74 lines
2.8 KiB
Diff
74 lines
2.8 KiB
Diff
From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
|
|
Date: Mon, 26 Nov 2018 22:33:17 +0100
|
|
Subject: [PATCH] pam_unix: Report unusable hashes found by checksalt to
|
|
syslog.
|
|
|
|
libxcrypt can be build-time configured to support (or not support)
|
|
various hashing methods. Future versions will also have support for
|
|
runtime configuration by the system's vendor and/or administrator.
|
|
|
|
For that reason adminstrator should be notified by pam if users cannot
|
|
log into their account anymore because of such a change in the system's
|
|
configuration of libxcrypt.
|
|
|
|
Also check for malformed hashes, like descrypt hashes starting with
|
|
"$2...", which might have been generated by unsafe base64 encoding
|
|
functions as used in glibc <= 2.16.
|
|
Such hashes are likely to be rejected by many recent implementations
|
|
of libcrypt.
|
|
|
|
* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
|
|
hashes found by checksalt to syslog.
|
|
---
|
|
modules/pam_unix/passverify.c | 36 +++++++++++++++++++++++++++++++++++
|
|
1 file changed, 36 insertions(+)
|
|
|
|
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
index eb2444bb..2c808eb5 100644
|
|
--- a/modules/pam_unix/passverify.c
|
|
+++ b/modules/pam_unix/passverify.c
|
|
@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
|
|
* Ok, we don't know the crypt algorithm, but maybe
|
|
* libcrypt knows about it? We should try it.
|
|
*/
|
|
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
|
|
+ /* Get the status of the hash from checksalt */
|
|
+ int retval_checksalt = crypt_checksalt(hash);
|
|
+
|
|
+ /*
|
|
+ * Check for hashing methods that are disabled by
|
|
+ * libcrypt configuration and/or system preset.
|
|
+ */
|
|
+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
|
|
+ /*
|
|
+ * pam_syslog() needs a pam handle,
|
|
+ * but that's not available here.
|
|
+ */
|
|
+ helper_log_err(LOG_ERR,
|
|
+ "pam_unix(verify_pwd_hash): The method "
|
|
+ "for computing the hash \"%.6s\" has been "
|
|
+ "disabled in libcrypt by the preset from "
|
|
+ "the system's vendor and/or administrator.",
|
|
+ hash);
|
|
+ }
|
|
+ /*
|
|
+ * Check for malformed hashes, like descrypt hashes
|
|
+ * starting with "$2...", which might have been
|
|
+ * generated by unsafe base64 encoding functions
|
|
+ * as used in glibc <= 2.16.
|
|
+ * Such hashes are likely to be rejected by many
|
|
+ * recent implementations of libcrypt.
|
|
+ */
|
|
+ if (retval_checksalt == CRYPT_SALT_INVALID) {
|
|
+ helper_log_err(LOG_ERR,
|
|
+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
|
|
+ "does not use a method known by the version "
|
|
+ "of libcrypt this system is supplied with.",
|
|
+ hash);
|
|
+ }
|
|
+#endif
|
|
#ifdef HAVE_CRYPT_R
|
|
struct crypt_data *cdata;
|
|
cdata = malloc(sizeof(*cdata));
|