Add a patch to not use crypt_checksalt for password expiration
Resolves: #1965345, #1967150
parent
21bff18674
commit
3513119870
|
@ -0,0 +1,39 @@
|
|||
From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Thu, 10 Jun 2021 14:00:00 +0000
|
||||
Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
|
||||
password expiration
|
||||
|
||||
According to Zack Weinberg, the intended meaning of
|
||||
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
|
||||
method", it is not supposed to mean "force a password change on next
|
||||
login for any user with an existing stored hash using this method".
|
||||
|
||||
This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
|
||||
|
||||
* modules/pam_unix/passverify.c (check_shadow_expiry)
|
||||
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
|
||||
|
||||
Closes: https://github.com/linux-pam/linux-pam/issues/367
|
||||
---
|
||||
modules/pam_unix/passverify.c | 6 ------
|
||||
1 file changed, 6 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||
index f6132f80..5a19ed85 100644
|
||||
--- a/modules/pam_unix/passverify.c
|
||||
+++ b/modules/pam_unix/passverify.c
|
||||
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
|
||||
D(("account expired"));
|
||||
return PAM_ACCT_EXPIRED;
|
||||
}
|
||||
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
|
||||
- if (spent->sp_lstchg == 0 ||
|
||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
|
||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
|
||||
-#else
|
||||
if (spent->sp_lstchg == 0) {
|
||||
-#endif
|
||||
D(("need a new password"));
|
||||
*daysleft = 0;
|
||||
return PAM_NEW_AUTHTOK_REQD;
|
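Review bot: The surviving `if (spent->sp_lstchg == 0) {` in check_shadow_expiry has no comment saying that it is deliberately the only trigger for PAM_NEW_AUTHTOK_REQD at this point. Since the hash-method test was added in 4da9febc39b955892a30686e8396785b96bb8ba5 and is reverted here, a later reader could well reintroduce it. I would put `/* sp_lstchg == 0: a password change was requested explicitly (see shadow(5)); the hash method is deliberately not considered here, see linux-pam issue 367 */` above the condition. After the revert, accounts whose stored hash libcrypt reports as CRYPT_SALT_METHOD_LEGACY or CRYPT_SALT_TOO_CHEAP are no longer asked to change their password at login, so the update notes should tell administrators who relied on that to audit stored hash methods by other means. The function body begins and ends outside the hunk.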
9
pam.spec
9
pam.spec
|
@ -3,7 +3,7 @@
|
|||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.4.0
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
|
@ -59,6 +59,8 @@ Patch62: pam-1.4.0-libpam-start-leak.patch
|
|||
Patch63: pam-1.4.0-drop-priv-initgroups.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
|
||||
Patch64: pam-1.4.0-unix-blank-check-with-root.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/368
|
||||
Patch65: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch
|
||||
|
||||
%global _pamlibdir %{_libdir}
|
||||
%global _moduledir %{_libdir}/security
|
||||
|
@ -156,6 +158,7 @@ cp %{SOURCE18} .
|
|||
%patch62 -p1 -b .libpam-start-leak
|
||||
%patch63 -p1 -b .drop-priv-initgroups
|
||||
%patch64 -p1 -b .unix-blank-check-with-root
|
||||
%patch65 -p1 -b .no_crypt_checksalt_for_pw_expiration
|
||||
|
||||
autoreconf -i
|
||||
|
||||
|
@ -415,6 +418,10 @@ done
|
|||
%doc doc/sag/*.txt doc/sag/html
|
||||
|
||||
%changelog
|
||||
* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.4.0-11
|
||||
- Add a patch to not use crypt_checksalt for password expiration
|
||||
Resolves: #1965345, #1967150
|
||||
|
||||
* Fri Dec 4 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-10
|
||||
- Add BuildRequires: make (#1902520)
|
||||
|
||||
|
|
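Review bot: `Patch65` takes its source URL from `https://github.com/linux-pam/linux-pam/pull/368.patch`, which is not a fixed artifact. What a pull-request `.patch` URL serves changes whenever the branch is updated, so the URL can drift from the patch file checked in with this commit. The patch header names commit 980d90c9232fe5325d1a4deddd42c597cf9e1a54; if that is the commit that went upstream, reference it the way the comment above Patch64 does, `# https://github.com/linux-pam/linux-pam/commit/980d90c9232fe5325d1a4deddd42c597cf9e1a54`. Keep the pull-request link only as a secondary pointer, so the provenance of the shipped patch stays checkable.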