- support for sha256 and sha512 password hashes

- account expiry checks moved to unix_chkpwd helper

pam-0.99.7.1-unix-hpux-aging.patch

@@ -1,77 +0,0 @@
-o For non-extensible-style hashes, strip off anything after the 13th character
-  which would not be valid as part of a hash.  On HP/UX, this clips off a comma
-  followed by encoded aging information.
-
-  The real problem is a complete lack of any standard for storing password
-  aging information (actually, for anything having to do with password aging)
-  for users across operating systems, but there's nothing we can do about that
-  here.
-
---- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.unix-hpux-aging	2007-06-01 15:21:08.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c	2007-06-01 15:24:32.000000000 +0200
-@@ -573,6 +573,21 @@
-     return retval;
- }
- 
-+static void strip_hpux_aging(char *p)
-+{
-+	const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-+			    "abcdefghijklmnopqrstuvwxyz"
-+			    "0123456789./";
-+	if ((*p != '$') && (strlen(p) > 13)) {
-+		for (p += 13; *p != '\0'; p++) {
-+			if (strchr(valid, *p) == NULL) {
-+				*p = '\0';
-+				break;
-+			}
-+		}
-+	}
-+}
-+
- int _unix_verify_password(pam_handle_t * pamh, const char *name
- 			  ,const char *p, unsigned int ctrl)
- {
-@@ -679,7 +694,9 @@
- 			}
- 		}
- 	} else {
--	    size_t salt_len = strlen(salt);
-+	    size_t salt_len;
-+	    strip_hpux_aging(salt);
-+	    salt_len = strlen(salt);
- 	    if (!salt_len) {
- 		/* the stored password is NULL */
- 		if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
---- Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c.unix-hpux-aging	2007-06-01 15:21:08.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c	2007-06-01 15:26:26.000000000 +0200
-@@ -146,6 +146,22 @@
- 	return i;
- }
- 
-+static void
-+strip_hpux_aging(char *p)
-+{
-+	const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-+			    "abcdefghijklmnopqrstuvwxyz"
-+			    "0123456789./";
-+	if ((*p != '$') && (strlen(p) > 13)) {
-+		for (p += 13; *p != '\0'; p++) {
-+			if (strchr(valid, *p) == NULL) {
-+				*p = '\0';
-+				break;
-+			}
-+		}
-+	}
-+}
-+
- int
- _unix_verify_password(const char *name, const char *p, int nullok)
- {
-@@ -194,6 +210,7 @@
- 		return PAM_USER_UNKNOWN;
- 	}
- 
-+	strip_hpux_aging(salt);
- 	salt_len = strlen(salt);
- 	if (salt_len == 0) {
- 		return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;

pam-0.99.8.1-unix-blankpass.patch

@@ -1,64 +0,0 @@
-diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
---- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass	2007-09-18 13:50:40.000000000 +0200
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c	2007-09-18 13:50:40.000000000 +0200
-@@ -50,7 +50,7 @@ int main(int argc, char *argv[])
- 	char pass[MAXPASS + 1];
- 	char *option;
- 	int npass, nullok;
--	int force_failure = 0;
-+	int blankpass = 0;
- 	int retval = PAM_AUTH_ERR;
- 	char *user;
- 	char *passwords[] = { pass };
-@@ -115,6 +115,10 @@ int main(int argc, char *argv[])
- 	if (npass != 1) {	/* is it a valid password? */
- 		_log_err(LOG_DEBUG, "no valid password supplied");
- 	}
-+	
-+	if (*pass == '\0') {
-+		blankpass = 1;
-+	}
- 
- 	retval = _unix_verify_password(user, pass, nullok);
- 
-@@ -122,8 +126,11 @@ int main(int argc, char *argv[])
- 
- 	/* return pass or fail */
- 
--	if ((retval != PAM_SUCCESS) || force_failure) {
--	    _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
-+	if (retval != PAM_SUCCESS) {
-+	    /* don't log if it is a test for blank password */
-+	    if (!blankpass) {
-+		_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
-+	    }
- 	    return PAM_AUTH_ERR;
- 	} else {
- 	    return PAM_SUCCESS;
-diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
---- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass	2007-09-18 13:50:40.000000000 +0200
-+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c	2007-09-18 17:56:57.000000000 +0200
-@@ -38,6 +38,9 @@
- 
- const char app_name[]="pam_unix";
- 
-+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
-+				   unsigned int ctrl, const char *user);
-+
- /* this is a front-end for module-application conversations */
- 
- int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
-@@ -442,6 +445,13 @@ _unix_blankpasswd (pam_handle_t *pamh, u
- 			 * ...and shadow password file entry for this user,
- 			 * if shadowing is enabled
- 			 */
-+			if (geteuid() || SELINUX_ENABLED) {
-+				/* We do not have direct access to shadow. Run helper. */
-+				D(("running helper binary"));
-+				if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
-+					return 1;
-+				return 0;
-+			}
- 			spwdent = pam_modutil_getspnam(pamh, name);
- 		}
- 		if (spwdent)

