summaryrefslogtreecommitdiff
path: root/modules/pam_unix
diff options
context:
space:
mode:
authorBjörn Esser <besser82@fedoraproject.org>2018-11-26 22:33:17 +0100
committerTomáš Mráz <t8m@users.noreply.github.com>2018-11-27 13:29:53 +0100
commit86eed7ca01864b9fd17099e57f10f2b9b6b568a1 (patch)
treeaa81e82644f48122d9e7d1ef4866c7e80dbfcf2d /modules/pam_unix
parent396ef3a1c93457fe66391627eb996b920be94fb2 (diff)
pam_unix: Report unusable hashes found by checksalt to syslog.
libxcrypt can be build-time configured to support (or not support) various hashing methods. Future versions will also have support for runtime configuration by the system's vendor and/or administrator. For that reason adminstrator should be notified by pam if users cannot log into their account anymore because of such a change in the system's configuration of libxcrypt. Also check for malformed hashes, like descrypt hashes starting with "$2...", which might have been generated by unsafe base64 encoding functions as used in glibc <= 2.16. Such hashes are likely to be rejected by many recent implementations of libcrypt. * modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable hashes found by checksalt to syslog.
Diffstat (limited to 'modules/pam_unix')
-rw-r--r--modules/pam_unix/passverify.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index eb2444bb..2c808eb5 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
* Ok, we don't know the crypt algorithm, but maybe
* libcrypt knows about it? We should try it.
*/
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ /* Get the status of the hash from checksalt */
+ int retval_checksalt = crypt_checksalt(hash);
+
+ /*
+ * Check for hashing methods that are disabled by
+ * libcrypt configuration and/or system preset.
+ */
+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
+ /*
+ * pam_syslog() needs a pam handle,
+ * but that's not available here.
+ */
+ helper_log_err(LOG_ERR,
+ "pam_unix(verify_pwd_hash): The method "
+ "for computing the hash \"%.6s\" has been "
+ "disabled in libcrypt by the preset from "
+ "the system's vendor and/or administrator.",
+ hash);
+ }
+ /*
+ * Check for malformed hashes, like descrypt hashes
+ * starting with "$2...", which might have been
+ * generated by unsafe base64 encoding functions
+ * as used in glibc <= 2.16.
+ * Such hashes are likely to be rejected by many
+ * recent implementations of libcrypt.
+ */
+ if (retval_checksalt == CRYPT_SALT_INVALID) {
+ helper_log_err(LOG_ERR,
+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
+ "does not use a method known by the version "
+ "of libcrypt this system is supplied with.",
+ hash);
+ }
+#endif
#ifdef HAVE_CRYPT_R
struct crypt_data *cdata;
cdata = malloc(sizeof(*cdata));