diff options
| author | Sergei Trofimovich <slyich@gmail.com> | 2024-03-28 21:58:35 +0000 |
|---|---|---|
| committer | Sergei Trofimovich <slyich@gmail.com> | 2024-03-29 07:09:08 +0000 |
| commit | 8d0c575336ad301cd14e16ad2fdec6fe621764b8 (patch) | |
| tree | 264fd15c05f28aebe5e845241fcdefc310da7c1f /po | |
| parent | db25d975c804bbe5b86cb61b77723e040331bd16 (diff) | |
| download | pam-8d0c575336ad301cd14e16ad2fdec6fe621764b8.tar.gz pam-8d0c575336ad301cd14e16ad2fdec6fe621764b8.tar.bz2 pam-8d0c575336ad301cd14e16ad2fdec6fe621764b8.zip | |
pam_unix: allow empty passwords with non-empty hashes
Before the change pam_unix has different behaviours for a user with
empty password for these two `/etc/shadow` entries:
nulloktest:$6$Yy4ty2jJ$bsVQWo8qlXC6UHq1/qTC3UR60ZJKmKApJ3Wj7DreAy8FxlVKtlDnplFQ7jMLVlDqordE7e4t49GvTb.aI59TP0:1::::::
nulloktest::1::::::
The entry with a hash was rejected and the entry without was accepted.
The rejection happened because 9e74e90147c "pam_unix: avoid determining
if user exists" introduced the following rejection check (slightly
simplified):
...
} else if (p[0] == '\0' && nullok) {
if (hash[0] != '\0') {
retval = PAM_AUTH_ERR;
}
We should not reject the user with a hash assuming it's non-empty.
The change does that by pushing empty password check into
`verify_pwd_hash()`.
`NixOS` generates such hashed entries for empty passwords as if they
were non-empty using the following perl code:
sub hashPassword {
my ($password) = @_;
my $salt = "";
my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
$salt .= $chars[rand 64] for (1..8);
return crypt($password, '$6$' . $salt . '$');
}
Resolves: https://github.com/linux-pam/linux-pam/issues/758
Fixes: 9e74e90147c "pam_unix: avoid determining if user exists"
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
Diffstat (limited to 'po')
0 files changed, 0 insertions, 0 deletions