| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
Patch to put the PAM manpage in section 7 (general topics) instead of 8
(system administration commands)
Authors: Steve Langasek <vorlon@debian.org>
Upstream status: maybe provide a backwards-compatibility link first?
Gbp-Pq: Name PAM-manpage-section
|
| |
|
|
|
|
|
| |
* Bring in the obscure checks that used to live in shadow so we can still support them
* Set default minimum password length to 6
Gbp-Pq: Name 0003-pam_unix-obscure-checks.patch
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DockBook 4 to DocBook 5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ci/install-dependencies.sh: Remove libcrack2-dev.
* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
--enable-cracklib=check.
* conf/pam.conf: Remove references to pam_cracklib.so.
* configure.ac: Remove --enable-cracklib option.
(AC_SUBST): Remove LIBCRACK.
(AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB.
(AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile.
* doc/sag/pam_cracklib.xml: Remove.
* doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml.
* modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove.
(SUBDIRS): Remove MAYBE_PAM_CRACKLIB.
* modules/pam_cracklib/Makefile.am: Remove.
* modules/pam_cracklib/README.xml: Likewise.
* modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_cracklib/tst-pam_cracklib: Likewise.
* xtests/tst-pam_cracklib1.c: Likewise.
* xtests/tst-pam_cracklib1.pamd: Likewise.
* xtests/tst-pam_cracklib2.c: Likewise.
* xtests/tst-pam_cracklib2.pamd: Likewise.
* modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib
in examples with pam_passwdqc.
* modules/pam_unix/pam_unix.8.xml: Likewise.
* po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c.
* xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2.
* xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd
and tst-pam_cracklib2.pamd.
(XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2.
* NEWS: Document this change.
|
| |
|
|
|
|
|
| |
According to crypt(5), md5 should not be used for new hashes. Let's
give a modern example with yescrypt.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adding nullresetok to auth phase of pam_unix module will allow users
with blank password to authenticate in order to immediatelly change
their password even if nullok is not set.
This allows to have blank password authentication disabled but still
allows administrator to create new user accounts with expired blank
password that must be change on the first login.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the call to the crypt(3) function failed for some reason during
hashing a new login passphrase, the wrapper function for computing
a hash with the md5crypt method was called internally by the pam_unix
module in previous versions of linux-pam.
With CVE-2012-3287 in mind, the md5crypt method is not considered to
be a safe nor recommended hashing method for a new login passphrase
since at least 2012. Thus pam_unix should error out in case of a
failure in crypt(3) instead of silently computing a hashed passphrase
using a potentially unsafe method.
* modules/pam_unix/pam_unix.8.xml: Update documentation.
* modules/pam_unix/passverify.c (create_password_hash): Return NULL
on error instead of silently invoke crypt_md5_wrapper().
|
| |
|
|
| |
This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt since v4.4.0 supports a default method for its
gensalt function on most system configurations. As the
default method is to be considered the strongest available
hash method, it should be preferred over all other hash
methods supported by pam.
* modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
* modules/pam_unix/passverify.c: Add crypt_default method.
* modules/pam_unix/support.h: Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
|
| |
|
|
|
| |
modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
to store the old passwords when remember option is set.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have to drop support for not_set_pass option which is not much useful
anyway. Instead we get proper support for authtok_type option.
* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
pe
option.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
sword()
call with equivalent pam_get_authtok() call.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
support for not_set_pass.
* modules/pam_unix/support.c (_unix_read_password): Remove.
* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry
is on and return value data is not set to PAM_SUCCESS then ignore
PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the
return value data.
(pam_sm_setcred): Test for likeauth option and use the return value data
only if set.
* modules/pam_unix/support.h: Add the no_pass_expiry option.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fix: CVE-2015-3238
If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.
With this fix, the verifiable password length will be limited to
PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix.
* NEWS: Update
* configure.ac: Bump version
* modules/pam_exec/pam_exec.8.xml: document limitation of password length
* modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE
* modules/pam_unix/pam_unix.8.xml: document limitation of password length
* modules/pam_unix/pam_unix_passwd.c: limit password length
* modules/pam_unix/passverify.c: Likewise
* modules/pam_unix/passverify.h: Likewise
* modules/pam_unix/support.c: Likewise
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch by Louis Sautier
* doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors.
