Add a patch to not use crypt_checksalt for password expiration

Resolves: #1965345, #1967150
2021-06-10 21:20:33 +02:00 · 2021-06-10 21:20:33 +02:00 · 3513119870
parent 21bff18674
commit 3513119870
2 changed files with 47 additions and 1 deletions
--- a/pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch
+++ b/pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch
@ -0,0 +1,39 @@
+From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Thu, 10 Jun 2021 14:00:00 +0000
+Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
+ password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+Closes: https://github.com/linux-pam/linux-pam/issues/367
+---
+ modules/pam_unix/passverify.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f80..5a19ed85 100644
+--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ 		D(("account expired"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+-	if (spent->sp_lstchg == 0 ||
+-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ 	if (spent->sp_lstchg == 0) {
+-#endif
+ 		D(("need a new password"));
+ 		*daysleft = 0;
+ 		return PAM_NEW_AUTHTOK_REQD;
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.4.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -59,6 +59,8 @@ Patch62: pam-1.4.0-libpam-start-leak.patch
 Patch63: pam-1.4.0-drop-priv-initgroups.patch
 # https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
 Patch64: pam-1.4.0-unix-blank-check-with-root.patch
+# https://github.com/linux-pam/linux-pam/pull/368
+Patch65: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch

 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@ -156,6 +158,7 @@ cp %{SOURCE18} .
 %patch62 -p1 -b .libpam-start-leak
 %patch63 -p1 -b .drop-priv-initgroups
 %patch64 -p1 -b .unix-blank-check-with-root
+%patch65 -p1 -b .no_crypt_checksalt_for_pw_expiration

 autoreconf -i

@ -415,6 +418,10 @@ done
 %doc doc/sag/*.txt doc/sag/html

 %changelog
+* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.4.0-11
+- Add a patch to not use crypt_checksalt for password expiration
+  Resolves: #1965345, #1967150
+
 * Fri Dec  4 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-10
 - Add BuildRequires: make (#1902520)