Add support for SHA256 and SHA512 encrypt methods. Apply RedHat's patch
shadow-4.0.18.1-sha256.patch. Thanks to Peter Vrabec. Hardly no changes except re-indent and changes related to recent modifications (max_salt_len in crypt_make_salt). Changes in lib/defines.h not applied (definition of ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
This commit is contained in:
parent
cfc3378a0b
commit
b8d8d0de00
10
ChangeLog
10
ChangeLog
@ -1,3 +1,13 @@
|
|||||||
|
2007-11-19 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
|
* NEWS, libmisc/obscure.c, libmisc/salt.c, src/passwd.c,
|
||||||
|
lib/getdef.c, etc/login.defs: Add support for SHA256 and SHA512
|
||||||
|
encrypt methods. Apply RedHat's patch shadow-4.0.18.1-sha256.patch.
|
||||||
|
Thanks to Peter Vrabec. Hardly no changes except re-indent and
|
||||||
|
changes related to recent modifications (max_salt_len in
|
||||||
|
crypt_make_salt). Changes in lib/defines.h not applied (definition
|
||||||
|
of ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
|
||||||
|
|
||||||
2007-11-19 Nicolas François <nicolas.francois@centraliens.net>
|
2007-11-19 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
* man/de/Makefile.am: Add su.1 to the generated manpages.
|
* man/de/Makefile.am: Add su.1 to the generated manpages.
|
||||||
|
2
NEWS
2
NEWS
@ -3,6 +3,8 @@ $Id$
|
|||||||
shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED
|
shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED
|
||||||
|
|
||||||
*** general:
|
*** general:
|
||||||
|
- Add support for SHA256 and SHA512 encrypt methods (supported by new
|
||||||
|
libc).
|
||||||
- useradd: Allow non numerical group identifier to be specified with
|
- useradd: Allow non numerical group identifier to be specified with
|
||||||
useradd's -g option.
|
useradd's -g option.
|
||||||
- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow.
|
- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow.
|
||||||
|
@ -278,6 +278,16 @@ CHFN_RESTRICT rwh
|
|||||||
#
|
#
|
||||||
#MD5_CRYPT_ENAB no
|
#MD5_CRYPT_ENAB no
|
||||||
|
|
||||||
|
#
|
||||||
|
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
||||||
|
# If set to MD5 , MD5-based algorithm will be used for encrypting password
|
||||||
|
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||||
|
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||||
|
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||||
|
# Overrides the MD5_CRYPT_ENAB option
|
||||||
|
#
|
||||||
|
#ENCRYPT_METHOD DES
|
||||||
|
|
||||||
#
|
#
|
||||||
# List of groups to add to the user's supplementary group set
|
# List of groups to add to the user's supplementary group set
|
||||||
# when logging in on the console (as determined by the CONSOLE
|
# when logging in on the console (as determined by the CONSOLE
|
||||||
|
@ -84,6 +84,7 @@ static struct itemdef def_table[] = {
|
|||||||
{"CHFN_AUTH", NULL},
|
{"CHFN_AUTH", NULL},
|
||||||
{"CHSH_AUTH", NULL},
|
{"CHSH_AUTH", NULL},
|
||||||
{"CRACKLIB_DICTPATH", NULL},
|
{"CRACKLIB_DICTPATH", NULL},
|
||||||
|
{"ENCRYPT_METHOD", NULL},
|
||||||
{"ENV_HZ", NULL},
|
{"ENV_HZ", NULL},
|
||||||
{"ENVIRON_FILE", NULL},
|
{"ENVIRON_FILE", NULL},
|
||||||
{"ENV_TZ", NULL},
|
{"ENV_TZ", NULL},
|
||||||
|
@ -210,6 +210,9 @@ static const char *password_check (const char *old, const char *new,
|
|||||||
int maxlen, oldlen, newlen;
|
int maxlen, oldlen, newlen;
|
||||||
char *new1, *old1;
|
char *new1, *old1;
|
||||||
const char *msg;
|
const char *msg;
|
||||||
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
char *result;
|
||||||
|
#endif
|
||||||
|
|
||||||
oldlen = strlen (old);
|
oldlen = strlen (old);
|
||||||
newlen = strlen (new);
|
newlen = strlen (new);
|
||||||
@ -227,6 +230,9 @@ static const char *password_check (const char *old, const char *new,
|
|||||||
if (msg)
|
if (msg)
|
||||||
return msg;
|
return msg;
|
||||||
|
|
||||||
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) {
|
||||||
|
#endif
|
||||||
/* The traditional crypt() truncates passwords to 8 chars. It is
|
/* The traditional crypt() truncates passwords to 8 chars. It is
|
||||||
possible to circumvent the above checks by choosing an easy
|
possible to circumvent the above checks by choosing an easy
|
||||||
8-char password and adding some random characters to it...
|
8-char password and adding some random characters to it...
