This is roughly an upstream patch version 1.15 of support.c
and 1.9 of unix_chkpwd.c
However, those patches conflicted with the password aging stuff, and the password aging stuff was wrong for unix_chkpwd,
so this patch depends on the Debian pam_unix patch and changes that patch.
7
Index: Linux-PAM/modules/pam_unix/support.c
8
===================================================================
9
RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/modules/pam_unix/support.c,v
10
retrieving revision 1.6
11
diff -u -r1.6 support.c
12
--- Linux-PAM/modules/pam_unix/support.c 21 Sep 2002 18:35:57 -0000 1.6
13
+++ Linux-PAM/modules/pam_unix/support.c 15 Oct 2002 14:21:11 -0000
15
retval = PAM_AUTHINFO_UNAVAIL;
18
- if (!strlen(salt)) {
19
- /* the stored password is NULL */
20
- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
21
- D(("user has empty password - access granted"));
22
- retval = PAM_SUCCESS;
24
- D(("user has empty password - access denied"));
25
- retval = PAM_AUTH_ERR;
28
- retval = PAM_AUTH_ERR;
29
+ int salt_len = strlen(salt);
31
+ /* the stored password is NULL */
32
+ if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
33
+ D(("user has empty password - access granted"));
34
+ retval = PAM_SUCCESS;
36
+ D(("user has empty password - access denied"));
37
+ retval = PAM_AUTH_ERR;
39
+ } else if (!p || (*salt == '*') || (salt_len < 13)) {
40
+ retval = PAM_AUTH_ERR;
42
/* Hack off sysv pw aging foo */
43
if (strrchr(salt, ',')) *(strrchr(salt, ',')) = '\0';
44
- if (!strncmp(salt, "$1$", 3)) {
45
- pp = Goodcrypt_md5(p, salt);
46
- if (strcmp(pp, salt) != 0) {
48
- pp = Brokencrypt_md5(p, salt);
51
- pp = bigcrypt(p, salt);
53
- p = NULL; /* no longer needed here */
54
+ if (!strncmp(salt, "$1$", 3)) {
55
+ pp = Goodcrypt_md5(p, salt);
56
+ if (strcmp(pp, salt) != 0) {
58
+ pp = Brokencrypt_md5(p, salt);
61
+ pp = bigcrypt(p, salt);
63
+ p = NULL; /* no longer needed here */
65
- /* the moment of truth -- do we agree with the password? */
66
- D(("comparing state of pp[%s] and salt[%s]", pp, salt));
67
+ /* the moment of truth -- do we agree with the password? */
68
+ D(("comparing state of pp[%s] and salt[%s]", pp, salt));
71
- * Note, we are comparing the bigcrypt of the password with
72
- * the contents of the password field. If the latter was
73
- * encrypted with regular crypt (and not bigcrypt) it will
74
- * have been truncated for storage relative to the output
75
- * of bigcrypt here. As such we need to compare only the
76
- * stored string with the subset of bigcrypt's result.
77
- * Bug 521314: The strncmp comparison is for legacy support.
79
- if (strncmp(pp, salt, strlen(salt)) == 0) {
80
- retval = PAM_SUCCESS;
82
- retval = PAM_AUTH_ERR;
85
+ * Note, we are comparing the bigcrypt of the password with
86
+ * the contents of the password field. If the latter was
87
+ * encrypted with regular crypt (and not bigcrypt) it will
88
+ * have been truncated for storage relative to the output
89
+ * of bigcrypt here. As such we need to compare only the
90
+ * stored string with the subset of bigcrypt's result.
91
+ * Bug 521314: The strncmp comparison is for legacy support.
93
+ if (strncmp(pp, salt, salt_len) == 0) {
94
+ retval = PAM_SUCCESS;
96
+ retval = PAM_AUTH_ERR;
101
if (retval == PAM_SUCCESS) {
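Review bot: `salt_len` is computed at `int salt_len = strlen(salt);` before the `strrchr(salt, ',')` truncation, so both the new `salt_len < 13` test and `strncmp(pp, salt, salt_len)` use the length of the whole field, aging suffix included, not the length of the hash that is actually compared. From the visible lines this looks like it fails closed in the usual case, since a count that runs past salt's terminator makes strncmp behave like strcmp. Even so, an entry whose hash part is short but is followed by aging data is not rejected by the length check, and the legacy truncated-crypt match described in the comment stops working for entries that carry an aging suffix. Cutting the suffix first and measuring afterwards (`salt_len = strlen(salt);` directly after the truncation, with the `< 13` test applied to that value and `size_t` as the type) would make the check cover the string that is compared. The unix_chkpwd.c section has the same ordering (`salt_len = strlen(salt);` precedes the `strrchr(salt, ',')` cut); several lines of both sections are missing from this page, so confirm against the full patch.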
102
Index: Linux-PAM/modules/pam_unix/unix_chkpwd.c
103
===================================================================
104
RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/modules/pam_unix/unix_chkpwd.c,v
105
retrieving revision 1.10
106
diff -u -r1.10 unix_chkpwd.c
107
--- Linux-PAM/modules/pam_unix/unix_chkpwd.c 21 Sep 2002 18:35:58 -0000 1.10
108
+++ Linux-PAM/modules/pam_unix/unix_chkpwd.c 15 Oct 2002 14:21:11 -0000
112
int retval = UNIX_FAILED;
115
/* UNIX passwords area */
121
- if (strlen(salt) == 0)
122
+ salt_len = strlen(salt);
123
+ if (salt_len == 0) {
124
return (opt == 0) ? UNIX_FAILED : UNIX_PASSED;
126
else if (p == NULL || strlen(p) == 0)
133
- if ((tmp = strrchr(p, ',')) != NULL) *tmp = '\0';
134
+ if ((tmp = strrchr(salt, ',')) != NULL) *tmp = '\0';
137
/* the moment of truth -- do we agree with the password? */
139
if (strcmp(pp, salt) == 0)
140
retval = UNIX_PASSED;
142
+ } else if ((*salt == '*') || (salt_len < 13)) {
143
+ retval = UNIX_FAILED;
145
pp = bigcrypt(p, salt);
148
* stored string with the subset of bigcrypt's result.
149
* Bug 521314: the strncmp comparison is for legacy support.
151
- if (strncmp(pp, salt, strlen(salt)) == 0) {
152
+ if (strncmp(pp, salt, salt_len) == 0) {
153
retval = UNIX_PASSED;