aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_unix/passverify.h
Commit message (Collapse)AuthorAgeFilesLines
* build: rename SCONFIGDIR config.h macro to SCONFIG_DIRDmitry V. Levin2024-08-251-1/+1
| | | | | | | This way it is visibly different from the configure variable SCONFIGDIR, which is helpful, because their values are slightly different: the macro is quoted while the configure variable is not quoted, and this difference may cause problems with other build systems.
* pam_unix: refactor audit loggingChristian Göttsche2024-01-151-0/+1
| | | | | Split the audit logging code into a separate file, to be reused by unix_update(8).
* pam_unix: annotate declaration with format attributeChristian Göttsche2024-01-151-0/+1
| | | | | Instead of annotating the function definition with the format attribute annotate the declaration, so the annotation is visible at call sites.
* modules: use SCONFIGDIR macroDmitry V. Levin2022-01-231-1/+1
| | | | | | | | | | | | | | | | | Use SCONFIGDIR macro instead of open-coding "/etc/security", the latter is not correct when configured using --enable-sconfigdir with an argument different from /etc/security. * modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use SCONFIGDIR. * modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove. (PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR, NAMESPACE_D_GLOB): Use SCONFIGDIR. * modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove -DSECURECONF_DIR. * modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR. * modules/pam_unix/passverify.h: Likewise. * modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
* Move read_passwords function from pam_unix to pam_inline.hikerexxe2020-07-151-2/+0
| | | | | | | | | | | | | | [ldv: rewrote commit message] * modules/pam_unix/passverify.h (read_passwords): Remove prototype. * modules/pam_unix/passverify.c (read_passwords): Move ... * libpam/include/pam_inline.h: ... here, rename to pam_read_passwords, add static inline qualifiers. Include <unistd.h> and <errno.h>. * modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h". (main): Replace read_passwords with pam_read_passwords. * modules/pam_unix/unix_update.c: Include "pam_inline.h". (set_password): Replace read_passwords with pam_read_passwords.
* pam_unix: use PAM_MAX_RESP_SIZE instead of its alias MAXPASSDmitry V. Levin2020-07-151-2/+0
| | | | | | | | | | * modules/pam_unix/passverify.h (MAXPASS): Remove. * modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS with PAM_MAX_RESP_SIZE. * modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise. * modules/pam_unix/support.c (_unix_verify_password): Likewise. * modules/pam_unix/unix_chkpwd.c (main): Likewise. * modules/pam_unix/unix_update.c (set_password): Likewise.
* pam_unix: Use pam_syslog instead of helper_log_err.Tomas Mraz2018-11-271-3/+3
| | | | | | | | * modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err(). * modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash(). * modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument to verify_pwd_hash() call.
* pam_unix: Add support for (gost-)yescrypt hashing methods.Björn Esser2018-11-231-1/+1
| | | | | | | | | | | | | | | libxcrypt (v4.2 and later) has added support for the yescrypt hashing method; gost-yescrypt has been added in v4.3. * modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt. * modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/passverify.c: Add support for (gost-)yescrypt. * modules/pam_unix/passverify.h: Use 64 bit type for control flags. * modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt. * modules/pam_unix/support.h: Add support for (gost-)yescrypt.
* Release version 1.2.1Thorsten Kukuk2015-06-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise
* Relevant BUGIDs:Thorsten Kukuk2008-12-011-31/+20
| | | | | | | | | | | | | | | | | | | | | | Purpose of commit: new feature Commit summary: --------------- 2008-12-01 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_unix/pam_unix.8.xml: Document blowfish option. * configure.in: Check for crypt_gensalt_rn. * modules/pam_unix/pam_unix_passwd.c: Pass pamh to create_password_hash function. * modules/pam_unix/passverify.c (create_password_hash): Add blowfish support. * modules/pam_unix/passverify.h: Adjust create_password_hash prototype. * modules/pam_unix/support.c: Add support for blowfish option. * modules/pam_unix/support.h: Add defines for blowfish option. Patch from Diego Flameeyes Pettenò <flameeyes@gmail.com>
* Relevant BUGIDs:Steve Langasek2008-07-281-0/+6
| | | | | | | | | | | | | | Purpose of commit: bugfix (thread safety) Commit summary: --------------- 2008-07-28 Steve Langasek <vorlon@debian.org> * modules/pam_unix/passverify.c: make save_old_password() thread-safe by using pam_modutil_getpwnam() instead of getpwnam() * modules/pam_unix/passverify.c, modules/pam_unix/passverify.h, modules/pam_unix/pam_unix_passwd.c: add pamh argument to save_old_password()
* Relevant BUGIDs: 1836981Tomas Mraz2008-01-241-1/+1
| | | | | | | | | | | | | | | Purpose of commit: bugfix Commit summary: --------------- 2008-01-24 Tomas Mraz <t8m@centrum.cz> * modules/pam_unix/bigcrypt.c (bigcrypt): Use crypt_r() when available. * modules/pam_unix/passverify.c (strip_hpux_aging): New function to strip HP/UX aging info from password hash. (verify_pwd_hash): Call strip_hpux_aging(), use crypt_r() when available.
* Relevant BUGIDs:Tomas Mraz2008-01-231-1/+82
| | | | | | | | | | Purpose of commit: cleanup, new feature Commit summary: --------------- Merging the the refactorization pam_unix_ref branch into the trunk. Added support for sha256 and sha512 password hashes to pam_unix when the libcrypt supports them.
* Relevant BUGIDs:Tomas Mraz2007-12-051-0/+43
Purpose of commit: cleanup Commit summary: --------------- 2007-12-05 Tomas Mraz <t8m@centrum.cz> * modules/pam_unix/Makefile.am: Add passverify.h and passverify.c as first part of pam_unix refactorization. * modules/pam_unix/pam_unix/pam_unix_acct.c: Include passverify.h. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/passverify.c: New file with common functions. * modules/pam_unix/passverify.h: Prototypes for the common functions. * modules/pam_unix/support.c: Include passverify.h, move _unix_shadowed() to passverify.c. (_unix_verify_password): Refactor out verify_pwd_hash() function. * modules/pam_unix/support.h: Move _unix_shadowed() prototype to passverify.h * modules/pam_unix/unix_chkpwd.c: Use _unix_shadowed() and verify_pwd_hash() from passverify.c.
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-08 07:34:32 +0000