summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTomas Mraz <tmraz@fedoraproject.org>2018-11-27 11:54:23 +0100
committerTomas Mraz <tmraz@fedoraproject.org>2018-11-27 11:54:23 +0100
commit396ef3a1c93457fe66391627eb996b920be94fb2 (patch)
tree77183b6e21b2d96e9b845dc415f6f9c0b9a5ec3d
parentad435b386b22b456724dc5c5b8d9f2d1beffc558 (diff)
Revert "pam_unix: Add crypt_default method, if supported."
This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
-rw-r--r--modules/pam_unix/pam_unix.8.xml20
-rw-r--r--modules/pam_unix/passverify.c9
-rw-r--r--modules/pam_unix/support.h22
3 files changed, 10 insertions, 41 deletions
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 82e0c9af..cae2aeaa 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -363,23 +363,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>crypt_default</option>
- </term>
- <listitem>
- <para>
- When a user changes their password next,
- encrypt it with the default algorithm and the default
- amount of rounds provided by the system configuration
- of libcrypt. If this default algorithm is not known to
- the <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function,
- fall back to MD5.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>rounds=<replaceable>n</replaceable></option>
</term>
<listitem>
@@ -388,9 +371,6 @@
blowfish, gost-yescrypt, and yescrypt password hashing
algorithms to
<replaceable>n</replaceable>.
- This option will be ignored when the crypt_default option
- is used, as the default algorithm always uses the value
- from the system configuration of libcrypt.
</para>
</listitem>
</varlistentry>
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 0a4c67b4..eb2444bb 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -395,14 +395,6 @@ PAMH_ARG_DECL(char * create_password_hash,
if (on(UNIX_MD5_PASS, ctrl)) {
/* algoid = "$1" */
return crypt_md5_wrapper(password);
-#if (defined(CRYPT_PREFERRED_METHOD_AVAILABLE) && CRYPT_PREFERRED_METHOD_AVAILABLE)
- } else if (on(UNIX_CRYPT_DEFAULT_PASS, ctrl)
- && crypt_preferred_method() != NULL) {
- algoid = crypt_preferred_method();
- rounds = 0; /* always use the system preset */
-#endif
- } else if (on(UNIX_CRYPT_DEFAULT_PASS, ctrl)) {
- algoid = "*0"; /* never ever a valid method */
} else if (on(UNIX_YESCRYPT_PASS, ctrl)) {
algoid = "$y$";
} else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) {
@@ -469,7 +461,6 @@ PAMH_ARG_DECL(char * create_password_hash,
pam_syslog(pamh, LOG_ERR,
"Algo %s not supported by the crypto backend, "
"falling back to MD5\n",
- on(UNIX_CRYPT_DEFAULT_PASS, ctrl) ? "crypt_default \"" algoid "\"" :
on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" :
on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" :
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 60a5872d..e02c05e0 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -100,11 +100,10 @@ typedef struct {
#define UNIX_DES 30 /* DES, default */
#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
-#define UNIX_CRYPT_DEFAULT_PASS 33 /* new password hashes will use the libcrypt default */
/* -------------- */
-#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 33 /* number of ctrl arguments defined */
-#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl)&&off(UNIX_CRYPT_DEFAULT_PASS,ctrl))
+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
{
@@ -124,27 +123,26 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(035660420000ULL), 020000, 1},
+/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
-/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(035660420000ULL), 0400000, 1},
+/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
-/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(035660420000ULL), 020000000, 1},
-/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(035660420000ULL), 040000000, 1},
+/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
-/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(035660420000ULL), 0200000000, 1},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
-/* UNIX_DES */ {"des", _ALL_ON_^(035660420000ULL), 0, 1},
-/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(035660420000ULL), 04000000000, 1},
-/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(035660420000ULL), 010000000000, 1},
-/* UNIX_CRYPT_DEFAULT_PASS */ {"crypt_default", _ALL_ON_^(035660420000ULL), 020000000000, 1},
+/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
+/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
+/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)