* doc/man/pam.3.xml: Likewise.
* doc/man/pam_acct_mgmt.3.xml: Likewise.
* doc/man/pam_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* modules/pam_limits/limits.conf.5.xml: Likewise.
* modules/pam_mail/pam_mail.8.xml: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_shells/pam_shells.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.
|
| |
|
|
|
|
|
|
|
| |
messages from session.
* modules/pam_unix/pam_unix.8.xml: Document new option.
* modules/pam_unix/support.h: Add quiet option.
* modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if
'quiet' option is set.
|
| |
|
|
|
|
|
|
|
| |
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
|
| |
|
|
|
|
|
| |
modules/pam_limits/limits.conf.5.xml: Document race of maxlogins [#10]
modules/pam_namespace/pam_namespace.h: Define MS_SLAVE if necessary
modules/pam_pwhistory/pam_pwhistory.c: Document how the module works
modules/pam_unix/pam_unix.8.xml: Document remember option obsoleted by pam_pwhistory [#6]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: new feature
Commit summary:
---------------
2010-08-17 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_unix/pam_unix_passwd.c: Implement minlen option.
* modules/pam_unix/support.c: Likewise.
* modules/pam_unix/support.h: Likewise.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Adjust
arguments for _set_ctrl call.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
* modules/pam_unix/pam_unix_session.c: Likewise.
* modules/pam_unix/pam_unix.8.xml: Document minlen option.
Based on patch by Steve Langasek.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: docu fix
Commit summary:
---------------
2009-06-29 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_unix/pam_unix.8.xml: Fix blowfish description.
Reported by Diego E. “Flameeyes” Pettenò.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: cleanup
Commit summary:
---------------
2009-06-01 Ville Skyttä <ville.skytta@iki.fi>
* modules/pam_limits/pam_limits.8.xml: Only *.conf
files are parsed. Spelling fixes.
* modules/pam_access/pam_access.8.xml: Spelling fixes.
* modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
* modules/pam_echo/pam_echo.8.xml: Likewise.
* modules/pam_env/pam_env.8.xml: Likewise.
* modules/pam_exec/pam_exec.8.xml: Likewise.
* modules/pam_filter/pam_filter.8.xml: Likewise.
* modules/pam_ftp/pam_ftp.8.xml: Likewise.
* modules/pam_group/pam_group.8.xml: Likewise.
* modules/pam_issue/pam_issue.8.xml: Likewise.
* modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
* modules/pam_listfile/pam_listfile.8.xml: Likewise.
* modules/pam_localuser/pam_localuser.8.xml: Likewise.
* modules/pam_loginuid/pam_loginuid.8.xml: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.8.xml: Likewise.
* modules/pam_motd/pam_motd.8.xml: Likewise.
* modules/pam_namespace/pam_namespace.8.xml: Likewise.
* modules/pam_pwhistory/pam_pwhistory.8.xml: Likewise.
* modules/pam_selinux/pam_selinux.8.xml: Likewise.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_tally2/pam_tally2.8.xml: Likewise.
* modules/pam_time/pam_time.8.xml: Likewise.
* modules/pam_timestamp/pam_timestamp.8.xml: Likewise.
* modules/pam_timestamp/pam_timestamp_check.8.xml: Likewise.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
* modules/pam_umask/pam_umask.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.
* modules/pam_xauth/pam_xauth.8.xml: Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: new feature
Commit summary:
---------------
2008-12-01 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_unix/pam_unix.8.xml: Document blowfish option.
* configure.in: Check for crypt_gensalt_rn.
* modules/pam_unix/pam_unix_passwd.c: Pass pamh to
create_password_hash function.
* modules/pam_unix/passverify.c (create_password_hash): Add
blowfish support.
* modules/pam_unix/passverify.h: Adjust create_password_hash
prototype.
* modules/pam_unix/support.c: Add support for blowfish option.
* modules/pam_unix/support.h: Add defines for blowfish option.
Patch from Diego Flameeyes Pettenò <flameeyes@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: bugfix
Commit summary:
---------------
2008-09-16 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_unix/pam_unix.8.xml: Fix typo.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: bugfix
Commit summary:
---------------
2008-08-18 Thorsten Kukuk <kukuk@thkukuk.de>
* Makefile.am (M4_FILES): Adjust list.
