pam/encryption_method_nis.diff
Thorsten Kukuk e2cdd21691 - Add encryption_method_nis.diff:
- implement pam_unix2 functionality to use another hash for
    NIS passwords.

- Add pam_unix.diff:
  - fix if /etc/login.defs uses DES
  - always ask for the old password when a NIS password is changed

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=125
2013-11-12 12:46:50 +00:00


diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 0cfc0f4..2239206 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
* rebuild the password database file.
*/
+
+ /* if it is a NIS account, check for special hash algo */
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+ /* preset encryption method with value from /etc/login.defs */
+ int j;
+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+ }
+ }
+
/*
* First we encrypt the new password.
*/
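Review bot: The hash override at `ctrl |= unix_args[j].flag` takes effect only after `ctrl` has been computed, and the support.c context in this diff shows `_set_ctrl()` reading `SHA_CRYPT_MAX_ROUNDS` only when `on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)` already holds. Assuming `ctrl` and `rounds` come from an earlier `_set_ctrl()` call in this function, a system whose ENCRYPT_METHOD is not a SHA method but whose ENCRYPT_METHOD_NIS is would hash NIS passwords without the configured round count. Either re-read the rounds after the override or move the NIS selection into `_set_ctrl()`, where the rounds lookup follows the method choice. Separately, `!strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))` is a prefix test, so a value with extra characters after a valid token is accepted with no warning. That loop is copied from the ENCRYPT_METHOD one, so a shared helper would keep the two consistent. The body of pam_sm_chauthtok starts and ends outside this hunk.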
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 19d72e6..dafa9f0 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,8 +37,8 @@
#define SELINUX_ENABLED 0
#endif
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
{
FILE *fp;
char *buf = NULL;
@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
}
/* preset encryption method with value from /etc/login.defs */
- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
/* read number of rounds for crypt algo */
if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
if (val) {
*rounds = strtol(val, NULL, 10);
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6f5b2eb..a35a8a8 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
#endif /* _PAM_UNIX_SUPPORT_H */
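Review bot: The prototype for `_unix_search_key()` is exported here without any comment on who owns the returned string, while the new caller in pam_unix_passwd.c tests `if (val)` and later calls `free (val)`. Now that the function is no longer `static`, the contract should sit next to the declaration, for example `/* Returns the value for key in filename as a malloc'ed string the caller must free, or NULL if the key is not found. */`. The function body is not part of this diff, so the exact wording should be confirmed against it.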