Diffstat (limited to 'testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch')
-rw-r--r-- | testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch | 73 |
1 files changed, 0 insertions, 73 deletions
diff --git a/testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch b/testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch
deleted file mode 100644
index 5cbc35b0..00000000
--- a/testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Mon, 26 Nov 2018 22:33:17 +0100
-Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to
- syslog.
-
-libxcrypt can be build-time configured to support (or not support)
-various hashing methods. Future versions will also have support for
-runtime configuration by the system's vendor and/or administrator.
-
-For that reason adminstrator should be notified by pam if users cannot
-log into their account anymore because of such a change in the system's
-configuration of libxcrypt.
-
-Also check for malformed hashes, like descrypt hashes starting with
-"$2...", which might have been generated by unsafe base64 encoding
-functions as used in glibc <= 2.16.
-Such hashes are likely to be rejected by many recent implementations
-of libcrypt.
-
-* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
-hashes found by checksalt to syslog.
----
- modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index eb2444bb..2c808eb5 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
- * Ok, we don't know the crypt algorithm, but maybe
- * libcrypt knows about it? We should try it.
- */
-+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-+ /* Get the status of the hash from checksalt */
-+ int retval_checksalt = crypt_checksalt(hash);
-+
-+ /*
-+ * Check for hashing methods that are disabled by
-+ * libcrypt configuration and/or system preset.
-+ */
-+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
-+ /*
-+ * pam_syslog() needs a pam handle,
-+ * but that's not available here.
-+ */
-+ helper_log_err(LOG_ERR,
-+ "pam_unix(verify_pwd_hash): The method "
-+ "for computing the hash \"%.6s\" has been "
-+ "disabled in libcrypt by the preset from "
-+ "the system's vendor and/or administrator.",
-+ hash);
-+ }
-+ /*
-+ * Check for malformed hashes, like descrypt hashes
-+ * starting with "$2...", which might have been
-+ * generated by unsafe base64 encoding functions
-+ * as used in glibc <= 2.16.
-+ * Such hashes are likely to be rejected by many
-+ * recent implementations of libcrypt.
-+ */
-+ if (retval_checksalt == CRYPT_SALT_INVALID) {
-+ helper_log_err(LOG_ERR,
-+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
-+ "does not use a method known by the version "
-+ "of libcrypt this system is supplied with.",
-+ hash);
-+ }
-+#endif
- #ifdef HAVE_CRYPT_R
- struct crypt_data *cdata;
- cdata = malloc(sizeof(*cdata)); |