* modules/pam_access/pam_access.8.xml: Fix module service
vs. module type.
* modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
* modules/pam_debug/pam_debug.8.xml: Likewise.
* modules/pam_deny/pam_deny.8.xml: Likewise.
* modules/pam_echo/pam_echo.8.xml: Likewise.
* modules/pam_env/pam_env.8.xml: Likewise.
* modules/pam_exec/pam_exec.8.xml: Likewise.
* modules/pam_faildelay/pam_faildelay.8.xml: Likewise.
* modules/pam_filter/pam_filter.8.xml: Likewise.
* modules/pam_ftp/pam_ftp.8.xml: Likewise.
* modules/pam_group/pam_group.8.xml: Likewise.
* modules/pam_issue/pam_issue.8.xml: Likewise.
* modules/pam_keyinit/pam_keyinit.8.xml: Likewise.
* modules/pam_lastlog/pam_lastlog.8.xml: Likewise.
* modules/pam_limits/pam_limits.8.xml: Likewise.
* modules/pam_listfile/pam_listfile.8.xml: Likewise.
* modules/pam_localuser/pam_localuser.8.xml: Likewise.
* modules/pam_loginuid/pam_loginuid.8.xml: Likewise.
* modules/pam_mail/pam_mail.8.xml: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.8.xml: Likewise.
* modules/pam_motd/pam_motd.8.xml: Likewise.
* modules/pam_namespace/pam_namespace.8.xml: Likewise.
* modules/pam_nologin/pam_nologin.8.xml: Likewise.
* modules/pam_permit/pam_permit.8.xml: Likewise.
* modules/pam_rhosts/pam_rhosts.8.xml: Likewise.
* modules/pam_rootok/pam_rootok.8.xml: Likewise.
* modules/pam_securetty/pam_securetty.8.xml: Likewise.
* modules/pam_selinux/pam_selinux.8.xml: Likewise.
* modules/pam_sepermit/pam_sepermit.8.xml: Likewise.
* modules/pam_shells/pam_shells.8.xml: Likewise.
* modules/pam_succeed_if/pam_succeed_if.8.xml: Likewise.
* modules/pam_tally/pam_tally.8.xml: Likewise.
* modules/pam_time/pam_time.8.xml: Likewise.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Likewise.
* modules/pam_umask/pam_umask.8.xml: Likewise.
* modules/pam_unix/pam_unix.8.xml: Likewise.
* modules/pam_userdb/pam_userdb.8.xml: Likewise.
* modules/pam_warn/pam_warn.8.xml: Likewise.
* modules/pam_wheel/pam_wheel.8.xml: Likewise.
* modules/pam_xauth/pam_xauth.8.xml: Likewise.
|
| |
|
|
|
|
|
|
|
|
|
| |
Purpose of commit: bugfix
Commit summary:
---------------
2008-07-27 Steve Langasek <vorlon@debian.org>
* modules/pam_*/pam_*.8.xml: fix up the references to pam.d,
which is in manpage section 5, not 8.
|
| |
|
|
|
|
|
|
|
|
| |
Purpose of commit: cleanup, new feature
Commit summary:
---------------
Merging the the refactorization pam_unix_ref branch into the trunk.
Added support for sha256 and sha512 password hashes to pam_unix
when the libcrypt supports them.
|
| |
|
|
|
|
|
|
|
| |
Purpose of commit: bugfix
Commit summary:
---------------
Fix typo.
|
|
|
Purpose of commit: new feature/bugfix
Commit summary:
---------------
2006-09-20 Thorsten Kukuk <kukuk@thkukuk.de>
* doc/adg/Makefile.am: Add manual pages as dependency.
* doc/mwg/Makefile.am: Likewise.
* doc/sag/Makefile.am: Likewise.
* doc/sag/Linux-PAM_SAG.xml: Include pam_unix.xml.
* doc/sag/pam_unix.xml: New.
* modules/pam_unix/Makefile.am: Generate pam_unix.8 manual page.
* modules/pam_unix/README.xml: New.
* modules/pam_unix/pam_unix.8.xml: New.
* modules/pam_unix/README: Regenerate from XML.
* modules/pam_unix/pam_unix.8: Generated from XML.
|
