[linux-pam] Non-fast-forward update to branch master
by Dmitry V. Levin
The branch 'master' was changed in a way that was not a fast-forward update.
NOTE: This may cause problems for people pulling from the branch. For more information,
please see:
http://live.gnome.org/Git/Help/NonFastForward
Commits removed from the branch:
947b31e... pam_tty_audit: add an option to control logging of password
Commits added to the branch:
3336865... pam_tty_audit: add an option to control logging of password (*)
(*) This commit already existed in another branch; no separate mail sent
10 years, 10 months
[linux-pam/ldv/master] pam_tty_audit: add an option to control logging of passwords: log_passwd
by Dmitry V. Levin
commit 333686501468f66160c8eb50ae23f1dc08b82e12
Author: Richard Guy Briggs <rgb(a)redhat.com>
Date: Fri Jun 21 08:29:00 2013 -0400
pam_tty_audit: add an option to control logging of passwords: log_passwd
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
configure.in | 6 ++++++
modules/pam_tty_audit/pam_tty_audit.8.xml | 15 +++++++++++++++
modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++-
3 files changed, 43 insertions(+), 1 deletions(-)
---
diff --git a/configure.in b/configure.in
index 515b301..b92d9ac 100644
--- a/configure.in
+++ b/configure.in
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
fi
else
LIBAUDIT=""
@@ -393,6 +397,8 @@ fi
AC_SUBST(LIBAUDIT)
AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
[test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD],
+ [test "x$ac_cv_member_audit_tty_status_log_passwd" = xyes])
AC_CHECK_HEADERS(xcrypt.h crypt.h)
AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 447b845..552353c 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root
<para>
pam_tty_audit was written by Miloslav Trmač
<mitr(a)redhat.com>.
+ The log_passwd option was added by Richard Guy Briggs
+ <rgb(a)redhat.com>.
</para>
</refsect1>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index 080f495..a3b590d 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;
10 years, 10 months
[linux-pam] Created branch ldv/master
by Dmitry V. Levin
The branch 'ldv/master' was created.
Summary of new commits:
3336865... pam_tty_audit: add an option to control logging of password
10 years, 10 months
[linux-pam] pam_tty_audit: add an option to control logging of passwords: log_passwd
by Tomáš Mráz
commit 947b31e9494c198cffc6b4917ecf8723a5ad4486
Author: Richard Guy Briggs <rgb(a)redhat.com>
Date: Fri Jun 21 08:29:00 2013 -0400
pam_tty_audit: add an option to control logging of passwords: log_passwd
On Fri, Jun 21, 2013 at 04:38:16AM +0400, Dmitry V. Levin wrote:
> On Tue, Jun 11, 2013 at 11:30:43AM -0400, Richard Guy Briggs wrote:
> > On Mon, Jun 10, 2013 at 04:59:37PM -0400, Richard Guy Briggs wrote:
> > > On Wed, Jun 05, 2013 at 02:54:09AM +0400, Dmitry V. Levin wrote:
> > > > On Thu, May 23, 2013 at 10:29:59AM -0400, Richard Guy Briggs wrote:
> > > > > Most commands are entered one line at a time and processed as complete lines
> > > > > in non-canonical mode. Commands that interactively require a password, enter
> > > > > canonical mode with echo set to off to do this. This feature (icanon and
> > > > > !echo) can be used to avoid logging passwords by audit while still logging the
> > > > > rest of the command.
> > > > >
> > > > > Adding a member to the struct audit_tty_status passed in by pam_tty_audit
> > > > > allows control of logging passwords per task.
> > > >
> > > > Sorry for the long delay with review. Please see my comments below.
> > >
> > > Ditto...
> >
> > Please find a new patch at the end...
>
> The patch looks OK. If commit message contained a ChangeLog-style entry
> for the change (see README-hacking file), it would be ready for commit.
