rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport upstream commit fixing syslog for disabled or invalid hashes

Browse Source
This commit is contained in:
Björn Esser 2018-12-02 20:11:52 +01:00
parent f3b728d2c9
commit 94c0a4fee4
No known key found for this signature in database
GPG Key ID: F52E98007594C21D
2 changed files with 108 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
pam-1.3.1-unix-fix_checksalt_syslog.patch Normal file
View File

@ -0,0 +1,104 @@
From d8d11db2cef65da5d2afa7acf21aa9c8cd88abed Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 27 Nov 2018 16:11:03 +0100
Subject: [PATCH] pam_unix: Use pam_syslog instead of helper_log_err.
* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
to verify_pwd_hash() call.
---
modules/pam_unix/passverify.c | 24 +++++++++++++-----------
modules/pam_unix/passverify.h | 6 +++---
modules/pam_unix/support.c | 2 +-
3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 2c808eb5..80e32767 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -65,8 +65,8 @@ strip_hpux_aging(char *hash)
}
}
-int
-verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
+PAMH_ARG_DECL(int verify_pwd_hash,
+ const char *p, char *hash, unsigned int nullok)
{
size_t hash_len;
char *pp = NULL;
@@ -116,11 +116,10 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
* pam_syslog() needs a pam handle,
* but that's not available here.
*/
- helper_log_err(LOG_ERR,
- "pam_unix(verify_pwd_hash): The method "
- "for computing the hash \"%.6s\" has been "
- "disabled in libcrypt by the preset from "
- "the system's vendor and/or administrator.",
+ pam_syslog(pamh, LOG_ERR,
+ "The support for password hash \"%.6s\" "
+ "has been disabled in libcrypt "
+ "configuration.",
hash);
}
/*
@@ -132,12 +131,15 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
* recent implementations of libcrypt.
*/
if (retval_checksalt == CRYPT_SALT_INVALID) {
- helper_log_err(LOG_ERR,
- "pam_unix(verify_pwd_hash): The hash \"%.6s\""
- "does not use a method known by the version "
- "of libcrypt this system is supplied with.",
+ pam_syslog(pamh, LOG_ERR,
+ "The password hash \"%.6s\" is unknown to "
+ "libcrypt.",
hash);
}
+#else
+#ifndef HELPER_COMPILE
+ (void)pamh;
+#endif
#endif
#ifdef HAVE_CRYPT_R
struct crypt_data *cdata;
diff --git a/modules/pam_unix/passverify.h b/modules/pam_unix/passverify.h
index 086c28ac..e9a88fbf 100644
--- a/modules/pam_unix/passverify.h
+++ b/modules/pam_unix/passverify.h
@@ -12,9 +12,6 @@
#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
-int
-verify_pwd_hash(const char *p, char *hash, unsigned int nullok);
-
int
is_pwd_shadowed(const struct passwd *pwd);
@@ -65,6 +62,9 @@ read_passwords(int fd, int npass, char **passwords);
#define PAMH_ARG(...) pamh, __VA_ARGS__
#endif
+PAMH_ARG_DECL(int verify_pwd_hash,
+ const char *p, char *hash, unsigned int nullok);
+
PAMH_ARG_DECL(char * create_password_hash,
const char *password, unsigned long long ctrl, int rounds);
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 6894288d..ea5594d2 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -770,7 +770,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
}
}
} else {
- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
+ retval = verify_pwd_hash(pamh, p, salt, off(UNIX__NONULL, ctrl));
}
if (retval == PAM_SUCCESS) {

4
pam.spec
View File

@ -59,6 +59,8 @@ Patch41: pam-1.3.1-unix-no-fallback.patch
Patch42: pam-1.3.1-motd-multiple-paths.patch Patch42: pam-1.3.1-motd-multiple-paths.patch
# https://github.com/linux-pam/linux-pam/commit/86eed7ca01864b9fd17099e57f10f2b9b6b568a1 # https://github.com/linux-pam/linux-pam/commit/86eed7ca01864b9fd17099e57f10f2b9b6b568a1
Patch43: pam-1.3.1-unix-checksalt_syslog.patch Patch43: pam-1.3.1-unix-checksalt_syslog.patch
# https://github.com/linux-pam/linux-pam/commit/d8d11db2cef65da5d2afa7acf21aa9c8cd88abed
Patch44: pam-1.3.1-unix-fix_checksalt_syslog.patch
%global _pamlibdir %{_libdir} %global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security %global _moduledir %{_libdir}/security
@ -149,6 +151,7 @@ cp %{SOURCE18} .
%patch41 -p1 -b .no-fallback %patch41 -p1 -b .no-fallback
%patch42 -p1 -b .multiple-paths %patch42 -p1 -b .multiple-paths
%patch43 -p1 -b .checksalt_syslog %patch43 -p1 -b .checksalt_syslog
%patch44 -p1 -b .fix_checksalt_syslog
autoreconf -i autoreconf -i
@ -393,6 +396,7 @@ done
%changelog %changelog
* Sun Dec 02 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-13 * Sun Dec 02 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-13
- Backport upstream commit reporting disabled or invalid hashes to syslog - Backport upstream commit reporting disabled or invalid hashes to syslog
- Backport upstream commit fixing syslog for disabled or invalid hashes
* Wed Nov 28 2018 Robert Fairley <rfairley@redhat.com> 1.3.1-12 * Wed Nov 28 2018 Robert Fairley <rfairley@redhat.com> 1.3.1-12
- Backport upstream commit pam_motd: Support multiple motd paths specified, with filename overrides (#69) - Backport upstream commit pam_motd: Support multiple motd paths specified, with filename overrides (#69)