pam-0.99.8.1-unix-hpux-aging.patch

@@ -0,0 +1,50 @@
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h.unix-hpux-aging Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h
+--- Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h.unix-hpux-aging	2008-01-08 14:43:36.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h	2008-01-08 15:49:43.000000000 +0100
+@@ -13,7 +13,7 @@
+ #define OLD_PASSWORDS_FILE      "/etc/security/opasswd"
+ 
+ int
+-verify_pwd_hash(const char *p, const char *hash, unsigned int nullok);
++verify_pwd_hash(const char *p, char *hash, unsigned int nullok);
+ 
+ int
+ is_pwd_shadowed(const struct passwd *pwd);
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c.unix-hpux-aging Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c
+--- Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c.unix-hpux-aging	2008-01-08 14:43:36.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c	2008-01-08 15:49:02.000000000 +0100
+@@ -44,14 +44,32 @@
+ # include "./lckpwdf.-c"
+ #endif
+ 
++static void
++strip_hpux_aging(char *p)
++{
++	const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++			    "abcdefghijklmnopqrstuvwxyz"
++			    "0123456789./";
++	if ((*p != '$') && (strlen(p) > 13)) {
++		for (p += 13; *p != '\0'; p++) {
++			if (strchr(valid, *p) == NULL) {
++				*p = '\0';
++				break;
++			}
++		}
++	}
++}
++
+ int
+-verify_pwd_hash(const char *p, const char *hash, unsigned int nullok)
++verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
+ {
+-	size_t hash_len = strlen(hash);
++	size_t hash_len;
+ 	char *pp = NULL;
+ 	int retval;
+ 	D(("called"));
+ 
++	strip_hpux_aging(hash);
++	hash_len = strlen(hash);
+ 	if (!hash_len) {
+ 		/* the stored password is NULL */
+ 		if (nullok) { /* this means we've succeeded */

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -32,8 +32,7 @@ Patch2:  db-4.6.18-glibc.patch
 Patch4:  pam-0.99.8.1-dbpam.patch
 Patch5:  pam-0.99.8.1-audit-no-log.patch
 Patch24: pam-0.99.8.1-unix-update-helper.patch
-Patch25: pam-0.99.7.1-unix-hpux-aging.patch
+Patch25: pam-0.99.8.1-unix-hpux-aging.patch
-Patch26: pam-0.99.8.1-unix-blankpass.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
 Patch40: pam-0.99.7.1-namespace-temp-logon.patch
@@ -107,7 +106,7 @@ popd
 %patch5 -p1 -b .no-log
 %patch24 -p1 -b .update-helper
 %patch25 -p1 -b .unix-hpux-aging
-%patch26 -p1 -b .blankpass
+#%patch26 -p1 -b .blankpass
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
 %patch40 -p1 -b .temp-logon
@@ -414,6 +413,10 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Jan  8 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-14
+- support for sha256 and sha512 password hashes
+- account expiry checks moved to unix_chkpwd helper
+
 * Wed Jan  2 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-13
 - wildcard match support in pam_tty_audit (by Miloslav Trmač)