.default.passwd nil true Execute .target.bash "echo 1 > /proc/sys/kernel/sysrq" 0 Read .sysconfig.displaymanager.DISPLAYMANAGER "" Modified: trunk/security/testsuite/tests/Write.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/security/testsuite/tests/Write.yc... ============================================================================== --- trunk/security/testsuite/tests/Write.ycp (original) +++ trunk/security/testsuite/tests/Write.ycp Tue Jun 2 22:40:08 2009 
@@ -30,7 +30,6 @@ "GID_MIN" : "l4", "DISPLAYMANAGER_SHUTDOWN" : "r3", "LASTLOG_ENAB" : "l5", - "OBSCURE_CHECKS_ENAB" : "l6", "PASS_MAX_DAYS" : "l7", "PASS_MIN_DAYS" : "l9", "PASS_MIN_LEN" : "l10", -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org