Diffstat (limited to 'debian/patches/007_modules_pam_unix')
-rw-r--r--debian/patches/007_modules_pam_unix570
1 files changed, 294 insertions, 276 deletions
diff --git a/debian/patches/007_modules_pam_unix b/debian/patches/007_modules_pam_unix
index 218379c0..0158a4db 100644
--- a/debian/patches/007_modules_pam_unix
+++ b/debian/patches/007_modules_pam_unix
@@ -1,224 +1,84 @@
-Index: pam/modules/pam_unix/pam_unix_passwd.c
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 11 Sep 2023 14:00:42 -0600
+Subject: _modules_pam_unix
+
===================================================================
---- pam.orig/modules/pam_unix/pam_unix_passwd.c
-+++ pam/modules/pam_unix/pam_unix_passwd.c
-@@ -95,6 +95,9 @@
- # endif /* GNU libc 2.1 */
- #endif
-
-+extern const char *obscure_msg(const char *, const char *, const struct passwd *,
-+ unsigned int);
-+
- /*
- How it works:
- Gets in username (has to be done) from the calling program
-@@ -593,6 +596,11 @@
- return retval;
- }
- }
-+ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
-+ struct passwd *pwd;
-+ pwd = pam_modutil_getpwnam(pamh, user);
-+ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
-+ }
- }
- if (remark) {
- _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
-@@ -608,7 +616,7 @@
- int retval;
- int remember = -1;
- int rounds = 0;
-- int pass_min_len = 0;
-+ int pass_min_len = 6;
+---
+ modules/pam_unix/Makefile.am | 2 +-
+ modules/pam_unix/README | 36 ++++++-
+ modules/pam_unix/obscure.c | 198 +++++++++++++++++++++++++++++++++++++
+ modules/pam_unix/pam_unix.8 | 33 ++++++-
+ modules/pam_unix/pam_unix.8.xml | 77 ++++++++++++++-
+ modules/pam_unix/pam_unix_passwd.c | 10 +-
+ modules/pam_unix/support.h | 78 ++++++++-------
+ 7 files changed, 389 insertions(+), 45 deletions(-)
+ create mode 100644 modules/pam_unix/obscure.c
+
+diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+index a1dfe44..ddba63c 100644
+--- a/modules/pam_unix/Makefile.am
++++ b/modules/pam_unix/Makefile.am
+@@ -43,7 +43,7 @@ noinst_PROGRAMS = bigcrypt
- /* <DO NOT free() THESE> */
- const char *user;
-Index: pam/modules/pam_unix/support.h
-===================================================================
---- pam.orig/modules/pam_unix/support.h
-+++ pam/modules/pam_unix/support.h
-@@ -101,50 +101,52 @@
- #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
- #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
- #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
-+#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */
- /* -------------- */
--#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */
+ pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+- passverify.c md5_good.c md5_broken.c
++ passverify.c md5_good.c md5_broken.c obscure.c
+ if HAVE_NIS
+ pam_unix_la_SOURCES += yppasswd_xdr.c
+ endif
+diff --git a/modules/pam_unix/README b/modules/pam_unix/README
+index 67a2d21..be11095 100644
+--- a/modules/pam_unix/README
++++ b/modules/pam_unix/README
+@@ -171,8 +171,40 @@ broken_shadow
- #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
+ minlen=n
- static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- {
--/* symbol token name ctrl mask ctrl *
-- * --------------------------- -------------------- ------------------------- ---------------- */
-+/* symbol token name ctrl mask ctrl *
-+ * --------------------------- -------------------- ------------------------- ------------ */
+- Set a minimum password length of n characters. The max. for DES crypt based
+- passwords are 8 characters.
++ Set a minimum password length of n characters. The default value is 6. The
++ maximum for DES crypt-based passwords is 8 characters.
++
++obscure
++
++ Enable some extra checks on password strength. These checks are based on
++ the "obscure" checks in the original shadow package. The behavior is
++ similar to the pam_cracklib module, but for non-dictionary-based checks.
++ The following checks are implemented:
++
++ Palindrome
++
++ Verifies that the new password is not a palindrome of (i.e., the
++ reverse of) the previous one.
++
++ Case Change Only
++
++ Verifies that the new password isn't the same as the old one with a
++ change of case.
++
++ Similar
++
++ Verifies that the new password isn't too much like the previous one.
++
++ Simple
++
++ Is the new password too simple? This is based on the length of the
++ password and the number of different types of characters (alpha,
++ numeric, etc.) used.
++
++ Rotated
++
++ Is the new password a rotated version of the old password? (E.g.,
++ "billy" and "illyb")
--/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
--/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
--/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
--/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
--/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
--/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
--/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
--/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
--/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
--/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
--/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
--/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
--/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
--/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
--/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
--/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
--/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
--/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
--/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
--/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
--/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
--/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
--/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
--/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
--/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
--/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
--/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
--/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
--/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
--/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
--/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
--/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
--/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
--/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0},
-+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0},
-+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0},
-+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0},
-+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0},
-+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0},
-+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0},
-+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0},
-+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0},
-+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0},
-+/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
-+/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
-+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
-+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
-+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1},
-+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0},
-+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0},
-+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0},
-+/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0},
-+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1},
-+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0},
-+/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0},
-+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0},
-+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0},
-+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1},
-+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1},
-+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0},
-+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1},
-+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0},
-+/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0},
-+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0},
-+/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1},
-+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1},
-+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1},
-+/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0},
-+/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0},
- };
+ no_pass_expiry
- #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-Index: pam/modules/pam_unix/pam_unix.8.xml
-===================================================================
---- pam.orig/modules/pam_unix/pam_unix.8.xml
-+++ pam/modules/pam_unix/pam_unix.8.xml
-@@ -400,8 +400,81 @@
- <listitem>
- <para>
- Set a minimum password length of <replaceable>n</replaceable>
-- characters. The max. for DES crypt based passwords are 8
-- characters.
-+ characters. The default value is 6. The maximum for DES
-+ crypt-based passwords is 8 characters.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>obscure</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Enable some extra checks on password strength. These checks
-+ are based on the "obscure" checks in the original shadow
-+ package. The behavior is similar to the pam_cracklib
-+ module, but for non-dictionary-based checks. The following
-+ checks are implemented:
-+ <variablelist>
-+ <varlistentry>
-+ <term>
-+ <option>Palindrome</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Verifies that the new password is not a palindrome
-+ of (i.e., the reverse of) the previous one.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>Case Change Only</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Verifies that the new password isn't the same as the
-+ old one with a change of case.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>Similar</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Verifies that the new password isn't too much like
-+ the previous one.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>Simple</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Is the new password too simple? This is based on
-+ the length of the password and the number of
-+ different types of characters (alpha, numeric, etc.)
-+ used.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>Rotated</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Is the new password a rotated version of the old
-+ password? (E.g., "billy" and "illyb")
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
- </para>
- </listitem>
- </varlistentry>
-Index: pam/modules/pam_unix/obscure.c
-===================================================================
+diff --git a/modules/pam_unix/obscure.c b/modules/pam_unix/obscure.c
+new file mode 100644
+index 0000000..2ffac92
--- /dev/null
-+++ pam/modules/pam_unix/obscure.c
++++ b/modules/pam_unix/obscure.c
@@ -0,0 +1,198 @@
+/*
+ * Copyright 1989 - 1994, Julianne Frances Haugh
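Review bot: The new patch header at the top of this hunk (`From:` / `Date:` / `Subject: _modules_pam_unix`) has no description, so a reader of debian/patches cannot tell what this patch changes in authentication policy without reading all seven file sections. From the visible diffstat and README text, it adds the `obscure` password-strength option backed by a new obscure.c and raises the default `minlen` from 0 to 6; a subject such as `Subject: pam_unix: add "obscure" password checks, default minlen=6` plus a short body paragraph would record that. It would also help to state in the body that this is a Debian-specific behaviour change to password acceptance, since that is what a reviewer auditing the delta against upstream needs to know first.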
@@ -418,24 +278,11 @@ Index: pam/modules/pam_unix/obscure.c
+
+ return msg;
+}
-Index: pam/modules/pam_unix/Makefile.am
-===================================================================
---- pam.orig/modules/pam_unix/Makefile.am
-+++ pam/modules/pam_unix/Makefile.am
-@@ -39,7 +39,7 @@
-
- pam_unix_la_SOURCES = bigcrypt.c pam_unix_acct.c \
- pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
-- passverify.c yppasswd_xdr.c md5_good.c md5_broken.c
-+ passverify.c yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
-
- bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
- bigcrypt_CFLAGS = $(AM_CFLAGS)
-Index: pam/modules/pam_unix/pam_unix.8
-===================================================================
---- pam.orig/modules/pam_unix/pam_unix.8
-+++ pam/modules/pam_unix/pam_unix.8
-@@ -216,7 +216,38 @@
+diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+index 438717f..6f5f19b 100644
+--- a/modules/pam_unix/pam_unix.8
++++ b/modules/pam_unix/pam_unix.8
+@@ -216,7 +216,38 @@ minlen=n
.RS 4
Set a minimum password length of
\fIn\fR
@@ -474,51 +321,222 @@ Index: pam/modules/pam_unix/pam_unix.8
+.sp
.RE
.PP
- \fBno_pass_expiry\fR
-Index: pam/modules/pam_unix/README
-===================================================================
---- pam.orig/modules/pam_unix/README
-+++ pam/modules/pam_unix/README
-@@ -171,8 +171,40 @@
-
- minlen=n
+ no_pass_expiry
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+index dfc0427..4e63a49 100644
+--- a/modules/pam_unix/pam_unix.8.xml
++++ b/modules/pam_unix/pam_unix.8.xml
+@@ -397,8 +397,81 @@
+ <listitem>
+ <para>
+ Set a minimum password length of <replaceable>n</replaceable>
+- characters. The max. for DES crypt based passwords are 8
+- characters.
++ characters. The default value is 6. The maximum for DES
++ crypt-based passwords is 8 characters.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>obscure</option>
++ </term>
++ <listitem>
++ <para>
++ Enable some extra checks on password strength. These checks
++ are based on the "obscure" checks in the original shadow
++ package. The behavior is similar to the pam_cracklib
++ module, but for non-dictionary-based checks. The following
++ checks are implemented:
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>Palindrome</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password is not a palindrome
++ of (i.e., the reverse of) the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Case Change Only</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't the same as the
++ old one with a change of case.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Similar</option>
++ </term>
++ <listitem>
++ <para>
++ Verifies that the new password isn't too much like
++ the previous one.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Simple</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password too simple? This is based on
++ the length of the password and the number of
++ different types of characters (alpha, numeric, etc.)
++ used.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>Rotated</option>
++ </term>
++ <listitem>
++ <para>
++ Is the new password a rotated version of the old
++ password? (E.g., "billy" and "illyb")
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
+ </para>
+ </listitem>
+ </varlistentry>
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index c341741..652f3c5 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -86,6 +86,9 @@ extern int getrpcport(const char *host, unsigned long prognum,
+ # endif /* GNU libc 2.1 */
+ #endif
-- Set a minimum password length of n characters. The max. for DES crypt based
-- passwords are 8 characters.
-+ Set a minimum password length of n characters. The default value is 6. The
-+ maximum for DES crypt-based passwords is 8 characters.
-+
-+obscure
-+
-+ Enable some extra checks on password strength. These checks are based on
-+ the "obscure" checks in the original shadow package. The behavior is
-+ similar to the pam_cracklib module, but for non-dictionary-based checks.
-+ The following checks are implemented:
-+
-+ Palindrome
-+
-+ Verifies that the new password is not a palindrome of (i.e., the
-+ reverse of) the previous one.
-+
-+ Case Change Only
-+
-+ Verifies that the new password isn't the same as the old one with a
-+ change of case.
-+
-+ Similar
-+
-+ Verifies that the new password isn't too much like the previous one.
-+
-+ Simple
-+
-+ Is the new password too simple? This is based on the length of the
-+ password and the number of different types of characters (alpha,
-+ numeric, etc.) used.
-+
-+ Rotated
++extern const char *obscure_msg(const char *, const char *, const struct passwd *,
++ unsigned int);
+
-+ Is the new password a rotated version of the old password? (E.g.,
-+ "billy" and "illyb")
+ /*
+ How it works:
+ Gets in username (has to be done) from the calling program
+@@ -584,6 +587,11 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
+ return retval;
+ }
+ }
++ if (!remark && pass_old != NULL) { /* only check if we don't already have a failure */
++ struct passwd *pwd;
++ pwd = pam_modutil_getpwnam(pamh, user);
++ remark = (char *)obscure_msg(pass_old,pass_new,pwd,ctrl); /* do obscure checks */
++ }
+ }
+ if (remark) {
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+@@ -599,7 +607,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ int retval;
+ int remember = -1;
+ int rounds = 0;
+- int pass_min_len = 0;
++ int pass_min_len = 6;
- no_pass_expiry
+ /* <DO NOT free() THESE> */
+ const char *user;
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 8105400..91e7478 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -101,50 +101,52 @@ typedef struct {
+ #define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
+ #define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
+ #define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
++#define UNIX_OBSCURE_CHECKS 34 /* enable obscure checks on passwords */
+ /* -------------- */
+-#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 35 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
+
+ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ {
+-/* symbol token name ctrl mask ctrl *
+- * --------------------------- -------------------- ------------------------- ---------------- */
+-
+-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
+-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
+-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
+-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
+-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
+-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
+-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
+-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
+-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
+-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
+-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
+-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
+-/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
+-/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
+-/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
+-/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0},
++/* symbol token name ctrl mask ctrl *
++ * --------------------------- -------------------- ------------------------- ------------ */
++
++/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 0x1, 0},
++/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 0x2, 0},
++/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 0x4, 0},
++/* UNIX_AUDIT */ {"audit", _ALL_ON_, 0x8, 0},
++/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(0x30ULL), 0x10, 0},
++/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(0x30ULL), 0x20, 0},
++/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0x40, 0},
++/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180ULL), 0x80, 0},
++/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180ULL), 0x100, 0},
++/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200, 0},
++/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400, 0},
++/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800, 0},
++/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000, 0},
++/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0x6EC22000ULL), 0x2000, 1},
++/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(0x200ULL), 0, 0},
++/* UNIX_DEBUG */ {"debug", _ALL_ON_, 0x4000, 0},
++/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0x8000, 0},
++/* UNIX_NIS */ {"nis", _ALL_ON_, 0x10000, 0},
++/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000, 1},
++/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 0x40000, 0},
++/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 0x80000, 0},
++/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 0x100000, 0},
++/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 0x200000, 0},
++/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0x6EC22000ULL), 0x400000, 1},
++/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0x6EC22000ULL), 0x800000, 1},
++/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0x1000000, 0},
++/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0x6EC22000ULL), 0x2000000, 1},
++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0x4000000, 0},
++/* UNIX_QUIET */ {"quiet", _ALL_ON_, 0x8000000, 0},
++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 0x10000000, 0},
++/* UNIX_DES */ {"des", _ALL_ON_^(0x6EC22000ULL), 0, 1},
++/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x20000000, 1},
++/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(0x6EC22000ULL), 0x40000000, 1},
++/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 0x80000000, 0},
++/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x100000000, 0},
+ };
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
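Review bot: The prototype added to pam_unix_passwd.c declares the last parameter of `obscure_msg` as `unsigned int`, but the new `UNIX_OBSCURE_CHECKS` row in support.h uses flag `0x100000000`, which does not fit in 32 bits, so the call `obscure_msg(pass_old,pass_new,pwd,ctrl)` truncates that bit wherever `unsigned int` is 32 bits wide. The body of obscure.c is not shown in this view, but if it tests the option on its own parameter, the `obscure` checks would silently never run and weak passwords would be accepted even though the option is configured. The parameter should have the same width as the control word (the masks here are written with `ULL`), e.g. `extern const char *obscure_msg(const char *, const char *, const struct passwd *, unsigned long long);`, with the definition in obscure.c changed to match and the declaration ideally moved into a shared header so the two cannot drift. Separately, the result of `pam_modutil_getpwnam(pamh, user)` is passed on without a NULL check, so `if (pwd == NULL)` should be handled before the call unless obscure_msg is known to tolerate it. `_pam_unix_approve_pass` begins and ends outside the hunk, so the declared type of `ctrl` there should be confirmed.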