Here you go:
From: Richard Guy Briggs <rgb(a)redhat.com>
Date: Thu, 21 Mar 2013 00:56:51 -0400
Subject: [PATCH] pam_tty_audit: add an option to control logging of passwords: log_passwd
pam_tty_audit: add an option to control logging of passwords: log_passwd
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
configure.in | 6 ++++++
modules/pam_tty_audit/pam_tty_audit.8.xml | 15 +++++++++++++++
modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++-
3 files changed, 43 insertions(+), 1 deletions(-)
---
diff --git a/configure.in b/configure.in
index 515b301..b92d9ac 100644
--- a/configure.in
+++ b/configure.in
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
fi
else
LIBAUDIT=""
@@ -393,6 +397,8 @@ fi
AC_SUBST(LIBAUDIT)
AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
[test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD],
+ [test "x$ac_cv_member_audit_tty_status_log_passwd" = xyes])
AC_CHECK_HEADERS(xcrypt.h crypt.h)
AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 447b845..552353c 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root
<para>
pam_tty_audit was written by Miloslav Trmač
<mitr(a)redhat.com>.
+ The log_passwd option was added by Richard Guy Briggs
+ <rgb(a)redhat.com>.
</para>
</refsect1>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index 080f495..a3b590d 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;
10 years, 10 months
[linux-pam] Man page fix - unix_update runs in the permissive mode as well.
by Tomáš Mráz
commit 43a69398c33f8580c5925953fa7ee561666d8e33
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Thu Jun 20 10:11:43 2013 +0200
Man page fix - unix_update runs in the permissive mode as well.
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
modules/pam_unix/unix_update.8.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/modules/pam_unix/unix_update.8.xml b/modules/pam_unix/unix_update.8.xml
index 0769595..6c7467b 100644
--- a/modules/pam_unix/unix_update.8.xml
+++ b/modules/pam_unix/unix_update.8.xml
@@ -38,7 +38,7 @@
<para>
The purpose of the helper is to enable tighter confinement of
login and password changing services. The helper is thus called only
- when SELinux is enabled and in the enforcing mode on the system.
+ when SELinux is enabled on the system.
</para>
<para>
10 years, 10 months
[linux-pam] Use hash from /etc/login.defs as default if no other one is specified as argument.
by kukuk
commit a36df58aa78531a4629f90f732be475e9296a842
Author: Thorsten Kukuk <kukuk(a)orinoco.thkukuk.de>
Date: Tue Jun 18 16:27:15 2013 +0200
Use hash from /etc/login.defs as default if no
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
modules/pam_umask/pam_umask.c | 6 ++-
modules/pam_unix/pam_unix.8.xml | 7 ++-
modules/pam_unix/support.c | 106 ++++++++++++++++++++++++++++++++++++++-
modules/pam_unix/support.h | 63 +++++++++++++----------
4 files changed, 151 insertions(+), 31 deletions(-)
---
diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c
index 6d2ec1a..863f038 100644
--- a/modules/pam_umask/pam_umask.c
+++ b/modules/pam_umask/pam_umask.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2006, 2007, 2010 Thorsten Kukuk <kukuk(a)thkukuk.de>
+ * Copyright (c) 2005, 2006, 2007, 2010, 2013 Thorsten Kukuk <kukuk(a)thkukuk.de>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -112,6 +112,10 @@ search_key (const char *filename)
{
buflen = BUF_SIZE;
buf = malloc (buflen);
+ if (buf == NULL) {
+ fclose (fp);
+ return NULL;
+ }
}
buf[0] = '\0';
if (fgets (buf, buflen - 1, fp) == NULL)
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 0a42d7a..9ce084e 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -81,7 +81,9 @@
<para>
The password component of this module performs the task of updating
- the user's password.
