From ad435b386b22b456724dc5c5b8d9f2d1beffc558 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Thu, 15 Nov 2018 16:57:35 +0100 Subject: pam_unix: Add crypt_default method, if supported. libxcrypt since v4.4.0 supports a default method for its gensalt function on most system configurations. As the default method is to be considered the strongest available hash method, it should be preferred over all other hash methods supported by pam. * modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default. * modules/pam_unix/passverify.c: Add crypt_default method. * modules/pam_unix/support.h: Likewise. --- modules/pam_unix/passverify.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'modules/pam_unix/passverify.c') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index eb2444bb..0a4c67b4 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -395,6 +395,14 @@ PAMH_ARG_DECL(char * create_password_hash, if (on(UNIX_MD5_PASS, ctrl)) { /* algoid = "$1" */ return crypt_md5_wrapper(password); +#if (defined(CRYPT_PREFERRED_METHOD_AVAILABLE) && CRYPT_PREFERRED_METHOD_AVAILABLE) + } else if (on(UNIX_CRYPT_DEFAULT_PASS, ctrl) + && crypt_preferred_method() != NULL) { + algoid = crypt_preferred_method(); + rounds = 0; /* always use the system preset */ +#endif + } else if (on(UNIX_CRYPT_DEFAULT_PASS, ctrl)) { + algoid = "*0"; /* never ever a valid method */ } else if (on(UNIX_YESCRYPT_PASS, ctrl)) { algoid = "$y$"; } else if (on(UNIX_GOST_YESCRYPT_PASS, ctrl)) { @@ -461,6 +469,7 @@ PAMH_ARG_DECL(char * create_password_hash, pam_syslog(pamh, LOG_ERR, "Algo %s not supported by the crypto backend, " "falling back to MD5\n", + on(UNIX_CRYPT_DEFAULT_PASS, ctrl) ? "crypt_default \"" algoid "\"" : on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" : on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" : on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : -- cgit v1.2.3