Blob Blame History Raw
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am
--- Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.709355179 +0200
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/Makefile.am	2022-09-29 10:13:35.780355766 +0200
@@ -10,9 +10,10 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
 
 TESTS = tst-pam_pwhistory
 
-man_MANS = pam_pwhistory.8 pwhistory_helper.8
+man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
 
-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
+  pwhistory.conf.5.xml
 
 securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
@@ -25,12 +26,14 @@ if HAVE_VERSIONING
   pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
 
-noinst_HEADERS = opasswd.h
+noinst_HEADERS = opasswd.h pwhistory_config.h
+
+dist_secureconf_DATA = pwhistory.conf
 
 securelib_LTLIBRARIES = pam_pwhistory.la
 pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
 pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
+pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c
 
 sbin_PROGRAMS = pwhistory_helper
 pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file	2017-02-10 11:10:15.000000000 +0100
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.8.xml	2022-09-29 10:13:35.780355766 +0200
@@ -36,6 +36,9 @@
       <arg choice="opt">
         authtok_type=<replaceable>STRING</replaceable>
       </arg>
+      <arg choice="opt">
+	      conf=<replaceable>/path/to/config-file</replaceable>
+      </arg>
 
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -104,7 +107,7 @@
         <listitem>
           <para>
             The last <replaceable>N</replaceable> passwords for each
-            user are saved in <filename>/etc/security/opasswd</filename>.
+            user are saved.
             The default is <emphasis>10</emphasis>. Value of
             <emphasis>0</emphasis> makes the module to keep the existing
             contents of the <filename>opasswd</filename> file unchanged.
@@ -137,7 +140,26 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>
+            <option>conf=<replaceable>/path/to/config-file</replaceable></option>
+          </term>
+          <listitem>
+            <para>
+              Use another configuration file instead of the default
+              <filename>/etc/security/pwhistory.conf</filename>.
+            </para>
+          </listitem>
+        </varlistentry>
+
     </variablelist>
+    <para>
+      The options for configuring the module behavior are described in the
+      <citerefentry><refentrytitle>pwhistory.conf</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry> manual page. The options
+      specified on the module command line override the values from the
+      configuration file.
+    </para>
   </refsect1>
 
   <refsect1 id="pam_pwhistory-types">
@@ -223,6 +245,9 @@ password     required       pam_unix.so
     <title>SEE ALSO</title>
     <para>
       <citerefentry>
+	<refentrytitle>pwhistory.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
 	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
       </citerefentry>,
       <citerefentry>
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.711355195 +0200
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pam_pwhistory.c	2022-09-29 10:13:35.780355766 +0200
@@ -62,18 +62,11 @@
 #include <security/_pam_macros.h>
 
 #include "opasswd.h"
+#include "pwhistory_config.h"
 
 #define DEFAULT_BUFLEN 2048
 #define MAX_FD_NO 20000
 
-struct options_t {
-  int debug;
-  int enforce_for_root;
-  int remember;
-  int tries;
-};
-typedef struct options_t options_t;
-
 
 static void
 parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
@@ -304,6 +297,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
   options.remember = 10;
   options.tries = 1;
 
+  parse_config_file(pamh, argc, argv, &options);
+
   /* Parse parameters for module */
   for ( ; argc-- > 0; argv++)
     parse_option (pamh, *argv, &options);
@@ -311,7 +306,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
   if (options.debug)
     pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");
 
-
   if (options.remember == 0)
     return PAM_IGNORE;
 
