diff options
| author | Björn Esser <besser82@fedoraproject.org> | 2018-11-26 22:33:17 +0100 |
|---|---|---|
| committer | Tomáš Mráz <t8m@users.noreply.github.com> | 2018-11-27 13:29:53 +0100 |
| commit | 86eed7ca01864b9fd17099e57f10f2b9b6b568a1 (patch) | |
| tree | aa81e82644f48122d9e7d1ef4866c7e80dbfcf2d /modules/pam_unix/passverify.c | |
| parent | 396ef3a1c93457fe66391627eb996b920be94fb2 (diff) | |
| download | pam-86eed7ca01864b9fd17099e57f10f2b9b6b568a1.tar.gz pam-86eed7ca01864b9fd17099e57f10f2b9b6b568a1.tar.bz2 pam-86eed7ca01864b9fd17099e57f10f2b9b6b568a1.zip | |
pam_unix: Report unusable hashes found by checksalt to syslog.
libxcrypt can be build-time configured to support (or not support)
various hashing methods. Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.
For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.
Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.
* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.
Diffstat (limited to 'modules/pam_unix/passverify.c')
| -rw-r--r-- | modules/pam_unix/passverify.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index eb2444bb..2c808eb5 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -103,6 +103,42 @@ verify_pwd_hash(const char *p, char *hash, unsigned int nullok) * Ok, we don't know the crypt algorithm, but maybe * libcrypt knows about it? We should try it. */ +#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE + /* Get the status of the hash from checksalt */ + int retval_checksalt = crypt_checksalt(hash); + + /* + * Check for hashing methods that are disabled by + * libcrypt configuration and/or system preset. + */ + if (retval_checksalt == CRYPT_SALT_METHOD_DISABLED) { + /* + * pam_syslog() needs a pam handle, + * but that's not available here. + */ + helper_log_err(LOG_ERR, + "pam_unix(verify_pwd_hash): The method " + "for computing the hash \"%.6s\" has been " + "disabled in libcrypt by the preset from " + "the system's vendor and/or administrator.", + hash); + } + /* + * Check for malformed hashes, like descrypt hashes + * starting with "$2...", which might have been + * generated by unsafe base64 encoding functions + * as used in glibc <= 2.16. + * Such hashes are likely to be rejected by many + * recent implementations of libcrypt. + */ + if (retval_checksalt == CRYPT_SALT_INVALID) { + helper_log_err(LOG_ERR, + "pam_unix(verify_pwd_hash): The hash \"%.6s\"" + "does not use a method known by the version " + "of libcrypt this system is supplied with.", + hash); + } +#endif #ifdef HAVE_CRYPT_R struct crypt_data *cdata; cdata = malloc(sizeof(*cdata)); |