- Add encryption_method_nis.diff:

- implement pam_unix2 functionality to use another hash for
    NIS passwords.

- Add pam_unix.diff:
  - fix if /etc/login.defs uses DES
  - ask always for old password if a NIS password will be changed

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=125

encryption_method_nis.diff

@@ -0,0 +1,77 @@
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 0cfc0f4..2239206 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 		 * rebuild the password database file.
+ 		 */
+ 
++
++		/* if it is a NIS account, check for special hash algo */
++		if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
++		  /* preset encryption method with value from /etc/login.defs */
++		  int j;
++		  char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
++		  if (val) {
++		    for (j = 0; j < UNIX_CTRLS_; ++j) {
++		      if (unix_args[j].token && unix_args[j].is_hash_algo
++			  && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
++			break;
++		      }
++		    }
++		    if (j >= UNIX_CTRLS_) {
++		      pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
++		    } else {
++		      ctrl &= unix_args[j].mask;  /* for turning things off */
++		      ctrl |= unix_args[j].flag;  /* for turning things on  */
++		    }
++		    free (val);
++		  }
++		}
++
+ 		/*
+ 		 * First we encrypt the new password.
+ 		 */
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index 19d72e6..dafa9f0 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -37,8 +37,8 @@
+ #define SELINUX_ENABLED 0
+ #endif
+ 
+-static char *
+-search_key (const char *key, const char *filename)
++char *
++_unix_search_key (const char *key, const char *filename)
+ {
+   FILE *fp;
+   char *buf = NULL;
+@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+ 	}
+ 
+ 	/* preset encryption method with value from /etc/login.defs */
+-	val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
++	val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ 	if (val) {
+ 	  for (j = 0; j < UNIX_CTRLS_; ++j) {
+ 	    if (unix_args[j].token && unix_args[j].is_hash_algo
+@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+ 
+ 	  /* read number of rounds for crypt algo */
+ 	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
+-	    val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
++	    val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ 
+ 	    if (val) {
+ 	      *rounds = strtol(val, NULL, 10);
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 6f5b2eb..a35a8a8 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
+ 
+ extern int _unix_run_verify_binary(pam_handle_t *pamh,
+ 			unsigned int ctrl, const char *user, int *daysleft);
++extern char *_unix_search_key(const char *key, const char *filename);
+ #endif /* _PAM_UNIX_SUPPORT_H */

pam.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Nov 12 13:08:44 CET 2013 - kukuk@suse.de
+
+- Add encryption_method_nis.diff:
+  - implement pam_unix2 functionality to use another hash for
+    NIS passwords.
+
+-------------------------------------------------------------------
+Fri Nov  8 16:01:35 CET 2013 - kukuk@suse.de
+
+- Add pam_unix.diff:
+  - fix if /etc/login.defs uses DES
+  - ask always for old password if a NIS password will be changed
+
 -------------------------------------------------------------------
 Sat Sep 28 09:26:21 UTC 2013 - mc@suse.com
 

pam.spec

@@ -53,6 +53,8 @@ Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
+Patch1:         pam_unix.diff
+Patch2:         encryption_method_nis.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -97,6 +99,8 @@ building both PAM-aware applications and modules for use with PAM.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"

pam_unix.diff

@@ -0,0 +1,37 @@
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+index 6575938..6f5b2eb 100644
+--- a/modules/pam_unix/support.h
++++ b/modules/pam_unix/support.h
+@@ -97,8 +97,9 @@ typedef struct {
+ 					   password hash algorithms */
+ #define UNIX_BLOWFISH_PASS       26	/* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN        27	/* min length for password */
++#define UNIX_DES                 28     /* DES, default */
+ /* -------------- */
+-#define UNIX_CTRLS_              28	/* number of ctrl arguments defined */
++#define UNIX_CTRLS_              29	/* number of ctrl arguments defined */
+ 
+ #define UNIX_DES_CRYPT(ctrl)	(off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+ 
+@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+ /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000, 0},
+ /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000, 1},
+ /* UNIX_MIN_PASS_LEN */    {"minlen=",		_ALL_ON_,         0400000000, 0},
++/* UNIX_DES */             {"des",             _ALL_ON_^(0260420000),      0, 1},
+ };
+ 
+ #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 9aae3b0..d5f2540 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -614,7 +614,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 
+ 		if (_unix_blankpasswd(pamh, ctrl, user)) {
+ 			return PAM_SUCCESS;
+-		} else if (off(UNIX__IAMROOT, ctrl)) {
++		} else if (off(UNIX__IAMROOT, ctrl) ||
++			   (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
+ 			/* instruct user what is happening */
+ 			if (asprintf(&Announce, _("Changing password for %s."),
+ 				user) < 0) {