-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches-applied/pam_unix_avoid_checksalt | 43 | ||||
-rw-r--r-- | debian/patches-applied/series | 1 |
3 files changed, 48 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 0447e49a..848f13c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,11 @@ pam (1.4.0-10) UNRELEASED; urgency=medium * Fix syntax error in libpam0g.postinst when a systemd unit fails, Closes: #992538 + * Include upstream patch not to use crypt_checksalt; without this + passwords set prior to bullseye were considered expired, Closes: + #992848 - -- Sam Hartman <hartmans@debian.org> Thu, 26 Aug 2021 13:11:23 -0600 + -- Sam Hartman <hartmans@debian.org> Thu, 26 Aug 2021 13:43:23 -0600 pam (1.4.0-9) unstable; urgency=medium diff --git a/debian/patches-applied/pam_unix_avoid_checksalt b/debian/patches-applied/pam_unix_avoid_checksalt new file mode 100644 index 00000000..5a441145 --- /dev/null +++ b/debian/patches-applied/pam_unix_avoid_checksalt 
@@ -0,0 +1,43 @@
+debian-bug: #992848
+upstream-bug: https://github.com/linux-pam/linux-pam/issues/367
+
+
+From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Thu, 10 Jun 2021 14:00:00 +0000
+Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
+ password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+Closes: https://github.com/linux-pam/linux-pam/issues/367
+---
+ modules/pam_unix/passverify.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f805..5a19ed856 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ D(("account expired"));
+ return PAM_ACCT_EXPIRED;
+ }
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+- if (spent->sp_lstchg == 0 ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ if (spent->sp_lstchg == 0) {
+-#endif
+ D(("need a new password"));
+ *daysleft = 0;
+ return PAM_NEW_AUTHTOK_REQD;
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 6addd12c..3cc3e287 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -25,3 +25,4 @@ nullok_secure-compat.patch
 pam_unix_initialize_daysleft
 pam_faillock_create_directory
 pam_mkhomedir_stat_before_opendir
+pam_unix_avoid_checksalt |
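Review bot: With the `crypt_checksalt` branch removed from `check_shadow_expiry`, the only condition left in this hunk that returns `PAM_NEW_AUTHTOK_REQD` is `spent->sp_lstchg == 0`, so a stored hash classified as `CRYPT_SALT_METHOD_LEGACY` or `CRYPT_SALT_TOO_CHEAP` no longer forces a password change here, and neither the patch header nor the changelog entry says so. I would add a sentence to the patch description along the lines of `Accounts whose stored hash uses a legacy or low-cost method are no longer forced to change password at login; rotation of those hashes has to be driven by site policy.` so administrators do not assume the migration still happens on its own. The header fields `debian-bug:` and `upstream-bug:` are also not DEP-3 names; `Bug-Debian: https://bugs.debian.org/992848`, `Bug: https://github.com/linux-pam/linux-pam/issues/367` and an `Origin: upstream, commit 980d90c9232fe5325d1a4deddd42c597cf9e1a54` line would let patch-tracking tooling follow it. The body of `check_shadow_expiry` starts and ends outside the embedded hunk, so any other expiry checks in it are not visible from here.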