3b25774300
Resolves: #1965345, #1967150
From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Thu, 10 Jun 2021 14:00:00 +0000
Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
password expiration
According to Zack Weinberg, the intended meaning of
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
method", it is not supposed to mean "force a password change on next
login for any user with an existing stored hash using this method".
This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
* modules/pam_unix/passverify.c (check_shadow_expiry)
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
Closes: https://github.com/linux-pam/linux-pam/issues/367
---
modules/pam_unix/passverify.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index f6132f80..5a19ed85 100644
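--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 D(("account expired"));
 return PAM_ACCT_EXPIRED;
 }
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
- if (spent->sp_lstchg == 0 ||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
-#else
 if (spent->sp_lstchg == 0) {
-#endif
 D(("need a new password"));
 *daysleft = 0;
 return PAM_NEW_AUTHTOK_REQD;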