Backport support for yescrypt hash method

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
Björn Esser 2021-06-21 13:41:27 +02:00
parent 81ffa79713
commit 2febf363e9
2 changed files with 153 additions and 1 deletions


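--- /dev/null
+++ b/authselect-1.2.3-yescrypt_support.patch
@@ -0,0 +1,146 @@
+Index: authselect-1.2.3/profiles/minimal/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/minimal/password-auth
++++ authselect-1.2.3/profiles/minimal/password-auth
+@@ -10,7 +10,7 @@ account required
+account required pam_unix.so
+password requisite pam_pwquality.so try_first_pass
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password required pam_deny.so
+session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/minimal/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/minimal/system-auth
++++ authselect-1.2.3/profiles/minimal/system-auth
+@@ -10,7 +10,7 @@ account required
+account required pam_unix.so
+password requisite pam_pwquality.so try_first_pass
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password required pam_deny.so
+session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/nis/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/nis/password-auth
++++ authselect-1.2.3/profiles/nis/password-auth
+@@ -12,7 +12,7 @@ account required
+account required pam_unix.so broken_shadow
+password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password required pam_deny.so
+session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/nis/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/nis/system-auth
++++ authselect-1.2.3/profiles/nis/system-auth
+@@ -13,7 +13,7 @@ account required
+account required pam_unix.so broken_shadow
+password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password required pam_deny.so
+session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/sssd/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/sssd/password-auth
++++ authselect-1.2.3/profiles/sssd/password-auth
+@@ -21,7 +21,7 @@ account [default=bad success=ok user
+account required pam_permit.so
+password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+Index: authselect-1.2.3/profiles/sssd/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/sssd/system-auth
++++ authselect-1.2.3/profiles/sssd/system-auth
+@@ -26,7 +26,7 @@ account [default=bad success=ok user
+account required pam_permit.so
+password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+Index: authselect-1.2.3/profiles/winbind/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/winbind/password-auth
++++ authselect-1.2.3/profiles/winbind/password-auth
+@@ -18,7 +18,7 @@ account [default=bad success=ok user
+account required pam_permit.so
+password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
+password required pam_deny.so
+Index: authselect-1.2.3/profiles/winbind/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/winbind/system-auth
++++ authselect-1.2.3/profiles/winbind/system-auth
+@@ -19,7 +19,7 @@ account [default=bad success=ok user
+account required pam_permit.so
+password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
+password required pam_deny.so
+Index: authselect-1.2.3/src/compat/authcompat_Options.py
+===================================================================
+--- authselect-1.2.3.orig/src/compat/authcompat_Options.py
++++ authselect-1.2.3/src/compat/authcompat_Options.py
+@@ -145,7 +145,7 @@ class Options:
+Option.UnsupportedSwitch ("useshadow"),
+Option.UnsupportedFeature("md5"),
+Option.UnsupportedSwitch ("usemd5"),
+- Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
++ Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>")),
+Option.UnsupportedValued ("ldaploadcacert", _("<URL>")),
+Option.UnsupportedValued ("smartcardmodule", _("<module>")),
+Option.UnsupportedValued ("smbsecurity", _("<user|server|domain|ads>")),
+Index: authselect-1.2.3/src/man/authselect-migration.7.adoc
+===================================================================
+--- authselect-1.2.3.orig/src/man/authselect-migration.7.adoc
++++ authselect-1.2.3/src/man/authselect-migration.7.adoc
+@@ -1,6 +1,6 @@
+authselect-migration(7)
+=======================
+-:revdate: 2018-03-18
++:revdate: 2021-06-04
+NAME
+----
+@@ -85,8 +85,16 @@ configuration file for required services
+|--enablefaillock |with-faillock
+|--enablepamaccess |with-pamaccess
+|--enablewinbindkrb5 |with-krb5
++|--enableshadow |_none_
++|--passalgo |_none_
+|==================================================
++NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
++used to make sure that passwords are stored in `/etc/shadow` using `sha512`
++algorithm. *The authselect profiles now use the yescrypt hashing method* and
++it cannot be changed through an option (only by creating a custom profile).
++You can just omit these options.
++
+.Examples
+----
+authconfig --enableldap --enableldapauth --enablefaillock --updateall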
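Review bot: The nis profiles (profiles/nis/password-auth and profiles/nis/system-auth) switch pam_unix.so to `yescrypt` while keeping the `nis` option, so a password change is presumably forwarded to the NIS passwd daemon as a `$y$` hash that every host consuming the NIS map must be able to verify; if any consumer has a libcrypt without yescrypt support, those users' new passwords stop working there. I would either keep `sha512` in the two nis profiles or document the prerequisite, e.g. extend the migration NOTE with a sentence like `NIS deployments must ensure every NIS client and the NIS server use a libcrypt that understands yescrypt hashes before switching.` The same applies less severely to the sssd and winbind profiles, where pam_unix only hashes local accounts. The `passalgo` help-string change in authcompat_Options.py is consistent with the profiles, since the option stays unsupported either way.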


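--- a/authselect.spec
+++ b/authselect.spec
@@ -3,13 +3,16 @@
 Name: authselect
 Version: 1.2.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Configures authentication and identity sources from supported profiles
 URL: https://github.com/authselect/authselect
 License: GPLv3+
 Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+# Backported (partially) from https://github.com/authselect/authselect/pull/253.
+Patch0: %{name}-1.2.3-yescrypt_support.patch
 %global makedir %{_builddir}/%{name}-%{version}
 BuildRequires: autoconf
@@ -292,6 +295,9 @@ exit 0
 exit 0
 %changelog
+* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.3-3
+- Backport support for yescrypt hash method
 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.2.3-2
 - Rebuilt for Python 3.10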
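Review bot: Patch0 makes every shipped profile pass the `yescrypt` keyword to pam_unix.so, but the hunk adds no runtime requirement to match; if the installed pam_unix or libxcrypt predates yescrypt support the keyword is presumably unrecognized and the hash actually written to /etc/shadow is whatever pam_unix falls back to, which is weaker than the profile claims without any error at install time. I would add a versioned dependency next to the package's existing Requires lines (outside this hunk), e.g. `Requires: pam >= <first pam_unix release with yescrypt support>` and the corresponding libxcrypt floor, so the package cannot be installed onto a system where the option is inert. The `# Backported (partially)` comment would also be more useful if it said which parts of PR 253 were left out, since that is what a future rebase against the upstream change needs to know.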