diff --git a/encryption_method_nis.diff b/encryption_method_nis.diff
new file mode 100644
index 0000000..55980bf
--- /dev/null
+++ b/encryption_method_nis.diff
@@ -0,0 +1,77 @@
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 0cfc0f4..2239206 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ * rebuild the password database file.
+ */
+
++
++ /* if it is a NIS account, check for special hash algo */
++ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
++ /* preset encryption method with value from /etc/login.defs */
++ int j;
++ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
++ if (val) {
++ for (j = 0; j < UNIX_CTRLS_; ++j) {
++ if (unix_args[j].token && unix_args[j].is_hash_algo
++ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
++ break;
++ }
++ }
++ if (j >= UNIX_CTRLS_) {
++ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
++ } else {
++ ctrl &= unix_args[j].mask; /* for turning things off */
++ ctrl |= unix_args[j].flag; /* for turning things on */
++ }
++ free (val);
++ }
++ }
++
+ /*
+ * First we encrypt the new password.
+ */
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 19d72e6..dafa9f0 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -37,8 +37,8 @@
+ #define SELINUX_ENABLED 0
+ #endif
+
+-static char *
+-search_key (const char *key, const char *filename)
++char *
++_unix_search_key (const char *key, const char *filename)
+ {
+ FILE *fp;
+ char *buf = NULL;
+@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+ }
+
+ /* preset encryption method with value from /etc/login.defs */
+- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
++ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+
+ /* read number of rounds for crypt algo */
+ if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
+- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
++ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+
+ if (val) {
+ *rounds = strtol(val, NULL, 10);
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 6f5b2eb..a35a8a8 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
+
+ extern int _unix_run_verify_binary(pam_handle_t *pamh,
+ unsigned int ctrl, const char *user, int *daysleft);
++extern char *_unix_search_key(const char *key, const char *filename);
+ #endif /* _PAM_UNIX_SUPPORT_H */
diff --git a/pam.changes b/pam.changes
index 69b9d20..2e45a7d 100644
--- a/pam.changes
+++ b/pam.changes
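Review bot: The ENCRYPT_METHOD_NIS block in pam_sm_chauthtok rewrites `ctrl` at a point where, presumably, `_set_ctrl` has already merged the module's own options, so a login.defs value silently overrides whatever hash the pam line selected, whereas the ENCRYPT_METHOD lookup in `_set_ctrl` (support.c hunk) is described there as a "preset"; either apply the NIS value at the same stage as that preset or document in the comment that login.defs wins for NIS accounts. The match `!strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))` also accepts any value that merely begins with a token, so a mistyped value such as a constructed `sha256x` selects sha256 instead of reaching the "unrecognized" warning; comparing the whole value with `strcasecmp` would make that path reachable. The loop, the warning and the mask/flag update are a copy of the `_set_ctrl` code, so a shared helper next to the newly exported `_unix_search_key` (e.g. `_unix_set_hash_algo(pamh, &ctrl, "ENCRYPT_METHOD_NIS")`, name constructed) would keep one implementation. pam_sm_chauthtok begins and ends outside this hunk, and whether pam_unix_passwd.c has the header for `strncasecmp` in scope is not visible here.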
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Nov 12 13:08:44 CET 2013 - kukuk@suse.de
+
+- Add encryption_method_nis.diff:
+ - implement pam_unix2 functionality to use another hash for
+ NIS passwords.
+
+-------------------------------------------------------------------
+Fri Nov 8 16:01:35 CET 2013 - kukuk@suse.de
+
+- Add pam_unix.diff:
+ - fix if /etc/login.defs uses DES
+ - ask always for old password if a NIS password will be changed
+
 -------------------------------------------------------------------
 Sat Sep 28 09:26:21 UTC 2013 - mc@suse.com
 
diff --git a/pam.spec b/pam.spec
index 31955c5..6aa9047 100644
--- a/pam.spec
+++ b/pam.spec
@@ -53,6 +53,8 @@ Source7: common-session.pamd
 Source8: etc.environment
 Source9: baselibs.conf
 Patch0: fix-man-links.dif
+Patch1: pam_unix.diff
+Patch2: encryption_method_nis.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -97,6 +99,8 @@ building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"
diff --git a/pam_unix.diff b/pam_unix.diff
new file mode 100644
index 0000000..39bcb29
--- /dev/null
+++ b/pam_unix.diff
@@ -0,0 +1,37 @@
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 6575938..6f5b2eb 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -97,8 +97,9 @@ typedef struct {
+ password hash algorithms */
+ #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN 27 /* min length for password */
++#define UNIX_DES 28 /* DES, default */
+ /* -------------- */
+-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+
+ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+ /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
+ /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
++/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 9aae3b0..d5f2540 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -614,7 +614,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+
+ if (_unix_blankpasswd(pamh, ctrl, user)) {
+ return PAM_SUCCESS;
+- } else if (off(UNIX__IAMROOT, ctrl)) {
++ } else if (off(UNIX__IAMROOT, ctrl) ||
++ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
+ /* instruct user what is happening */
+ if (asprintf(&Announce, _("Changing password for %s."),
+ user) < 0) {
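Review bot: The new `UNIX_DES` table entry has a `flag` of 0, so if `on()` tests `ctrl` against `.flag` the way the neighbouring entries are used, `on(UNIX_DES, ctrl)` can never be true; the entry only takes effect through its mask, which clears the other hash bits so that `UNIX_DES_CRYPT(ctrl)` becomes true, and the comment `/* DES, default */` does not say so. I would extend the table line to `/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, /* flag 0: DES is selected by clearing the other hash bits; test with UNIX_DES_CRYPT(), not on() */`. In the pam_unix_passwd.c hunk the added operand `(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))` passes two bare constants whose meaning is not visible here, and the same call recurs in encryption_method_nis.diff, so a one-line comment naming what `0, 1` select would help at both sites. The enclosing pam_sm_chauthtok body starts and continues outside this hunk.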