- revert-check_shadow_expiry.diff: revert wrong

CRYPT_SALT_METHOD_LEGACY check.

- revert-check_shadow_expiry.diff: revert wrong
  CRYPT_SALT_METHOD_LEGACY check.

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=242

pam.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul 13 13:40:00 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- revert-check_shadow_expiry.diff: revert wrong
+  CRYPT_SALT_METHOD_LEGACY check.
+
 -------------------------------------------------------------------
 Fri Jun 25 08:07:04 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
 

pam.spec

@@ -61,6 +61,7 @@ Patch10:        pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
 Patch11:        bsc1184358-prevent-LOCAL-from-being-resolved.patch
 # https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
 Patch100:       pam_securetty-don-t-complain-about-missing-config.patch
+Patch101:       revert-check_shadow_expiry.diff
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
@@ -172,6 +173,7 @@ cp -a %{SOURCE12} .
 %patch10 -p1
 %patch11 -p1
 %patch100 -p1
+%patch101 -p1
 
 %build
 bash ./pam-login_defs-check.sh
@@ -191,7 +193,7 @@ CFLAGS="$CFLAGS -DNDEBUG"
 	--enable-debug \
 %endif
 	--enable-tally2 --enable-cracklib
-make %{?_smp_mflags}
+%make_build
 gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
 
 %check

pam_unix-nis.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul 13 13:40:54 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- revert-check_shadow_expiry.diff: revert wrong
+  CRYPT_SALT_METHOD_LEGACY check.
+
 -------------------------------------------------------------------
 Wed Jun  9 14:02:02 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 

pam_unix-nis.spec

@@ -36,6 +36,7 @@ URL:            http://www.linux-pam.org/
 Source:         Linux-PAM-%{version}.tar.xz
 Source9:        baselibs.conf
 Patch:          Makefile-pam_unix-nis.diff
+Patch1:         revert-check_shadow_expiry.diff
 BuildRequires:  pam-devel
 %if 0%{?suse_version} > 1320
 BuildRequires:  pkgconfig(libeconf)
@@ -57,6 +58,7 @@ module has NIS support.
 %prep
 %setup -q -n Linux-PAM-%{version}
 %patch -p1
+%patch1 -p1
 
 %build
 export CFLAGS="%{optflags} -DNDEBUG"

revert-check_shadow_expiry.diff

@@ -0,0 +1,31 @@
+pam_unix: do not use crypt_checksalt when checking for password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9feb.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f805..5a19ed856 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ 		D(("account expired"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+-	if (spent->sp_lstchg == 0 ||
+-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ 	if (spent->sp_lstchg == 0) {
+-#endif
+ 		D(("need a new password"));
+ 		*daysleft = 0;
+ 		return PAM_NEW_AUTHTOK_REQD;