pam/pam-0.99.7.1-unix-hpux-aging.patch

o For non-extensible-style hashes, strip off anything after the 13th character
  which would not be valid as part of a hash.  On HP/UX, this clips off a comma
  followed by encoded aging information.

  The real problem is a complete lack of any standard for storing password
  aging information (actually, for anything having to do with password aging)
  for users across operating systems, but there's nothing we can do about that
  here.

--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.unix-hpux-aging	2007-06-01 15:21:08.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c	2007-06-01 15:24:32.000000000 +0200
@@ -573,6 +573,21 @@
     return retval;
 }
 
+static void strip_hpux_aging(char *p)
+{
+	const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+			    "abcdefghijklmnopqrstuvwxyz"
+			    "0123456789./";
+	if ((*p != '$') && (strlen(p) > 13)) {
+		for (p += 13; *p != '\0'; p++) {
+			if (strchr(valid, *p) == NULL) {
+				*p = '\0';
+				break;
+			}
+		}
+	}
+}
+
 int _unix_verify_password(pam_handle_t * pamh, const char *name
 			  ,const char *p, unsigned int ctrl)
 {
@@ -679,7 +694,9 @@
 			}
 		}
 	} else {
-	    size_t salt_len = strlen(salt);
+	    size_t salt_len;
+	    strip_hpux_aging(salt);
+	    salt_len = strlen(salt);
 	    if (!salt_len) {
 		/* the stored password is NULL */
 		if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
--- Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c.unix-hpux-aging	2007-06-01 15:21:08.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c	2007-06-01 15:26:26.000000000 +0200
@@ -146,6 +146,22 @@
 	return i;
 }
 
+static void
+strip_hpux_aging(char *p)
+{
+	const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+			    "abcdefghijklmnopqrstuvwxyz"
+			    "0123456789./";
+	if ((*p != '$') && (strlen(p) > 13)) {
+		for (p += 13; *p != '\0'; p++) {
+			if (strchr(valid, *p) == NULL) {
+				*p = '\0';
+				break;
+			}
+		}
+	}
+}
+
 int
 _unix_verify_password(const char *name, const char *p, int nullok)
 {
@@ -194,6 +210,7 @@
 		return PAM_USER_UNKNOWN;
 	}
 
+	strip_hpux_aging(salt);
 	salt_len = strlen(salt);
 	if (salt_len == 0) {
 		return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`o For non-extensible-style hashes, strip off anything after the 13th character`
			`which would not be valid as part of a hash. On HP/UX, this clips off a comma`
			`followed by encoded aging information.`

			`The real problem is a complete lack of any standard for storing password`
			`aging information (actually, for anything having to do with password aging)`
			`for users across operating systems, but there's nothing we can do about that`
			`here.`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00
			`--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200`
			`+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:24:32.000000000 +0200`
			`@@ -573,6 +573,21 @@`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`return retval;`
			`}`

			`+static void strip_hpux_aging(char *p)`
			`+{`
			`+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"`
			`+ "abcdefghijklmnopqrstuvwxyz"`
			`+ "0123456789./";`
			`+ if ((*p != '$') && (strlen(p) > 13)) {`
			`+ for (p += 13; *p != '\0'; p++) {`
			`+ if (strchr(valid, *p) == NULL) {`
			`+ *p = '\0';`
			`+ break;`
			`+ }`
			`+ }`
			`+ }`
			`+}`
			`+`
			`int _unix_verify_password(pam_handle_t * pamh, const char *name`
			`,const char *p, unsigned int ctrl)`
			`{`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`@@ -679,7 +694,9 @@`
			`}`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`}`
			`} else {`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`- size_t salt_len = strlen(salt);`
			`+ size_t salt_len;`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`+ strip_hpux_aging(salt);`
			`+ salt_len = strlen(salt);`
			`if (!salt_len) {`
			`/* the stored password is NULL */`
			`if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`--- Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200`
			`+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:26:26.000000000 +0200`
			`@@ -146,6 +146,22 @@`
			`return i;`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`}`

- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`+static void`
			`+strip_hpux_aging(char *p)`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`+{`
			`+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"`
			`+ "abcdefghijklmnopqrstuvwxyz"`
			`+ "0123456789./";`
			`+ if ((*p != '$') && (strlen(p) > 13)) {`
			`+ for (p += 13; *p != '\0'; p++) {`
			`+ if (strchr(valid, *p) == NULL) {`
			`+ *p = '\0';`
			`+ break;`
			`+ }`
			`+ }`
			`+ }`
			`+}`
			`+`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`int`
			`_unix_verify_password(const char name, const char p, int nullok)`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`{`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`@@ -194,6 +210,7 @@`
			`return PAM_USER_UNKNOWN;`
- update to Linux-PAM-0.78 - #140451 parse passwd entries correctly and test for failure 2004-11-23 15:32:59 +00:00			`}`

			`+ strip_hpux_aging(salt);`
			`salt_len = strlen(salt);`
- pam_namespace: better document behavior on failure (#237249) - pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226) 2007-06-04 14:22:15 +00:00			`if (salt_len == 0) {`
			`return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;`