diff options
Diffstat (limited to 'modules/pam_unix')
| -rw-r--r-- | modules/pam_unix/pam_unix.8.xml | 35 | ||||
| -rw-r--r-- | modules/pam_unix/passverify.c | 7 |
2 files changed, 18 insertions, 24 deletions
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index cae2aeaa..93a01c89 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -293,11 +293,10 @@ <listitem> <para> When a user changes their password next, - encrypt it with the SHA256 algorithm. If the - SHA256 algorithm is not known to the <citerefentry> + encrypt it with the SHA256 algorithm. The + SHA256 algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> @@ -308,11 +307,10 @@ <listitem> <para> When a user changes their password next, - encrypt it with the SHA512 algorithm. If the - SHA512 algorithm is not known to the <citerefentry> + encrypt it with the SHA512 algorithm. The + SHA512 algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> @@ -323,11 +321,10 @@ <listitem> <para> When a user changes their password next, - encrypt it with the blowfish algorithm. If the - blowfish algorithm is not known to the <citerefentry> + encrypt it with the blowfish algorithm. The + blowfish algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> @@ -338,11 +335,10 @@ <listitem> <para> When a user changes their password next, - encrypt it with the gost-yescrypt algorithm. If the - gost-yescrypt algorithm is not known to the <citerefentry> + encrypt it with the gost-yescrypt algorithm. The + gost-yescrypt algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> @@ -353,11 +349,10 @@ <listitem> <para> When a user changes their password next, - encrypt it with the yescrypt algorithm. If the - yescrypt algorithm is not known to the <citerefentry> + encrypt it with the yescrypt algorithm. The + yescrypt algorithm must be supported by the <citerefentry> <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function, - fall back to MD5. + </citerefentry> function. </para> </listitem> </varlistentry> diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index e03e75b2..67f9e6f7 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -495,10 +495,9 @@ PAMH_ARG_DECL(char * create_password_hash, sp = crypt(password, salt); #endif if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { - /* libxcrypt/libc doesn't know the algorithm, use MD5 */ + /* libxcrypt/libc doesn't know the algorithm, error out */ pam_syslog(pamh, LOG_ERR, - "Algo %s not supported by the crypto backend, " - "falling back to MD5\n", + "Algo %s not supported by the crypto backend.\n", on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" : on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" : on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : @@ -510,7 +509,7 @@ PAMH_ARG_DECL(char * create_password_hash, #ifdef HAVE_CRYPT_R free(cdata); #endif - return crypt_md5_wrapper(password); + return NULL; } sp = x_strdup(sp); #ifdef HAVE_CRYPT_R |