summaryrefslogtreecommitdiff
path: root/modules/pam_unix
diff options
context:
space:
mode:
authorBjörn Esser <besser82@fedoraproject.org>2018-11-15 15:01:57 +0100
committerTomáš Mráz <t8m@users.noreply.github.com>2018-11-16 10:03:27 +0100
commitf7abb8c1ef3aa31e6c2564a8aaf69683a77c2016 (patch)
tree39b967a2a7a25188b651340a43dacd114f15a20f /modules/pam_unix
parent955b3e2f100205be2db4358e9c812de2ae453b8e (diff)
pam_unix: Use bcrypt b-variant for computing new hashes.
Bcrypt hashes used the "$2a$" prefix since 1997. However, in 2011 an implementation bug was discovered in bcrypt affecting the handling of characters in passphrases with the 8th bit set. Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix for a behavior that exactly matches crypt_blowfish's "$2y$", and the crypt_blowfish implementation supports it as well since v1.1. That said new computed bcrypt hashes should use the "$2b$" prefix. * modules/pam_unix/passverify.c: Use bcrypt b-variant.
Diffstat (limited to 'modules/pam_unix')
-rw-r--r--modules/pam_unix/passverify.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 9c1771e2..1f433b3a 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -385,7 +385,7 @@ PAMH_ARG_DECL(char * create_password_hash,
/* algoid = "$1" */
return crypt_md5_wrapper(password);
} else if (on(UNIX_BLOWFISH_PASS, ctrl)) {
- algoid = "$2a$";
+ algoid = "$2b$";
} else if (on(UNIX_SHA256_PASS, ctrl)) {
algoid = "$5$";
} else if (on(UNIX_SHA512_PASS, ctrl)) {