authorSam Hartman <hartmans@debian.org>2021-08-26 12:43:23 -0700
committerSam Hartman <hartmans@debian.org>2021-08-26 12:43:23 -0700
commit1d37a5c06c9b6f4eb60c99daccfaebe3b2bf77aa (patch)
tree1be72cc3e88b08cb714b9cd4a2dc4ec210f62c96 /debian/patches-applied/pam_unix_avoid_checksalt
parentea04efa24985743014da9dd22c0581cbaef82ede (diff)
parent58476aa622ff2f622719b2cb1c586e4a93b5a801 (diff)
pam (1.4.0-10) unstable; urgency=medium
* Fix syntax error in libpam0g.postinst when a systemd unit fails, Closes: #992538 * Include upstream patch not to use crypt_checksalt; without this passwords set prior to bullseye were considered expired, Closes: #992848 * Support DPKG_ROOT for pam-auth-update, thanks Johannes 'josch' Schauer Closes: #983427 [dgit import unpatched pam 1.4.0-10]
Diffstat (limited to 'debian/patches-applied/pam_unix_avoid_checksalt')
-rw-r--r--debian/patches-applied/pam_unix_avoid_checksalt43
1 files changed, 43 insertions, 0 deletions
diff --git a/debian/patches-applied/pam_unix_avoid_checksalt b/debian/patches-applied/pam_unix_avoid_checksalt
new file mode 100644
index 00000000..5a441145
--- /dev/null
+++ b/debian/patches-applied/pam_unix_avoid_checksalt
@@ -0,0 +1,43 @@
+debian-bug: #992848
+upstream-bug: https://github.com/linux-pam/linux-pam/issues/367
+
+
+From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Thu, 10 Jun 2021 14:00:00 +0000
+Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
+ password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+Closes: https://github.com/linux-pam/linux-pam/issues/367
+---
+ modules/pam_unix/passverify.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f805..5a19ed856 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ D(("account expired"));
+ return PAM_ACCT_EXPIRED;
+ }
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+- if (spent->sp_lstchg == 0 ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ if (spent->sp_lstchg == 0) {
+-#endif
+ D(("need a new password"));
+ *daysleft = 0;
+ return PAM_NEW_AUTHTOK_REQD;
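Review bot: Dropping the `crypt_checksalt()` branch in `check_shadow_expiry` leaves nothing in the visible code that surfaces shadow entries whose hash libxcrypt reports as `CRYPT_SALT_METHOD_LEGACY` or `CRYPT_SALT_TOO_CHEAP`; after this patch only `sp_lstchg == 0` returns `PAM_NEW_AUTHTOK_REQD` here, so such hashes stay usable until the password is changed by other means. That matches the upstream rationale quoted in the header, but administrators who relied on the forced change to retire weak hashes should be told, for example with a header line such as `Note: entries with legacy or too-cheap hash methods are no longer expired at login; audit /etc/shadow and force a change (chage -d 0 USER) where needed.` The header would also be easier to track with an `Origin:` line naming upstream commit 980d90c9232fe5325d1a4deddd42c597cf9e1a54, which currently appears only in the mbox `From` line. The body of `check_shadow_expiry` continues outside the quoted hunk, so whether another path still warns about these hashes cannot be seen from here.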