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.780355766 +0200
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.5.xml	2022-09-29 10:13:35.780355766 +0200
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pwhistory.conf">
+
+  <refmeta>
+    <refentrytitle>pwhistory.conf</refentrytitle>
+    <manvolnum>5</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pwhistory.conf-name">
+    <refname>pwhistory.conf</refname>
+    <refpurpose>pam_pwhistory configuration file</refpurpose>
+  </refnamediv>
+
+  <refsect1 id="pwhistory.conf-description">
+
+    <title>DESCRIPTION</title>
+    <para>
+       <emphasis remap='B'>pwhistory.conf</emphasis> provides a way to configure the
+       default settings for saving the last passwords for each user.
+       This file is read by the <emphasis>pam_pwhistory</emphasis> module and is the
+       preferred method over configuring <emphasis>pam_pwhistory</emphasis> directly.
+    </para>
+    <para>
+       The file has a very simple <emphasis>name = value</emphasis> format with possible comments
+       starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
+       of line, and around the <emphasis>=</emphasis> sign is ignored.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pwhistory.conf-options">
+
+    <title>OPTIONS</title>
+         <variablelist>
+            <varlistentry>
+              <term>
+                <option>debug</option>
+              </term>
+              <listitem>
+                <para>
+                  Turns on debugging via
+                  <citerefentry>
+                    <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+                  </citerefentry>.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>
+                <option>enforce_for_root</option>
+              </term>
+              <listitem>
+                <para>
+                  If this option is set, the check is enforced for root, too.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>
+                <option>remember=<replaceable>N</replaceable></option>
+              </term>
+              <listitem>
+                <para>
+                  The last <replaceable>N</replaceable> passwords for each
+                  user are saved.
+                  The default is <emphasis>10</emphasis>. Value of
+                  <emphasis>0</emphasis> makes the module to keep the existing
+                  contents of the <filename>opasswd</filename> file unchanged.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>
+                <option>retry=<replaceable>N</replaceable></option>
+              </term>
+              <listitem>
+                <para>
+                  Prompt user at most <replaceable>N</replaceable> times
+                  before returning with error. The default is 1.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>
+                <option>file=<replaceable>/path/filename</replaceable></option>
+              </term>
+              <listitem>
+                <para>
+                  Store password history in file
+                  <replaceable>/path/filename</replaceable> rather than the default
+                  location. The default location is
+	                <filename>/etc/security/opasswd</filename>.
+                </para>
+              </listitem>
+            </varlistentry>
+        </variablelist>
+  </refsect1>
+
+  <refsect1 id='pwhistory.conf-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      /etc/security/pwhistory.conf file example:
+    </para>
+    <programlisting>
+debug
+remember=5
+file=/tmp/opasswd
+    </programlisting>
+  </refsect1>
+
+  <refsect1 id="pwhistory.conf-files">
+    <title>FILES</title>
+    <variablelist>
+      <varlistentry>
+        <term><filename>/etc/security/pwhistory.conf</filename></term>
+        <listitem>
+          <para>the config file for custom options</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pwhistory.conf-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>pwhistory</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pwhistory.conf-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_pwhistory was written by Thorsten Kukuk. The support for
+        pwhistory.conf was written by Iker Pedrosa.
+      </para>
+  </refsect1>
+
+</refentry>
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.781355775 +0200
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.c	2022-09-29 10:14:33.377832622 +0200
@@ -0,0 +1,195 @@
+/*
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <ctype.h>
+
+#include <security/pam_modutil.h>
+
+#include "pam_inline.h"
+#include "pwhistory_config.h"
+
+#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"
+
+/* lookup a value for key in login.defs file or similar key value format */
