diff options
Diffstat (limited to 'source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch')
-rw-r--r-- | source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch new file mode 100644 index 000000000..5cbc35b03 --- /dev/null +++ b/source/a/pam/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch @@ -0,0 +1,73 @@ +From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org> +Date: Mon, 26 Nov 2018 22:33:17 +0100 +Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to + syslog. + +libxcrypt can be build-time configured to support (or not support) +various hashing methods. Future versions will also have support for +runtime configuration by the system's vendor and/or administrator. + +For that reason adminstrator should be notified by pam if users cannot +log into their account anymore because of such a change in the system's +configuration of libxcrypt. + +Also check for malformed hashes, like descrypt hashes starting with +"$2...", which might have been generated by unsafe base64 encoding +functions as used in glibc <= 2.16. +Such hashes are likely to be rejected by many recent implementations +of libcrypt. + +* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable +hashes found by checksalt to syslog. +--- + modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index eb2444bb..2c808eb5 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) + * Ok, we don't know the crypt algorithm, but maybe + * libcrypt knows about it? We should try it. + */ ++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE ++ /* Get the status of the hash from checksalt */ ++ int retval_checksalt = crypt_checksalt(hash); ++ ++ /* ++ * Check for hashing methods that are disabled by ++ * libcrypt configuration and/or system preset. ++ */ ++ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) { ++ /* ++ * pam_syslog() needs a pam handle, ++ * but that's not available here. ++ */ ++ helper_log_err(LOG_ERR, ++ "pam_unix(verify_pwd_hash): The method " ++ "for computing the hash \"%.6s\" has been " ++ "disabled in libcrypt by the preset from " ++ "the system's vendor and/or administrator.", ++ hash); ++ } ++ /* ++ * Check for malformed hashes, like descrypt hashes ++ * starting with "$2...", which might have been ++ * generated by unsafe base64 encoding functions ++ * as used in glibc <= 2.16. ++ * Such hashes are likely to be rejected by many ++ * recent implementations of libcrypt. ++ */ ++ if (retval_checksalt == CRYPT_SALT_INVALID) { ++ helper_log_err(LOG_ERR, ++ "pam_unix(verify_pwd_hash): The hash \"%.6s\"" ++ "does not use a method known by the version " ++ "of libcrypt this system is supplied with.", ++ hash); ++ } ++#endif + #ifdef HAVE_CRYPT_R + struct crypt_data *cdata; + cdata = malloc(sizeof(*cdata)); |