rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- support for sha256 and sha512 password hashes

Browse Source 
- account expiry checks moved to unix_chkpwd helper
This commit is contained in:
Tomáš Mráz 2008-01-08 18:56:11 +00:00
parent b99939ffb4
commit c5d3ee3a3f
5 changed files with 2058 additions and 1031 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
pam-0.99.7.1-unix-hpux-aging.patch
View File

@ -1,77 +0,0 @@
o For non-extensible-style hashes, strip off anything after the 13th character
which would not be valid as part of a hash. On HP/UX, this clips off a comma
followed by encoded aging information.
The real problem is a complete lack of any standard for storing password
aging information (actually, for anything having to do with password aging)
for users across operating systems, but there's nothing we can do about that
here.
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:24:32.000000000 +0200
@@ -573,6 +573,21 @@
return retval;
}
+static void strip_hpux_aging(char *p)
+{
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789./";
+ if ((*p != '$') && (strlen(p) > 13)) {
+ for (p += 13; *p != '\0'; p++) {
+ if (strchr(valid, *p) == NULL) {
+ *p = '\0';
+ break;
+ }
+ }
+ }
+}
+
int _unix_verify_password(pam_handle_t * pamh, const char *name
,const char *p, unsigned int ctrl)
{
@@ -679,7 +694,9 @@
}
}
} else {
- size_t salt_len = strlen(salt);
+ size_t salt_len;
+ strip_hpux_aging(salt);
+ salt_len = strlen(salt);
if (!salt_len) {
/* the stored password is NULL */
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
--- Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:26:26.000000000 +0200
@@ -146,6 +146,22 @@
return i;
}
+static void
+strip_hpux_aging(char *p)
+{
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789./";
+ if ((*p != '$') && (strlen(p) > 13)) {
+ for (p += 13; *p != '\0'; p++) {
+ if (strchr(valid, *p) == NULL) {
+ *p = '\0';
+ break;
+ }
+ }
+ }
+}
+
int
_unix_verify_password(const char *name, const char *p, int nullok)
{
@@ -194,6 +210,7 @@
return PAM_USER_UNKNOWN;
}
+ strip_hpux_aging(salt);
salt_len = strlen(salt);
if (salt_len == 0) {
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;

64
pam-0.99.8.1-unix-blankpass.patch
View File

@ -1,64 +0,0 @@
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass 2007-09-18 13:50:40.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-09-18 13:50:40.000000000 +0200
@@ -50,7 +50,7 @@ int main(int argc, char *argv[])
char pass[MAXPASS + 1];
char *option;
int npass, nullok;
- int force_failure = 0;
+ int blankpass = 0;
int retval = PAM_AUTH_ERR;
char *user;
char *passwords[] = { pass };
@@ -115,6 +115,10 @@ int main(int argc, char *argv[])
if (npass != 1) { /* is it a valid password? */
_log_err(LOG_DEBUG, "no valid password supplied");
}
+
+ if (*pass == '\0') {
+ blankpass = 1;
+ }
retval = _unix_verify_password(user, pass, nullok);
@@ -122,8 +126,11 @@ int main(int argc, char *argv[])
/* return pass or fail */
- if ((retval != PAM_SUCCESS) || force_failure) {
- _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+ if (retval != PAM_SUCCESS) {
+ /* don't log if it is a test for blank password */
+ if (!blankpass) {
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+ }
return PAM_AUTH_ERR;
} else {
return PAM_SUCCESS;
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass 2007-09-18 13:50:40.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c 2007-09-18 17:56:57.000000000 +0200
@@ -38,6 +38,9 @@
const char app_name[]="pam_unix";
+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ unsigned int ctrl, const char *user);
+
/* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -442,6 +445,13 @@ _unix_blankpasswd (pam_handle_t *pamh, u
* ...and shadow password file entry for this user,
* if shadowing is enabled
*/
+ if (geteuid() || SELINUX_ENABLED) {
+ /* We do not have direct access to shadow. Run helper. */
+ D(("running helper binary"));
+ if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
+ return 1;
+ return 0;
+ }
spwdent = pam_modutil_getspnam(pamh, name);
}
if (spwdent)

50
pam-0.99.8.1-unix-hpux-aging.patch Normal file
View File

@ -0,0 +1,50 @@
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h.unix-hpux-aging Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h
--- Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h.unix-hpux-aging 2008-01-08 14:43:36.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h 2008-01-08 15:49:43.000000000 +0100
@@ -13,7 +13,7 @@
#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
int
-verify_pwd_hash(const char *p, const char *hash, unsigned int nullok);
+verify_pwd_hash(const char *p, char *hash, unsigned int nullok);
int
is_pwd_shadowed(const struct passwd *pwd);
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c.unix-hpux-aging Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c.unix-hpux-aging 2008-01-08 14:43:36.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c 2008-01-08 15:49:02.000000000 +0100
@@ -44,14 +44,32 @@
# include "./lckpwdf.-c"
#endif
+static void
+strip_hpux_aging(char *p)
+{
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789./";
+ if ((*p != '$') && (strlen(p) > 13)) {
+ for (p += 13; *p != '\0'; p++) {
+ if (strchr(valid, *p) == NULL) {
+ *p = '\0';
+ break;
+ }
+ }
+ }
+}
+
int
-verify_pwd_hash(const char *p, const char *hash, unsigned int nullok)
+verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
{
- size_t hash_len = strlen(hash);
+ size_t hash_len;
char *pp = NULL;
int retval;
D(("called"));
+ strip_hpux_aging(hash);
+ hash_len = strlen(hash);
if (!hash_len) {
/* the stored password is NULL */
if (nullok) { /* this means we've succeeded */

2621
pam-0.99.8.1-unix-update-helper.patch
View File

File diff suppressed because it is too large Load Diff

11
pam.spec
View File

@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.8.1
Release: 13%{?dist}
Release: 14%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising
@ -32,8 +32,7 @@ Patch2: db-4.6.18-glibc.patch
Patch4: pam-0.99.8.1-dbpam.patch
Patch5: pam-0.99.8.1-audit-no-log.patch
Patch24: pam-0.99.8.1-unix-update-helper.patch
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
Patch26: pam-0.99.8.1-unix-blankpass.patch
Patch25: pam-0.99.8.1-unix-hpux-aging.patch
Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch32: pam-0.99.3.0-tally-fail-close.patch
Patch40: pam-0.99.7.1-namespace-temp-logon.patch
@ -107,7 +106,7 @@ popd
%patch5 -p1 -b .no-log
%patch24 -p1 -b .update-helper
%patch25 -p1 -b .unix-hpux-aging
%patch26 -p1 -b .blankpass
#%patch26 -p1 -b .blankpass
%patch31 -p1 -b .try-first-pass
%patch32 -p1 -b .fail-close
%patch40 -p1 -b .temp-logon
@ -414,6 +413,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Wed Jan 8 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-14
- support for sha256 and sha512 password hashes
- account expiry checks moved to unix_chkpwd helper
* Wed Jan 2 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-13
- wildcard match support in pam_tty_audit (by Miloslav Trmač)