Add cli frontend for pw, add. error handling
parent
d492fc3986
commit
450d514a0c
@ -1,15 +1,17 @@
|
|||||||
minlen = 8
|
difok = 99
|
||||||
|
minlen = 7
|
||||||
dcredit = 0
|
dcredit = 0
|
||||||
ucredir = 0
|
ucredit = 0
|
||||||
lcredit = 0
|
lcredit = 0
|
||||||
ocredit = 0
|
ocredit = 0
|
||||||
minclass = 0
|
minclass = 0
|
||||||
maxrepeat = 0
|
maxrepeat = 0
|
||||||
maxsequence = 0
|
maxsequence = 0
|
||||||
maxclassrepeat = 0
|
maxclassrepeat = 0
|
||||||
gecoscheck = 0
|
gecoscheck = FALSE
|
||||||
dictcheck = 1
|
dictcheck = 1
|
||||||
usercheck = 1
|
usercheck = 0
|
||||||
usersubstr = 0
|
usersubstr = 0
|
||||||
enforcing = 1
|
enforcing = 1
|
||||||
retry = 1
|
retry = 1
|
||||||
|
enforce_for_root
|
||||||
|
@ -0,0 +1,75 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
source "${DESTDIR}/usr/share/linux-infosec-setupper/common.sh"
|
||||||
|
|
||||||
|
# Check whether we are running the script for the first time
|
||||||
|
# Since the config may be standard from the package, it may not be parsed correctly.
|
||||||
|
# We write our default config instead of the original one, so that the parsing works correctly
|
||||||
|
if ! [[ -f "${VAR_DIR_PWQUALITY}/pw_changed" ]]; then
|
||||||
|
cat "${SHARE_DIR_PWQUALITY}/pw_default" > "${DESTDIR}/etc/security/pwquality.conf" || { error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }
|
||||||
|
install -D -m 444 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed" || { error $"Unable to write to file %s" "${VAR_DIR_PWQUALITY}/pw_changed"; exit 1; }
|
||||||
|
fi
|
||||||
|
|
||||||
|
source "${SHARE_DIR_PWQUALITY}/parse_pwquality.sh"
|
||||||
|
source "${SHARE_DIR_PWQUALITY}/back_pwquality.sh"
|
||||||
|
|
||||||
|
while read -r line; do declare "$line" || { error $"Unable to parse /etc/security/pwquality.conf correctly; execute \n%s" "rm ${VAR_DIR_PWQUALITY}/pw_changed"; exit 1; }; done < <(_pw_parse_conf)
|
||||||
|
|
||||||
|
PWQUALITY_FRONT=1
|
||||||
|
failed=0
|
||||||
|
_args="$(echo "$@" | sed 's/\(d \|-d \)/--difok /
|
||||||
|
;s/\(m \|-m \)/--minlen /
|
||||||
|
;s/\(dc \|-dc \)/--dcredit /
|
||||||
|
;s/\(uc \|-uc \)/--ucredit /
|
||||||
|
;s/\(lc \|-lc \)/--lcredit /
|
||||||
|
;s/\(oc \|-oc \)/--ocredit /
|
||||||
|
;s/\(geco \|-geco \)/--gecoscheck /
|
||||||
|
;s/\(e \|-e \)/--enforcing /
|
||||||
|
;s/\(r \|-r \)/--retry /')"
|
||||||
|
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
error $"No arguments specified"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$1" in -h|--help|h|help)
|
||||||
|
echo $"Usage: #NAME# --[OPTIONS...]"
|
||||||
|
echo $"#NAME# allows you to manage the file configuration for pwquality in the cli option. A GUI version is also available: #NAME2#"
|
||||||
|
echo ''
|
||||||
|
echo $" Options:"
|
||||||
|
echo $" d, difok Number of characters in the new password that must not be present in the old password"
|
||||||
|
echo $" m, minlen Minimum acceptable size for the new password"
|
||||||
|
echo $" dc, dcredit The maximum credit for having digits in the new password"
|
||||||
|
echo $" uc, ucredit The maximum credit for having uppercase characters in the new password"
|
||||||
|
echo $" lc, lcredit The maximum credit for having lowercase characters in the new password"
|
||||||
|
echo $" oc, ocredit The maximum credit for having other characters in the new password"
|
||||||
|
echo $" minclass The minimum number of required classes of characters for the new password"
|
||||||
|
echo $" maxrepeat The maximum number of allowed same consecutive characters in the new password"
|
||||||
|
echo $" maxsequence The maximum length of monotonic character sequences in the new password"
|
||||||
|
echo $" maxclassrepeat The maximum number of allowed consecutive characters of the same class in the new password"
|
||||||
|
echo $" geco, gecoscheck Check whether the words longer than 3 characters from the GECOS field of the user's passwd(5) entry are contained in the new password"
|
||||||
|
echo $" dictcheck Check whether the password (with possible modifications) matches a word in a dictionary"
|
||||||
|
echo $" usercheck Check whether the password (with possible modifications) contains the user name in some form"
|
||||||
|
echo $" usersubstr Check whether the password contains a substring of at least N length in some form"
|
||||||
|
echo $" enforcing Reject the password if it fails the checks, otherwise only print the warning"
|
||||||
|
echo $" retry Prompt user at most N times before returning with error"
|
||||||
|
echo $" enforce_for_root The module will return error on failed check even if the user changing the password is root"
|
||||||
|
echo $" local_users_only The module will not test the password quality for users that are not present in the /etc/passwd file"
|
||||||
|
echo ''
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
_number=1
|
||||||
|
while read -r args; do
|
||||||
|
if [[ $(( _number % 2 )) = 1 ]]; then
|
||||||
|
case "$args" in
|
||||||
|
--*) : ;;
|
||||||
|
-*) args="-$args" ;;
|
||||||
|
*) args="--$args" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
arg_line+=("$args")
|
||||||
|
((_number++))
|
||||||
|
done < <(echo -e "${_args// /\\n}")
|
||||||
|
_mk_pwquality_conf ${arg_line[@]} > "${DESTDIR}/etc/security/pwquality.conf" || { error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }
|
Loading…
Reference in New Issue