authselect/authselect-1.2.3-yescrypt_support.patch
Björn Esser 2febf363e9
Backport support for yescrypt hash method
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2021-06-21 13:50:01 +02:00


Index: authselect-1.2.3/profiles/minimal/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/minimal/password-auth
+++ authselect-1.2.3/profiles/minimal/password-auth
@@ -10,7 +10,7 @@ account required
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
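Review bot: The new `password sufficient pam_unix.so yescrypt ...` line only works if the installed pam_unix and libcrypt accept the `yescrypt` argument, and nothing in this patch pins that requirement. If the module does not recognise the argument, new passwords will presumably be hashed with pam_unix's default method, which may be weaker than the `sha512` being removed. The package should therefore carry a versioned dependency on a PAM and libxcrypt build with yescrypt support, presumably in the spec file, which is outside this patch. Hashes already in /etc/shadow keep their old format until each user changes their password, so checking the hash prefix of a freshly changed password after the upgrade confirms the switch took effect. The same applies to the identical change in minimal/system-auth and in the sssd and winbind profiles; sites whose policy mandates SHA-512 get no switch here, and a conditional in the style of the existing `{if not "without-nullok":nullok}` would keep that selectable without a custom profile.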
Index: authselect-1.2.3/profiles/minimal/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/minimal/system-auth
+++ authselect-1.2.3/profiles/minimal/system-auth
@@ -10,7 +10,7 @@ account required
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/nis/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/nis/password-auth
+++ authselect-1.2.3/profiles/nis/password-auth
@@ -12,7 +12,7 @@ account required
account required pam_unix.so broken_shadow
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
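Review bot: In the nis profile the `yescrypt` argument sits on the same pam_unix line as `nis`, so hashes produced on a password change are presumably published through the NIS maps and must then be verifiable by every client in the domain. A client whose crypt() implementation lacks yescrypt would be unable to authenticate a user after that user's next password change, which is an availability risk in mixed-version domains. Consider keeping `sha512` for the nis profiles, or stating the client requirement in the profile README; nis/system-auth carries the same change.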
Index: authselect-1.2.3/profiles/nis/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/nis/system-auth
+++ authselect-1.2.3/profiles/nis/system-auth
@@ -13,7 +13,7 @@ account required
account required pam_unix.so broken_shadow
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/sssd/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/sssd/password-auth
+++ authselect-1.2.3/profiles/sssd/password-auth
@@ -21,7 +21,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
Index: authselect-1.2.3/profiles/sssd/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/sssd/system-auth
+++ authselect-1.2.3/profiles/sssd/system-auth
@@ -26,7 +26,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
Index: authselect-1.2.3/profiles/winbind/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/winbind/password-auth
+++ authselect-1.2.3/profiles/winbind/password-auth
@@ -18,7 +18,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
Index: authselect-1.2.3/profiles/winbind/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/winbind/system-auth
+++ authselect-1.2.3/profiles/winbind/system-auth
@@ -19,7 +19,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
Index: authselect-1.2.3/src/compat/authcompat_Options.py
===================================================================
--- authselect-1.2.3.orig/src/compat/authcompat_Options.py
+++ authselect-1.2.3/src/compat/authcompat_Options.py
@@ -145,7 +145,7 @@ class Options:
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedFeature("md5"),
Option.UnsupportedSwitch ("usemd5"),
- Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
+ Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>")),
Option.UnsupportedValued ("ldaploadcacert", _("<URL>")),
Option.UnsupportedValued ("smartcardmodule", _("<module>")),
Option.UnsupportedValued ("smbsecurity", _("<user|server|domain|ads>")),
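Review bot: `passalgo` is declared with `Option.UnsupportedValued`, so adding `yescrypt` to the displayed value list changes only the help text. A script that passes `--passalgo=sha512` to satisfy a hashing policy now ends up with the yescrypt profile line instead. Whether the tool warns about unsupported options is not visible here, since the enclosing `Options` class continues outside the hunk; if it does not, a warning for `passalgo` would be worth adding. The edited string is wrapped in `_()`, so existing translations of the old text will stop matching until the message catalogs are refreshed.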
Index: authselect-1.2.3/src/man/authselect-migration.7.adoc
===================================================================
--- authselect-1.2.3.orig/src/man/authselect-migration.7.adoc
+++ authselect-1.2.3/src/man/authselect-migration.7.adoc
@@ -1,6 +1,6 @@
authselect-migration(7)
=======================
-:revdate: 2018-03-18
+:revdate: 2021-06-04
NAME
----
@@ -85,8 +85,16 @@ configuration file for required services
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
|--enablewinbindkrb5 |with-krb5
+|--enableshadow |_none_
+|--passalgo |_none_
|==================================================
+NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
+used to make sure that passwords are stored in `/etc/shadow` using `sha512`
+algorithm. *The authselect profiles now use the yescrypt hashing method* and
+it cannot be changed through an option (only by creating a custom profile).
+You can just omit these options.
+
.Examples
----
authconfig --enableldap --enableldapauth --enablefaillock --updateall