summaryrefslogtreecommitdiffstats
path: root/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch')
-rw-r--r--source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch105
1 files changed, 105 insertions, 0 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch b/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch
new file mode 100644
index 00000000..8755cf60
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch
@@ -0,0 +1,105 @@
+Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix.8.xml
++++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml
+@@ -293,11 +293,10 @@
+ <listitem>
+ <para>
+ When a user changes their password next,
+- encrypt it with the SHA256 algorithm. If the
+- SHA256 algorithm is not known to the <citerefentry>
++ encrypt it with the SHA256 algorithm. The
++ SHA256 algorithm must be supported by the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry> function,
+- fall back to MD5.
++ </citerefentry> function.
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -308,11 +307,10 @@
+ <listitem>
+ <para>
+ When a user changes their password next,
+- encrypt it with the SHA512 algorithm. If the
+- SHA512 algorithm is not known to the <citerefentry>
++ encrypt it with the SHA512 algorithm. The
++ SHA512 algorithm must be supported by the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry> function,
+- fall back to MD5.
++ </citerefentry> function.
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -323,11 +321,10 @@
+ <listitem>
+ <para>
+ When a user changes their password next,
+- encrypt it with the blowfish algorithm. If the
+- blowfish algorithm is not known to the <citerefentry>
++ encrypt it with the blowfish algorithm. The
++ blowfish algorithm must be supported by the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry> function,
+- fall back to MD5.
++ </citerefentry> function.
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -338,11 +335,10 @@
+ <listitem>
+ <para>
+ When a user changes their password next,
+- encrypt it with the gost-yescrypt algorithm. If the
+- gost-yescrypt algorithm is not known to the <citerefentry>
++ encrypt it with the gost-yescrypt algorithm. The
++ gost-yescrypt algorithm must be supported by the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry> function,
+- fall back to MD5.
++ </citerefentry> function.
+ </para>
+ </listitem>
+ </varlistentry>
+@@ -353,11 +349,10 @@
+ <listitem>
+ <para>
+ When a user changes their password next,
+- encrypt it with the yescrypt algorithm. If the
+- yescrypt algorithm is not known to the <citerefentry>
++ encrypt it with the yescrypt algorithm. The
++ yescrypt algorithm must be supported by the <citerefentry>
+ <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+- </citerefentry> function,
+- fall back to MD5.
++ </citerefentry> function.
+ </para>
+ </listitem>
+ </varlistentry>
+Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c
++++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c
+@@ -466,10 +466,9 @@ PAMH_ARG_DECL(char * create_password_has
+ sp = crypt(password, salt);
+ #endif
+ if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
+- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
++ /* libxcrypt/libc doesn't know the algorithm, error out */
+ pam_syslog(pamh, LOG_ERR,
+- "Algo %s not supported by the crypto backend, "
+- "falling back to MD5\n",
++ "Algo %s not supported by the crypto backend.\n",
+ on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
+ on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
+ on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
+@@ -481,7 +480,7 @@ PAMH_ARG_DECL(char * create_password_has
+ #ifdef HAVE_CRYPT_R
+ free(cdata);
+ #endif
+- return crypt_md5_wrapper(password);
++ return NULL;
+ }
+ sp = x_strdup(sp);
+ #ifdef HAVE_CRYPT_R