From f3b728d2c90550e81c24be280b2d8c063358ae39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Sun, 2 Dec 2018 20:09:02 +0100
Subject: [PATCH] Backport upstream commit reporting disabled or invalid hashes to syslog
---
pam-1.3.1-unix-checksalt_syslog.patch | 73 +++++++++++++++++++++++++++
pam.spec | 8 ++-
2 files changed, 80 insertions(+), 1 deletion(-)
create mode 100644 pam-1.3.1-unix-checksalt_syslog.patch
diff --git a/pam-1.3.1-unix-checksalt_syslog.patch b/pam-1.3.1-unix-checksalt_syslog.patch
new file mode 100644
index 0000000..5cbc35b
--- /dev/null
+++ b/pam-1.3.1-unix-checksalt_syslog.patch
@@ -0,0 +1,73 @@
+From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
+Date: Mon, 26 Nov 2018 22:33:17 +0100
+Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to
+ syslog.
+
+libxcrypt can be build-time configured to support (or not support)
+various hashing methods. Future versions will also have support for
+runtime configuration by the system's vendor and/or administrator.
+
+For that reason adminstrator should be notified by pam if users cannot
+log into their account anymore because of such a change in the system's
+configuration of libxcrypt.
+
+Also check for malformed hashes, like descrypt hashes starting with
+"$2...", which might have been generated by unsafe base64 encoding
+functions as used in glibc <= 2.16.
+Such hashes are likely to be rejected by many recent implementations
+of libcrypt.
+
+* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
+hashes found by checksalt to syslog.
+---
+ modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index eb2444bb..2c808eb5 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
+ * Ok, we don't know the crypt algorithm, but maybe
+ * libcrypt knows about it? We should try it.
+ */
++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
++ /* Get the status of the hash from checksalt */
++ int retval_checksalt = crypt_checksalt(hash);
++
++ /*
++ * Check for hashing methods that are disabled by
++ * libcrypt configuration and/or system preset.
++ */
++ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
++ /*
++ * pam_syslog() needs a pam handle,
++ * but that's not available here.
++ */
++ helper_log_err(LOG_ERR,
++ "pam_unix(verify_pwd_hash): The method "
++ "for computing the hash \"%.6s\" has been "
++ "disabled in libcrypt by the preset from "
++ "the system's vendor and/or administrator.",
++ hash);
++ }
++ /*
++ * Check for malformed hashes, like descrypt hashes
++ * starting with "$2...", which might have been
++ * generated by unsafe base64 encoding functions
++ * as used in glibc <= 2.16.
++ * Such hashes are likely to be rejected by many
++ * recent implementations of libcrypt.
++ */
++ if (retval_checksalt == CRYPT_SALT_INVALID) {
++ helper_log_err(LOG_ERR,
++ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
++ "does not use a method known by the version "
++ "of libcrypt this system is supplied with.",
++ hash);
++ }
++#endif
+ #ifdef HAVE_CRYPT_R
+ struct crypt_data *cdata;
+ cdata = malloc(sizeof(*cdata));
diff --git a/pam.spec b/pam.spec
index 50e7e18..022b2f6 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.1 -Release: 12%{?dist} +Release: 13%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -57,6 +57,8 @@ Patch41: pam-1.3.1-unix-no-fallback.patch # https://github.com/linux-pam/linux-pam/commit/f9c9c72121eada731e010ab3620762bcf63db08f # https://github.com/linux-pam/linux-pam/commit/8eaf5570cf011148a0b55c53570df5edaafebdb0 Patch42: pam-1.3.1-motd-multiple-paths.patch +# https://github.com/linux-pam/linux-pam/commit/86eed7ca01864b9fd17099e57f10f2b9b6b568a1 +Patch43: pam-1.3.1-unix-checksalt_syslog.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security
@@ -146,6 +148,7 @@ cp %{SOURCE18} . %patch40 -p1 -b .yescrypt %patch41 -p1 -b .no-fallback %patch42 -p1 -b .multiple-paths +%patch43 -p1 -b .checksalt_syslog autoreconf -i
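Review bot: In the passverify.c hunk carried by pam-1.3.1-unix-checksalt_syslog.patch, both new `helper_log_err()` calls write the first six bytes of the stored hash to syslog through `%.6s`, and in the `CRYPT_SALT_INVALID` branch those bytes are by definition not a recognised method prefix. For the malformed descrypt-style hashes the new comment describes they would be salt and digest characters, and syslog is usually readable by, and forwarded to, more parties than the shadow file, so I would log the prefix only up to the second `$` when the hash starts with `$` and no hash bytes otherwise. The second message also lacks a space between the quoted prefix and the next word; its first literal should read `"pam_unix(verify_pwd_hash): The hash \"%.6s\" "`. Neither message names the affected account, presumably because `verify_pwd_hash()` receives no user name, so a comment saying that the caller is expected to log the user would help whoever triages these entries. The body of `verify_pwd_hash()` starts and ends outside the hunk.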
@@ -388,6 +391,9 @@ done %doc doc/specs/rfc86.0.txt %changelog +* Sun Dec 02 2018 Björn Esser - 1.3.1-13 +- Backport upstream commit reporting disabled or invalid hashes to syslog + * Wed Nov 28 2018 Robert Fairley 1.3.1-12 - Backport upstream commit pam_motd: Support multiple motd paths specified, with filename overrides (#69) - Backport upstream commit pam_motd: Fix segmentation fault when no motd_dir specified (#76)