1 files changed, 36 insertions, 0 deletions

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index eb2444bb..2c808eb5 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
 			 * Ok, we don't know the crypt algorithm, but maybe
 			 * libcrypt knows about it? We should try it.
 			 */
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+			/* Get the status of the hash from checksalt */
+			int retval_checksalt = crypt_checksalt(hash);
+
+			/*
+			 * Check for hashing methods that are disabled by
+			 * libcrypt configuration and/or system preset.
+			 */
+			if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
+				/*
+				 * pam_syslog() needs a pam handle,
+				 * but that's not available here.
+				 */
+				helper_log_err(LOG_ERR,
+				  "pam_unix(verify_pwd_hash): The method "
+				  "for computing the hash \"%.6s\" has been "
+				  "disabled in libcrypt by the preset from "
+				  "the system's vendor and/or administrator.",
+				  hash);
+			}
+			/*
+			 * Check for malformed hashes, like descrypt hashes
+			 * starting with "$2...", which might have been
+			 * generated by unsafe base64 encoding functions
+			 * as used in glibc <= 2.16.
+			 * Such hashes are likely to be rejected by many
+			 * recent implementations of libcrypt.
+			 */
+			if (retval_checksalt == CRYPT_SALT_INVALID) {
+				helper_log_err(LOG_ERR,
+				  "pam_unix(verify_pwd_hash): The hash \"%.6s\""
+				  "does not use a method known by the version "
+				  "of libcrypt this system is supplied with.",
+				  hash);
+			}
+#endif
 #ifdef HAVE_CRYPT_R
 			struct crypt_data *cdata;
 			cdata = malloc(sizeof(*cdata));