From 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Mon, 26 Nov 2018 22:33:17 +0100
Subject: pam_unix: Report unusable hashes found by checksalt to syslog.
libxcrypt can be build-time configured to support (or not support) various hashing methods. Future versions will also have support for runtime configuration by the system's vendor and/or administrator. For that reason adminstrator should be notified by pam if users cannot log into their account anymore because of such a change in the system's configuration of libxcrypt. Also check for malformed hashes, like descrypt hashes starting with "$2...", which might have been generated by unsafe base64 encoding functions as used in glibc <= 2.16. Such hashes are likely to be rejected by many recent implementations of libcrypt. * modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable hashes found by checksalt to syslog.
---
modules/pam_unix/passverify.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
(limited to 'modules/pam_unix')
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index eb2444bb..2c808eb5 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok)
 * Ok, we don't know the crypt algorithm, but maybe
 * libcrypt knows about it? We should try it.
 */
+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+ /* Get the status of the hash from checksalt */
+ int retval_checksalt = crypt_checksalt(hash);
+
+ /*
+ * Check for hashing methods that are disabled by
+ * libcrypt configuration and/or system preset.
+ */
+ if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) {
+ /*
+ * pam_syslog() needs a pam handle,
+ * but that's not available here.
+ */
+ helper_log_err(LOG_ERR,
+ "pam_unix(verify_pwd_hash): The method "
+ "for computing the hash \"%.6s\" has been "
+ "disabled in libcrypt by the preset from "
+ "the system's vendor and/or administrator.",
+ hash);
+ }
+ /*
+ * Check for malformed hashes, like descrypt hashes
+ * starting with "$2...", which might have been
+ * generated by unsafe base64 encoding functions
+ * as used in glibc <= 2.16.
+ * Such hashes are likely to be rejected by many
+ * recent implementations of libcrypt.
+ */
+ if (retval_checksalt == CRYPT_SALT_INVALID) {
+ helper_log_err(LOG_ERR,
+ "pam_unix(verify_pwd_hash): The hash \"%.6s\""
+ "does not use a method known by the version "
+ "of libcrypt this system is supplied with.",
+ hash);
+ }
+#endif
 #ifdef HAVE_CRYPT_R
 struct crypt_data *cdata;
 cdata = malloc(sizeof(*cdata));
-- cgit v1.2.3
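Review bot: Both new `helper_log_err()` calls print the stored hash with `%.6s`, and for the malformed descrypt hashes the second comment describes (a `$2` salt followed directly by the digest) those six characters are the salt plus the first four characters of the digest, which then land in syslog, commonly readable by more accounts and forwarded further than the shadow file. I would log only the method identifier, i.e. the text up to a second `$` found within a short bound, and print nothing from the hash when no such delimiter is found. Separately, the `CRYPT_SALT_INVALID` message is missing a space between adjacent string literals, so the closing quote runs straight into `does not use`; the first literal should end `\"%.6s\" "`. Neither message names the affected account, and no user name is visible in the `verify_pwd_hash(const char *p, char *hash, unsigned int nullok)` signature, so the caller may be the better place to report this. The function body starts and ends outside the hunk.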