|
 |
6eff681 |
From f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 Mon Sep 17 00:00:00 2001
|
|
|
6eff681 |
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
|
|
|
6eff681 |
Date: Thu, 15 Nov 2018 15:01:57 +0100
|
|
|
6eff681 |
Subject: [PATCH] pam_unix: Use bcrypt b-variant for computing new hashes.
|
|
|
6eff681 |
|
|
|
6eff681 |
Bcrypt hashes used the "$2a$" prefix since 1997.
|
|
|
6eff681 |
However, in 2011 an implementation bug was discovered in bcrypt
|
|
|
6eff681 |
affecting the handling of characters in passphrases with the 8th
|
|
|
6eff681 |
bit set.
|
|
|
6eff681 |
|
|
|
6eff681 |
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
|
|
|
6eff681 |
for a behavior that exactly matches crypt_blowfish's "$2y$", and
|
|
|
6eff681 |
the crypt_blowfish implementation supports it as well since v1.1.
|
|
|
6eff681 |
|
|
|
6eff681 |
That said new computed bcrypt hashes should use the "$2b$" prefix.
|
|
|
6eff681 |
|
|
|
6eff681 |
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
|
|
|
6eff681 |
---
|
|
|
6eff681 |
modules/pam_unix/passverify.c | 2 +-
|
|
|
6eff681 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
6eff681 |
|
|
|
6eff681 |
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
|
6eff681 |
index 9c1771e2..1f433b3a 100644
|
|
|
6eff681 |
--- a/modules/pam_unix/passverify.c
|
|
|
6eff681 |
+++ b/modules/pam_unix/passverify.c
|
|
|
6eff681 |
@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
|
|
|
6eff681 |
/* algoid = "$1" */
|
|
|
6eff681 |
return crypt_md5_wrapper(password);
|
|
|
6eff681 |
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
|
|
|
6eff681 |
- algoid = "$2a$";
|
|
|
6eff681 |
+ algoid = "$2b$";
|
|
|
6eff681 |
} else if (on(UNIX_SHA256_PASS, ctrl)) {
|
|
|
6eff681 |
algoid = "$5$";
|
|
|
6eff681 |
} else if (on(UNIX_SHA512_PASS, ctrl)) {
|