Backport upstream commit using crypt_checksalt for password aging

This commit is contained in:
Björn Esser 2018-11-23 10:17:17 +01:00
parent a0fce7ff9b
commit 65c004f604
No known key found for this signature in database
GPG Key ID: F52E98007594C21D
2 changed files with 64 additions and 0 deletions

View File

@ -0,0 +1,60 @@
From 62425bf2a0c72d0e23139d0b285547a7add26251 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 15 Nov 2018 19:49:44 +0100
Subject: [PATCH] pam_unix: Add support for crypt_checksalt, if libcrypt
supports it.
libxcrypt v4.3 has added the crypt_checksalt function to whether
the prefix at the begining of a given hash string refers to a
supported hashing method.
Future revisions of this function will add support to check whether
the hashing method, the prefix refers to, was disabled or considered
deprecated by the system's factory presets or system administrator.
Furthermore it will be able to detect whether the parameters, which
are used by the corresponding hashing method, being encoded in the
hash string are not considered to be strong enough anymore.
*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
---
modules/pam_unix/passverify.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 1f433b3a..6132130a 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -244,7 +244,13 @@ PAMH_ARG_DECL(int check_shadow_expiry,
D(("account expired"));
return PAM_ACCT_EXPIRED;
}
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ if (spent->sp_lstchg == 0 ||
+ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+#else
if (spent->sp_lstchg == 0) {
+#endif
D(("need a new password"));
*daysleft = 0;
return PAM_NEW_AUTHTOK_REQD;
@@ -255,10 +261,19 @@ PAMH_ARG_DECL(int check_shadow_expiry,
spent->sp_namp);
return PAM_SUCCESS;
}
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ if (((curdays - spent->sp_lstchg > spent->sp_max)
+ && (curdays - spent->sp_lstchg > spent->sp_inact)
+ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
+ && (spent->sp_max != -1) && (spent->sp_inact != -1))
+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
+#else
if ((curdays - spent->sp_lstchg > spent->sp_max)
&& (curdays - spent->sp_lstchg > spent->sp_inact)
&& (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
&& (spent->sp_max != -1) && (spent->sp_inact != -1)) {
+#endif
*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
D(("authtok expired"));
return PAM_AUTHTOK_EXPIRED;

View File

@ -50,6 +50,8 @@ Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
Patch37: pam-1.3.1-unix-bcrypt_b.patch Patch37: pam-1.3.1-unix-bcrypt_b.patch
# https://github.com/linux-pam/linux-pam/commit/dce80b3f11b3c3aa137d18f22699809094dd64b6 # https://github.com/linux-pam/linux-pam/commit/dce80b3f11b3c3aa137d18f22699809094dd64b6
Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch
# https://github.com/linux-pam/linux-pam/commit/4da9febc39b955892a30686e8396785b96bb8ba5
Patch39: pam-1.3.1-unix-crypt_checksalt.patch
%global _pamlibdir %{_libdir} %global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security %global _moduledir %{_libdir}/security
@ -136,6 +138,7 @@ cp %{SOURCE18} .
%patch36 -p1 -b .remove-prototype %patch36 -p1 -b .remove-prototype
%patch37 -p1 -b .bcrypt_b %patch37 -p1 -b .bcrypt_b
%patch38 -p1 -b .gensalt-autoentropy %patch38 -p1 -b .gensalt-autoentropy
%patch39 -p1 -b .crypt_checksalt
autoreconf -i autoreconf -i
@ -382,6 +385,7 @@ done
- Backport upstream commit removing an obsolete prototype - Backport upstream commit removing an obsolete prototype
- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish - Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
- Backport upstream commit preferring gensalt with autoentropy - Backport upstream commit preferring gensalt with autoentropy
- Backport upstream commit using crypt_checksalt for password aging
* Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8 * Fri Nov 16 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-8
- Use %%ldconfig_scriptlets - Use %%ldconfig_scriptlets