From 65c004f60444a39283e43fe8a58d1a142695a85a Mon Sep 17 00:00:00 2001
From: Björn Esser
Date: Nov 23 2018 09:17:17 +0000
Subject: Backport upstream commit using crypt_checksalt for password aging
---
diff --git a/pam-1.3.1-unix-crypt_checksalt.patch b/pam-1.3.1-unix-crypt_checksalt.patch
new file mode 100644
index 0000000..535cf37
--- /dev/null
+++ b/pam-1.3.1-unix-crypt_checksalt.patch
@@ -0,0 +1,60 @@
+From 62425bf2a0c72d0e23139d0b285547a7add26251 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
+Date: Thu, 15 Nov 2018 19:49:44 +0100
+Subject: [PATCH] pam_unix: Add support for crypt_checksalt, if libcrypt
+ supports it.
+
+libxcrypt v4.3 has added the crypt_checksalt function to whether
+the prefix at the begining of a given hash string refers to a
+supported hashing method.
+
+Future revisions of this function will add support to check whether
+the hashing method, the prefix refers to, was disabled or considered
+deprecated by the system's factory presets or system administrator.
+Furthermore it will be able to detect whether the parameters, which
+are used by the corresponding hashing method, being encoded in the
+hash string are not considered to be strong enough anymore.
+
+*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
+---
+ modules/pam_unix/passverify.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 1f433b3a..6132130a 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -244,7 +244,13 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ D(("account expired"));
+ return PAM_ACCT_EXPIRED;
+ }
++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
++ if (spent->sp_lstchg == 0 ||
++ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
++ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
++#else
+ if (spent->sp_lstchg == 0) {
++#endif
+ D(("need a new password"));
+ *daysleft = 0;
+ return PAM_NEW_AUTHTOK_REQD;
+@@ -255,10 +261,19 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ spent->sp_namp);
+ return PAM_SUCCESS;
+ }
++#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
++ if (((curdays - spent->sp_lstchg > spent->sp_max)
++ && (curdays - spent->sp_lstchg > spent->sp_inact)
++ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
++ && (spent->sp_max != -1) && (spent->sp_inact != -1))
++ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
++ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
++#else
+ if ((curdays - spent->sp_lstchg > spent->sp_max)
+ && (curdays - spent->sp_lstchg > spent->sp_inact)
+ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
+ && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
++#endif
+ *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
+ D(("authtok expired"));
+ return PAM_AUTHTOK_EXPIRED;
diff --git a/pam.spec b/pam.spec
index beeb8f5..0471891 100644
--- a/pam.spec
+++ b/pam.spec
@@ -50,6 +50,8 @@ Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
 Patch37: pam-1.3.1-unix-bcrypt_b.patch
 # https://github.com/linux-pam/linux-pam/commit/dce80b3f11b3c3aa137d18f22699809094dd64b6
 Patch38: pam-1.3.1-unix-gensalt-autoentropy.patch
+# https://github.com/linux-pam/linux-pam/commit/4da9febc39b955892a30686e8396785b96bb8ba5
+Patch39: pam-1.3.1-unix-crypt_checksalt.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -136,6 +138,7 @@ cp %{SOURCE18} .
 %patch36 -p1 -b .remove-prototype
 %patch37 -p1 -b .bcrypt_b
 %patch38 -p1 -b .gensalt-autoentropy
+%patch39 -p1 -b .crypt_checksalt
 
 autoreconf -i
 
@@ -382,6 +385,7 @@ done
 - Backport upstream commit removing an obsolete prototype
 - Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
 - Backport upstream commit preferring gensalt with autoentropy
+- Backport upstream commit using crypt_checksalt for password aging
 
 * Fri Nov 16 2018 Björn Esser - 1.3.1-8
 - Use %%ldconfig_scriptlets
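Review bot: The new `|| (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)` arm in the second block of the embedded patch (`@@ -255,10 +261,19 @@`) is fed whatever the shadow password field holds, and for locked (`!`- or `*`-prefixed) or empty entries that is not a crypt setting at all, so those accounts would presumably now be reported as PAM_AUTHTOK_EXPIRED even though nothing has aged — a behaviour change the backport does not mention, and one that matters for services that run only the account stack (key-based logins). On that same path `*daysleft` is still computed as `(spent->sp_lstchg + spent->sp_max) - curdays` although the `sp_max != -1` guard no longer has to hold, so the value can be meaningless; I cannot see from the hunk how callers consume it on this return, but 0, as the LEGACY/TOO_CHEAP branch already uses, is the safer value. `crypt_checksalt` is also evaluated up to four times per call where one local would do, which applies to the first block as well. check_shadow_expiry begins and ends outside the hunk. One shape for the second block, keeping the aging test itself untouched:
```c
#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
    /* Only ask libcrypt about fields that actually hold a hash: locked
     * ("!"/"*") and empty entries are not settings and must keep the
     * plain aging semantics below. */
    int salt_status = CRYPT_SALT_OK;
    if (spent->sp_pwdp != NULL && spent->sp_pwdp[0] != '\0'
	&& spent->sp_pwdp[0] != '!' && spent->sp_pwdp[0] != '*')
	salt_status = crypt_checksalt(spent->sp_pwdp);
    if (salt_status == CRYPT_SALT_METHOD_DISABLED
	|| salt_status == CRYPT_SALT_INVALID) {
	*daysleft = 0;	/* not an aging expiry; sp_max may be -1 here */
	D(("authtok hashing method disabled or unrecognised"));
	return PAM_AUTHTOK_EXPIRED;
    }
#endif
    /* … unchanged: the sp_max/sp_inact aging test and its PAM_AUTHTOK_EXPIRED return … */
```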
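Review bot: The `# https://github.com/linux-pam/linux-pam/commit/4da9febc39b955892a30686e8396785b96bb8ba5` comment added above `Patch39:` does not match the commit id recorded in the backported patch itself, whose first line is `From 62425bf2a0c72d0e23139d0b285547a7add26251`; the two may be the upstream merge and the author's original commit, but the spec should cite the id the patch was actually taken from so its provenance can be verified against upstream. The remaining spec hunks only apply the patch and log it in the changelog.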