Add a patch to not use crypt_checksalt for password expiration

Resolves: #1965345, #1967150
2021-06-10 21:11:26 +02:00 · 2021-06-10 21:11:26 +02:00 · 3b25774300
commit 3b25774300
parent 1d8ac5d19c
2 changed files with 48 additions and 1 deletions
--- a/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
+++ b/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
@ -0,0 +1,39 @@
 From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@altlinux.org>
 Date: Thu, 10 Jun 2021 14:00:00 +0000
 Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
 password expiration
 According to Zack Weinberg, the intended meaning of
 CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
 method", it is not supposed to mean "force a password change on next
 login for any user with an existing stored hash using this method".
 This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
 * modules/pam_unix/passverify.c (check_shadow_expiry)
 [CRYPT_CHECKSALT_AVAILABLE]: Remove.
 Closes: https://github.com/linux-pam/linux-pam/issues/367
 ---
 modules/pam_unix/passverify.c | 6 ------
 1 file changed, 6 deletions(-)
 diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
 index f6132f80..5a19ed85 100644
 --- a/modules/pam_unix/passverify.c
 +++ b/modules/pam_unix/passverify.c
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 		D(("account expired"));
 		return PAM_ACCT_EXPIRED;
 	}
 -#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
 -	if (spent->sp_lstchg == 0 ||
 -	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
 -	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
 -#else
 	if (spent->sp_lstchg == 0) {
 -#endif
 		D(("need a new password"));
 		*daysleft = 0;
 		return PAM_NEW_AUTHTOK_REQD;
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -27,6 +27,9 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 Patch1:  pam-1.5.0-redhat-modules.patch
 Patch2:  pam-1.5.0-noflex.patch
 Patch3:  pam-1.3.0-unix-nomsg.patch
 # https://github.com/linux-pam/linux-pam/pull/368
 Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_crypt_checksalt_for_pw_expiration.patch
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@ -110,6 +113,7 @@ cp %{SOURCE18} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .noflex
 %patch3 -p1 -b .nomsg
 %patch4 -p1 -b .no_crypt_checksalt_for_pw_expiration
 autoreconf -i
@ -377,6 +381,10 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
 exit 0
 %changelog
 * Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.1-6
 - Add a patch to not use crypt_checksalt for password expiration
  Resolves: #1965345, #1967150
 * Fri Apr 16 2021 Benjamin Berg <bberg@redhat.com> - 1.5.1-5
 - Add script to avoid fingerprint-auth issues for long term Fedora users
  Resolves: #1942443