+static char *
+pwhistory_search_key(pam_handle_t *pamh UNUSED,
+		       const char *file_name,
+		       const char *key)
+{
+	FILE *fp;
+	char *buf = NULL;
+	size_t buflen = 0;
+	char *retval = NULL;
+
+#ifdef USE_ECONF
+	if (strcmp (file_name, LOGIN_DEFS) == 0)
+		return econf_search_key ("login", ".defs", key);
+#endif
+
+	fp = fopen(file_name, "r");
+	if (NULL == fp)
+		return NULL;
+
+	while (!feof(fp)) {
+		char *tmp, *cp;
+#if defined(HAVE_GETLINE)
+		ssize_t n = getline(&buf, &buflen, fp);
+#elif defined (HAVE_GETDELIM)
+		ssize_t n = getdelim(&buf, &buflen, '\n', fp);
+#else
+		ssize_t n;
+
+		if (buf == NULL) {
+			buflen = BUF_SIZE;
+			buf = malloc(buflen);
+			if (buf == NULL) {
+				fclose(fp);
+				return NULL;
+			}
+		}
+		buf[0] = '\0';
+		if (fgets(buf, buflen - 1, fp) == NULL)
+			break;
+		else if (buf != NULL)
+			n = strlen(buf);
+		else
+			n = 0;
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
+		cp = buf;
+
+		if (n < 1)
+			break;
+		if (cp[n - 1] == '\n')
+			cp[n - 1] = '\0';
+
+		tmp = strchr(cp, '#');  /* remove comments */
+		if (tmp)
+			*tmp = '\0';
+		while (isspace((int)*cp))    /* remove spaces and tabs */
+			++cp;
+		if (*cp == '\0')        /* ignore empty lines */
+			continue;
+
+		tmp = strsep (&cp, " \t=");
+		if (cp != NULL)
+			while (isspace((int)*cp) || *cp == '=')
+				++cp;
+		else
+			cp = buf + n;   /* empty string */
+
+		if (strcasecmp(tmp, key) == 0) {
+			retval = strdup(cp);
+			break;
+		}
+	}
+	fclose(fp);
+
+	free(buf);
+
+	return retval;
+}
+
+void
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
+                  struct options_t *options)
+{
+    const char *fname = NULL;
+    int i;
+    char *val;
+
+    for (i = 0; i < argc; ++i) {
+        const char *str = pam_str_skip_prefix(argv[i], "conf=");
+
+        if (str != NULL) {
+            fname = str;
+        }
+    }
+
+    if (fname == NULL) {
+        fname = PWHISTORY_DEFAULT_CONF;
+    }
+
+    val = pwhistory_search_key (pamh, fname, "debug");
+    if (val != NULL) {
+        options->debug = 1;
+        free(val);
+    }
+
+    val = pwhistory_search_key (pamh, fname, "enforce_for_root");
+    if (val != NULL) {
+        options->enforce_for_root = 1;
+        free(val);
+    }
+
+    val = pwhistory_search_key (pamh, fname, "remember");
+    if (val != NULL) {
+        unsigned int temp;
+        if (sscanf(val, "%u", &temp) != 1) {
+            pam_syslog(pamh, LOG_ERR,
+                "Bad number supplied for remember argument");
+        } else {
+            options->remember = temp;
+        }
+        free(val);
+    }
+
+    val = pwhistory_search_key (pamh, fname, "retry");
+    if (val != NULL) {
+        unsigned int temp;
+        if (sscanf(val, "%u", &temp) != 1) {
+            pam_syslog(pamh, LOG_ERR,
+                "Bad number supplied for retry argument");
+        } else {
+            options->tries = temp;
+        }
+        free(val);
+    }
+
+    val = pwhistory_search_key (pamh, fname, "file");
+    if (val != NULL) {
+        if (*val != '/') {
+            pam_syslog (pamh, LOG_ERR,
+                "File path should be absolute: %s", val);
+        } else {
+            options->filename = val;
+        }
+    }
+}
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.781355775 +0200
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory_config.h	2022-09-29 10:13:35.781355775 +0200
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2022 Iker Pedrosa <ipedrosa@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _PWHISTORY_CONFIG_H
+#define _PWHISTORY_CONFIG_H
+
+#include <security/pam_ext.h>
+
+struct options_t {
+    int debug;
+    int enforce_for_root;
+    int remember;
+    int tries;
+    const char *filename;
+};
+typedef struct options_t options_t;
+
+void
+parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
+                  struct options_t *options);
+
+#endif /* _PWHISTORY_CONFIG_H */
diff -up Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf
--- Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file	2022-09-29 10:13:35.781355775 +0200
+++ Linux-PAM-1.3.1/modules/pam_pwhistory/pwhistory.conf	2022-09-29 10:13:35.781355775 +0200
@@ -0,0 +1,21 @@
+# Configuration for remembering the last passwords used by a user.
+#
+# Enable the debugging logs.
+# Enabled if option is present.
+# debug
+#
+# root account's passwords are also remembered.
+# Enabled if option is present.
+# enforce_for_root
+#
+# Number of passwords to remember.
+# The default is 10.
+# remember = 10
+#
+# Number of times to prompt for the password.
+# The default is 1.
+# retry = 1
+#
+# The directory where the last passwords are kept.
+# The default is /etc/security/opasswd.
+# file = /etc/security/opasswd