diff options
| author | Iker Pedrosa <ipedrosa@redhat.com> | 2021-03-25 09:43:30 +0100 |
|---|---|---|
| committer | Tomáš Mráz <tm@t8m.info> | 2021-06-14 09:02:16 +0200 |
| commit | b3bb13e18a74e9ece825b7de1b81db97ebb107a0 (patch) | |
| tree | b7f5f2da9310169c210ab204ff2c72d815d6fe6f /modules/pam_timestamp/pam_timestamp.8.xml | |
| parent | f668b437910af0e1472e9bbfa78897df52f57a78 (diff) | |
pam_timestamp: replace hmac implementation
sha1 is no longer recommended as a cryptographic algorithm for
authentication. Thus, the idea of this change is to replace the
implementation provided by hmacsha1 included in pam_timestamp module by
the one in the openssl library. This way, there's no need to maintain
the cryptographic algorithm implementation and it can be easily changed
with a single configuration change.
modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper
functions around openssl's hmac implementation. Moreover, manage the key
generation and its read and write in a file. Include an option to
configure the cryptographic algorithm in login.defs file.
modules/pam_timestamp/hmac_openssl_wrapper.h: likewise.
modules/pam_timestamp/pam_timestamp.c: replace calls to functions
provided by hmacsha1 by functions provided by openssl's wrapper.
configure.ac: include openssl dependecy if it is enabled.
modules/pam_timestamp/Makefile.am: include new files and openssl library
to compilation.
ci/install-dependencies.sh: include openssl library to dependencies.
NEWS: add new item to next release.
Make.xml.rules.in: add stringparam profiling for hmac
doc/custom-man.xsl: change import docbook to one with profiling
modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to
indicate the value in /etc/login.defs that holds the value for the
encryption algorithm
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294
Diffstat (limited to 'modules/pam_timestamp/pam_timestamp.8.xml')
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp.8.xml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml index e19a0bcf..83e5aea8 100644 --- a/modules/pam_timestamp/pam_timestamp.8.xml +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -50,6 +50,11 @@ for the user. When an application attempts to authenticate the user, a <emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp file as grounds for succeeding. </para> + <para condition="openssl_hmac"> + The default encryption hash is taken from the + <emphasis remap='B'>HMAC_CRYPTO_ALGO</emphasis> variable from + <emphasis>/etc/login.defs</emphasis>. + </para> </refsect1> <refsect1 id="pam_timestamp-options"> |