pam_unix: Change the salt length for new hashes to 16 characters

* modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
author: Tomas Mraz <tmraz@fedoraproject.org> 2016-01-25 16:50:00 +0100
committer: Tomas Mraz <tmraz@fedoraproject.org> 2016-01-25 16:50:00 +0100
commit: 698edffcffd54e7d81bad0829cee9dd2f0a3a6d7 (patch)
tree: cd0eacdde6c47a6bc5fc255ab0bf503e403dfed5 /modules/pam_unix/passverify.c
parent: 20047e7fdcfff6633d8201f0954be51f6378f1ae (diff)
download: pam-698edffcffd54e7d81bad0829cee9dd2f0a3a6d7.tar.gz
pam-698edffcffd54e7d81bad0829cee9dd2f0a3a6d7.tar.bz2
pam-698edffcffd54e7d81bad0829cee9dd2f0a3a6d7.zip
1 files changed, 2 insertions, 5 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index e79b55e6..078adc62 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -417,12 +417,9 @@ PAMH_ARG_DECL(char * create_password_hash,
 #endif
 		sp = stpcpy(salt, algoid);
 		if (on(UNIX_ALGO_ROUNDS, ctrl)) {
-			sp += snprintf(sp, sizeof(salt) - 3, "rounds=%u$", rounds);
+			sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$", rounds);
 		}
-		crypt_make_salt(sp, 8);
-		/* For now be conservative so the resulting hashes
-		 * are not too long. 8 bytes of salt prevents dictionary
-		 * attacks well enough. */
+		crypt_make_salt(sp, 16);
 #ifdef HAVE_CRYPT_GENSALT_R
 	}
 #endif
author	Tomas Mraz <tmraz@fedoraproject.org>	2016-01-25 16:50:00 +0100
committer	Tomas Mraz <tmraz@fedoraproject.org>	2016-01-25 16:50:00 +0100
commit	698edffcffd54e7d81bad0829cee9dd2f0a3a6d7 (patch)
tree	cd0eacdde6c47a6bc5fc255ab0bf503e403dfed5 /modules/pam_unix/passverify.c
parent	20047e7fdcfff6633d8201f0954be51f6378f1ae (diff)
download	pam-698edffcffd54e7d81bad0829cee9dd2f0a3a6d7.tar.gz pam-698edffcffd54e7d81bad0829cee9dd2f0a3a6d7.tar.bz2 pam-698edffcffd54e7d81bad0829cee9dd2f0a3a6d7.zip