rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Backport upstream commit reporting disabled or invalid hashes to syslog

Browse Source
This commit is contained in:
Björn Esser 2018-12-02 20:09:02 +01:00
parent 8bab4e7fac
commit f3b728d2c9
No known key found for this signature in database
GPG Key ID: F52E98007594C21D
2 changed files with 80 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
pam-1.3.1-unix-checksalt_syslog.patch Normal file
View File

@ -0,0 +1,73 @@
From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Mon, 26 Nov 2018 22:33:17 +0100
Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to
syslog.
libxcrypt can be build-time configured to support (or not support)
various hashing methods. Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.
For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.
Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.
* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.
---
modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index eb2444bb..2c808eb5 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
* Ok, we don't know the crypt algorithm, but maybe
* libcrypt knows about it? We should try it.
*/
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ /* Get the status of the hash from checksalt */
+ int retval_checksalt = crypt_checksalt(hash);
+
+ /*
+ * Check for hashing methods that are disabled by
+ * libcrypt configuration and/or system preset.
+ */
+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
+ /*
+ * pam_syslog() needs a pam handle,
+ * but that's not available here.
+ */
+ helper_log_err(LOG_ERR,
+ "pam_unix(verify_pwd_hash): The method "
+ "for computing the hash \"%.6s\" has been "
+ "disabled in libcrypt by the preset from "
+ "the system's vendor and/or administrator.",
+ hash);
+ }
+ /*
+ * Check for malformed hashes, like descrypt hashes
+ * starting with "$2...", which might have been
+ * generated by unsafe base64 encoding functions
+ * as used in glibc <= 2.16.
+ * Such hashes are likely to be rejected by many
+ * recent implementations of libcrypt.
+ */
+ if (retval_checksalt == CRYPT_SALT_INVALID) {
+ helper_log_err(LOG_ERR,
+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
+ "does not use a method known by the version "
+ "of libcrypt this system is supplied with.",
+ hash);
+ }
+#endif
#ifdef HAVE_CRYPT_R
struct crypt_data *cdata;
cdata = malloc(sizeof(*cdata));

8
pam.spec
View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.3.1
Release: 12%{?dist}
Release: 13%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -57,6 +57,8 @@ Patch41: pam-1.3.1-unix-no-fallback.patch
# https://github.com/linux-pam/linux-pam/commit/f9c9c72121eada731e010ab3620762bcf63db08f
# https://github.com/linux-pam/linux-pam/commit/8eaf5570cf011148a0b55c53570df5edaafebdb0
Patch42: pam-1.3.1-motd-multiple-paths.patch
# https://github.com/linux-pam/linux-pam/commit/86eed7ca01864b9fd17099e57f10f2b9b6b568a1
Patch43: pam-1.3.1-unix-checksalt_syslog.patch
%global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security
@ -146,6 +148,7 @@ cp %{SOURCE18} .
%patch40 -p1 -b .yescrypt
%patch41 -p1 -b .no-fallback
%patch42 -p1 -b .multiple-paths
%patch43 -p1 -b .checksalt_syslog
autoreconf -i
@ -388,6 +391,9 @@ done
%doc doc/specs/rfc86.0.txt
%changelog
* Sun Dec 02 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-13
- Backport upstream commit reporting disabled or invalid hashes to syslog
* Wed Nov 28 2018 Robert Fairley <rfairley@redhat.com> 1.3.1-12
- Backport upstream commit pam_motd: Support multiple motd paths specified, with filename overrides (#69)
- Backport upstream commit pam_motd: Fix segmentation fault when no motd_dir specified (#76)