authorBjörn Esser <besser82@fedoraproject.org>2018-11-15 19:49:44 +0100
committerTomáš Mráz <t8m@users.noreply.github.com>2018-11-22 15:43:38 +0100
commit4da9febc39b955892a30686e8396785b96bb8ba5 (patch)
tree9805a4c4573ca20a6568ca358e574d4cdbfd289c /modules
parentdce80b3f11b3c3aa137d18f22699809094dd64b6 (diff)
pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
libxcrypt v4.3 has added the crypt_checksalt function to check whether the prefix at the beginning of a given hash string refers to a supported hashing method. Future revisions of this function will add support to check whether the hashing method the prefix refers to was disabled or considered deprecated by the system's factory presets or system administrator. Furthermore, it will be able to detect whether the parameters used by the corresponding hashing method, as encoded in the hash string, are no longer considered strong enough. *modules/pam_unix/passverify.c: Add support for crypt_checksalt.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_unix/passverify.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 0d2c8029..95dfe528 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -244,7 +244,13 @@ PAMH_ARG_DECL(int check_shadow_expiry,
D(("account expired"));
return PAM_ACCT_EXPIRED;
}
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ if (spent->sp_lstchg == 0 ||
+ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+ crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+#else
if (spent->sp_lstchg == 0) {
+#endif
D(("need a new password"));
*daysleft = 0;
return PAM_NEW_AUTHTOK_REQD;
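Review bot: The new condition calls crypt_checksalt(spent->sp_pwdp) twice on the same hash, and the second hunk calls it twice more, so one account check re-parses the prefix up to four times; evaluate it once into a local before the `if` and compare the stored value, e.g. `int salt_status = crypt_checksalt(spent->sp_pwdp);` followed by `if (spent->sp_lstchg == 0 || salt_status == CRYPT_SALT_METHOD_LEGACY || salt_status == CRYPT_SALT_TOO_CHEAP) {`. The guarded and unguarded variants share a body, so a one-line comment above the `#if`, such as `/* libxcrypt >= 4.3: also force a change when the stored hash uses a legacy or too-cheap method */`, would explain why the two branches differ. Whether sp_pwdp can be NULL or empty at this point is not visible here; if it can, confirm that crypt_checksalt tolerates it rather than dereferencing it. check_shadow_expiry begins outside the hunk.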
@@ -255,10 +261,19 @@ PAMH_ARG_DECL(int check_shadow_expiry,
spent->sp_namp);
return PAM_SUCCESS;
}
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ if (((curdays - spent->sp_lstchg > spent->sp_max)
+ && (curdays - spent->sp_lstchg > spent->sp_inact)
+ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
+ && (spent->sp_max != -1) && (spent->sp_inact != -1))
+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
+#else
if ((curdays - spent->sp_lstchg > spent->sp_max)
&& (curdays - spent->sp_lstchg > spent->sp_inact)
&& (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
&& (spent->sp_max != -1) && (spent->sp_inact != -1)) {
+#endif
*daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
D(("authtok expired"));
return PAM_AUTHTOK_EXPIRED;
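Review bot: When the condition holds only because crypt_checksalt reported CRYPT_SALT_METHOD_DISABLED or CRYPT_SALT_INVALID, `*daysleft` is still computed from sp_lstchg and sp_max on the following line, a value unrelated to the reason that can be large or negative; set `*daysleft = 0;` in that case, for example by testing the salt status in its own `if` before the age arithmetic. The `return PAM_SUCCESS;` at the top of this hunk runs before the new check, so accounts taking that earlier branch (its condition is outside the hunk; it looks like the no-expiry case) never reach the disabled/invalid test — confirm that is intended, since a hash with a disabled method would then still pass. The duplicate crypt_checksalt call raised on the first hunk applies here as well.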