Add a patch to not use crypt_checksalt for password expiration
Resolves: #1965345, #1967150
This commit is contained in:
parent
1d8ac5d19c
commit
3b25774300
39
pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
Normal file
39
pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Thu, 10 Jun 2021 14:00:00 +0000
|
||||
Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
|
||||
password expiration
|
||||
|
||||
According to Zack Weinberg, the intended meaning of
|
||||
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
|
||||
method", it is not supposed to mean "force a password change on next
|
||||
login for any user with an existing stored hash using this method".
|
||||
|
||||
This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
|
||||
|
||||
* modules/pam_unix/passverify.c (check_shadow_expiry)
|
||||
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
|
||||
|
||||
Closes: https://github.com/linux-pam/linux-pam/issues/367
|
||||
---
|
||||
modules/pam_unix/passverify.c | 6 ------
|
||||
1 file changed, 6 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||
index f6132f80..5a19ed85 100644
|
||||
--- a/modules/pam_unix/passverify.c
|
||||
+++ b/modules/pam_unix/passverify.c
|
||||
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
|
||||
D(("account expired"));
|
||||
return PAM_ACCT_EXPIRED;
|
||||
}
|
||||
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
|
||||
- if (spent->sp_lstchg == 0 ||
|
||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
|
||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
|
||||
-#else
|
||||
if (spent->sp_lstchg == 0) {
|
||||
-#endif
|
||||
D(("need a new password"));
|
||||
*daysleft = 0;
|
||||
return PAM_NEW_AUTHTOK_REQD;
|
10
pam.spec
10
pam.spec
@ -3,7 +3,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.5.1
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
@ -27,6 +27,9 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||
Patch1: pam-1.5.0-redhat-modules.patch
|
||||
Patch2: pam-1.5.0-noflex.patch
|
||||
Patch3: pam-1.3.0-unix-nomsg.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/368
|
||||
Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
|
||||
|
||||
|
||||
%global _pamlibdir %{_libdir}
|
||||
%global _moduledir %{_libdir}/security
|
||||
@ -110,6 +113,7 @@ cp %{SOURCE18} .
|
||||
%patch1 -p1 -b .redhat-modules
|
||||
%patch2 -p1 -b .noflex
|
||||
%patch3 -p1 -b .nomsg
|
||||
%patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
|
||||
|
||||
autoreconf -i
|
||||
|
||||
@ -377,6 +381,10 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.1-6
|
||||
- Add a patch to not use crypt_checksalt for password expiration
|
||||
Resolves: #1965345, #1967150
|
||||
|
||||
* Fri Apr 16 2021 Benjamin Berg <bberg@redhat.com> - 1.5.1-5
|
||||
- Add script to avoid fingerprint-auth issues for long term Fedora users
|
||||
Resolves: #1942443
|
||||
|
Loading…
Reference in New Issue
Block a user