+ the user's password. The default encryption hash is taken from the
+ <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+ <emphasis>/etc/login.defs</emphasis>
</para>
<para>
@@ -393,6 +395,9 @@ session required pam_unix.so
<title>SEE ALSO</title>
<para>
<citerefentry>
+ <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index ab04535..f36786e 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,6 +37,80 @@
#define SELINUX_ENABLED 0
#endif
+static char *
+search_key (const char *key, const char *filename)
+{
+ FILE *fp;
+ char *buf = NULL;
+ size_t buflen = 0;
+ char *retval = NULL;
+
+ fp = fopen (filename, "r");
+ if (NULL == fp)
+ return NULL;
+
+ while (!feof (fp))
+ {
+ char *tmp, *cp;
+#if defined(HAVE_GETLINE)
+ ssize_t n = getline (&buf, &buflen, fp);
+#elif defined (HAVE_GETDELIM)
+ ssize_t n = getdelim (&buf, &buflen, '\n', fp);
+#else
+ ssize_t n;
+
+ if (buf == NULL)
+ {
+ buflen = BUF_SIZE;
+ buf = malloc (buflen);
+ if (buf == NULL) {
+ fclose (fp);
+ return NULL;
+ }
+ }
+ buf[0] = '\0';
+ if (fgets (buf, buflen - 1, fp) == NULL)
+ break;
+ else if (buf != NULL)
+ n = strlen (buf);
+ else
+ n = 0;
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
+ cp = buf;
+
+ if (n < 1)
+ break;
+
+ tmp = strchr (cp, '#'); /* remove comments */
+ if (tmp)
+ *tmp = '\0';
+ while (isspace ((int)*cp)) /* remove spaces and tabs */
+ ++cp;
+ if (*cp == '\0') /* ignore empty lines */
+ continue;
+
+ if (cp[strlen (cp) - 1] == '\n')
+ cp[strlen (cp) - 1] = '\0';
+
+ tmp = strsep (&cp, " \t=");
+ if (cp != NULL)
+ while (isspace ((int)*cp) || *cp == '=')
+ ++cp;
+
+ if (strcasecmp (tmp, key) == 0)
+ {
+ retval = strdup (cp);
+ break;
+ }
+ }
+ fclose (fp);
+
+ free (buf);
+
+ return retval;
+}
+
+
/* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -58,6 +132,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
int *pass_min_len, int argc, const char **argv)
{
unsigned int ctrl;
+ char *val;
+ int j;
D(("called."));
@@ -81,10 +157,38 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
D(("SILENT"));
set(UNIX__QUIET, ctrl);
}
+
+ /* preset encryption method with value from /etc/login.defs */
+ val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+
+ /* read number of rounds for crypt algo */
+ if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+ val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+
+ if (val) {
+ *rounds = strtol(val, NULL, 10);
+ free (val);
+ }
+ }
+ }
+
/* now parse the arguments to this module */
for (; argc-- > 0; ++argv) {
- int j;
D(("pam_unix arg: %s", *argv));
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index db4cd95..6575938 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -8,6 +8,12 @@
#include <pwd.h>
/*
+ * File to read value of ENCRYPT_METHOD from.
+ */
+#define LOGIN_DEFS "/etc/login.defs"
+
+
+/*
* here is the string to inform the user that the new passwords they
* typed were not the same.
*/
@@ -20,6 +26,7 @@ typedef struct {
const char *token;
unsigned int mask; /* shall assume 32 bits of flags */
unsigned int flag;
+ unsigned int is_hash_algo;
} UNIX_Ctrls;
/*
@@ -100,34 +107,34 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* symbol token name ctrl mask ctrl *
* ----------------------- ------------------- --------------------- -------- */
-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01},
-/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02},
-/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04},
-/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010},
-/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020},
-/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040},
-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100},
-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200},
-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400},
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000},
-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000},
-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000},
-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000},
-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000},
-/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0},
-/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000},
-/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000},
-/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000},
-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000},
-/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000},
-/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000},
-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000},
-/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000},
-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000},
-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000},
-/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000},
-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000},
-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
+/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
+/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
+/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
+/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
+/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
+/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
+/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},
+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
+/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
+/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
+/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
+/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
+/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
+/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
+/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
+/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
+/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
+/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
10 years, 10 months