pam/pam-1.3.1-unix-checksalt_syslog.patch

From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Mon, 26 Nov 2018 22:33:17 +0100
Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to
 syslog.

libxcrypt can be build-time configured to support (or not support)
various hashing methods.  Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.

For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.

Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.

* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.
---
 modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index eb2444bb..2c808eb5 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
 			 * Ok, we don't know the crypt algorithm, but maybe
 			 * libcrypt knows about it? We should try it.
 			 */
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+			/* Get the status of the hash from checksalt */
+			int retval_checksalt = crypt_checksalt(hash);
+
+			/*
+			 * Check for hashing methods that are disabled by
+			 * libcrypt configuration and/or system preset.
+			 */
+			if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
+				/*
+				 * pam_syslog() needs a pam handle,
+				 * but that's not available here.
+				 */
+				helper_log_err(LOG_ERR,
+				  "pam_unix(verify_pwd_hash): The method "
+				  "for computing the hash \"%.6s\" has been "
+				  "disabled in libcrypt by the preset from "
+				  "the system's vendor and/or administrator.",
+				  hash);
+			}
+			/*
+			 * Check for malformed hashes, like descrypt hashes
+			 * starting with "$2...", which might have been
+			 * generated by unsafe base64 encoding functions
+			 * as used in glibc <= 2.16.
+			 * Such hashes are likely to be rejected by many
+			 * recent implementations of libcrypt.
+			 */
+			if (retval_checksalt == CRYPT_SALT_INVALID) {
+				helper_log_err(LOG_ERR,
+				  "pam_unix(verify_pwd_hash): The hash \"%.6s\""
+				  "does not use a method known by the version "
+				  "of libcrypt this system is supplied with.",
+				  hash);
+			}
+#endif
 #ifdef HAVE_CRYPT_R
 			struct crypt_data *cdata;
 			cdata = malloc(sizeof(*cdata));
Backport upstream commit reporting disabled or invalid hashes to syslog 2018-12-02 19:09:02 +00:00			`From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>`
			`Date: Mon, 26 Nov 2018 22:33:17 +0100`
			`Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to`
			`syslog.`

			`libxcrypt can be build-time configured to support (or not support)`
			`various hashing methods. Future versions will also have support for`
			`runtime configuration by the system's vendor and/or administrator.`

			`For that reason adminstrator should be notified by pam if users cannot`
			`log into their account anymore because of such a change in the system's`
			`configuration of libxcrypt.`

			`Also check for malformed hashes, like descrypt hashes starting with`
			`"$2...", which might have been generated by unsafe base64 encoding`
			`functions as used in glibc <= 2.16.`
			`Such hashes are likely to be rejected by many recent implementations`
			`of libcrypt.`

			`* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable`
			`hashes found by checksalt to syslog.`
			`---`
			`modules/pam_unix/passverify.c \| 36 +++++++++++++++++++++++++++++++++++`
			`1 file changed, 36 insertions(+)`

			`diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c`
			`index eb2444bb..2c808eb5 100644`
			`--- a/modules/pam_unix/passverify.c`
			`+++ b/modules/pam_unix/passverify.c`
			`@@ -103,6 +103,42 @@ verify_pwd_hash(const char p, char hash, unsigned int nullok)`
			`* Ok, we don't know the crypt algorithm, but maybe`
			`* libcrypt knows about it? We should try it.`
			`*/`
			`+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE`
			`+ /* Get the status of the hash from checksalt */`
			`+ int retval_checksalt = crypt_checksalt(hash);`
			`+`
			`+ /*`
			`+ * Check for hashing methods that are disabled by`
			`+ * libcrypt configuration and/or system preset.`
			`+ */`
			`+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {`
			`+ /*`
			`+ * pam_syslog() needs a pam handle,`
			`+ * but that's not available here.`
			`+ */`
			`+ helper_log_err(LOG_ERR,`
			`+ "pam_unix(verify_pwd_hash): The method "`
			`+ "for computing the hash \"%.6s\" has been "`
			`+ "disabled in libcrypt by the preset from "`
			`+ "the system's vendor and/or administrator.",`
			`+ hash);`
			`+ }`
			`+ /*`
			`+ * Check for malformed hashes, like descrypt hashes`
			`+ * starting with "$2...", which might have been`
			`+ * generated by unsafe base64 encoding functions`
			`+ * as used in glibc <= 2.16.`
			`+ * Such hashes are likely to be rejected by many`
			`+ * recent implementations of libcrypt.`
			`+ */`
			`+ if (retval_checksalt == CRYPT_SALT_INVALID) {`
			`+ helper_log_err(LOG_ERR,`
			`+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""`
			`+ "does not use a method known by the version "`
			`+ "of libcrypt this system is supplied with.",`
			`+ hash);`
			`+ }`
			`+#endif`
			`#ifdef HAVE_CRYPT_R`
			`struct crypt_data *cdata;`
			`cdata = malloc(sizeof(*cdata));`