|
||||||
@ -234,8 +240,18 @@ static const char *password_check (const char *old, const char *new,
|
|||||||
truncated to the maximum length. Idea from npasswd. --marekm */
|
truncated to the maximum length. Idea from npasswd. --marekm */
|
||||||
|
|
||||||
if (getdef_bool ("MD5_CRYPT_ENAB"))
|
if (getdef_bool ("MD5_CRYPT_ENAB"))
|
||||||
return NULL; /* unlimited password length */
|
return NULL;
|
||||||
|
|
||||||
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
} else {
|
||||||
|
|
||||||
|
if (!strncmp (result, "MD5" , 3) ||
|
||||||
|
!strncmp (result, "SHA256", 6) ||
|
||||||
|
!strncmp (result, "SHA512", 6))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
}
|
||||||
|
#endif
|
||||||
maxlen = getdef_num ("PASS_MAX_LEN", 8);
|
maxlen = getdef_num ("PASS_MAX_LEN", 8);
|
||||||
if (oldlen <= maxlen && newlen <= maxlen)
|
if (oldlen <= maxlen && newlen <= maxlen)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -58,20 +58,44 @@ char *l64a(long value)
|
|||||||
* (magic) and pw_encrypt() will execute the MD5-based FreeBSD-compatible
|
* (magic) and pw_encrypt() will execute the MD5-based FreeBSD-compatible
|
||||||
* version of crypt() instead of the standard one.
|
* version of crypt() instead of the standard one.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#define MAGNUM(array,ch) (array)[0]= (array)[2] = '$',(array)[1]=(ch)
|
||||||
|
|
||||||
char *crypt_make_salt (void)
|
char *crypt_make_salt (void)
|
||||||
{
|
{
|
||||||
struct timeval tv;
|
struct timeval tv;
|
||||||
static char result[40];
|
static char result[40];
|
||||||
int max_salt_len = 8;
|
int max_salt_len = 8;
|
||||||
|
char *method;
|
||||||
|
|
||||||
result[0] = '\0';
|
|
||||||
#ifndef USE_PAM
|
#ifndef USE_PAM
|
||||||
if (getdef_bool ("MD5_CRYPT_ENAB")) {
|
|
||||||
strcpy (result, "$1$"); /* magic for the new MD5 crypt() */
|
|
||||||
max_salt_len += 3;
|
max_salt_len += 3;
|
||||||
}
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
|
||||||
#endif
|
#endif
|
||||||
|
if (getdef_bool ("MD5_CRYPT_ENAB")) {
|
||||||
|
MAGNUM(result,'1');
|
||||||
|
max_salt_len = 11;
|
||||||
|
} else
|
||||||
|
result[0] = '\0';
|
||||||
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
} else {
|
||||||
|
if (!strncmp (method, "MD5", 3)) {
|
||||||
|
MAGNUM(result, '1');
|
||||||
|
max_salt_len = 11;
|
||||||
|
} else if (!strncmp (method, "SHA256", 6)) {
|
||||||
|
MAGNUM(result, '5');
|
||||||
|
max_salt_len = 11; /* XXX: should not be fixed */
|
||||||
|
} else if (!strncmp (method, "SHA512", 6)) {
|
||||||
|
MAGNUM(result, '6');
|
||||||
|
max_salt_len = 11; /* XXX: should not be fixed */
|
||||||
|
} else if (!strncmp (method, "DES", 3))
|
||||||
|
result[0] = '\0';
|
||||||
|
else
|
||||||
|
result[0] = '\0';
|
||||||
|
}
|
||||||
|
#endif /* ENCRYPTMETHOD_SELECT */
|
||||||
|
#endif /* USE_PAM */
|
||||||
/*
|
/*
|
||||||
* Generate 8 chars of salt, the old crypt() will use only first 2.
|
* Generate 8 chars of salt, the old crypt() will use only first 2.
|
||||||
*/
|
*/
|
||||||
|
38
src/passwd.c
38
src/passwd.c
@ -190,7 +190,10 @@ static int new_password (const struct passwd *pw)
|
|||||||
char pass[200]; /* New password */
|
char pass[200]; /* New password */
|
||||||
int i; /* Counter for retries */
|
int i; /* Counter for retries */
|
||||||
int warned;
|
int warned;
|
||||||
int pass_max_len;
|
int pass_max_len = -1;
|
||||||
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
char *method;
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_LIBCRACK_HIST
|
#ifdef HAVE_LIBCRACK_HIST
|
||||||
int HistUpdate (const char *, const char *);
|
int HistUpdate (const char *, const char *);
|
||||||
@ -228,15 +231,34 @@ static int new_password (const struct passwd *pw)
|
|||||||
* for strength, unless it is the root user. This provides an escape
|
* for strength, unless it is the root user. This provides an escape
|
||||||
* for initial login passwords.
|
* for initial login passwords.
|
||||||
*/
|
*/
|
||||||
if (getdef_bool ("MD5_CRYPT_ENAB"))
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
pass_max_len = 127;
|
if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
|
||||||
|
#endif
|
||||||
|
if (!getdef_bool ("MD5_CRYPT_ENAB"))
|
||||||
|
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
|
||||||
|
#ifdef ENCRYPTMETHOD_SELECT
|
||||||
|
} else {
|
||||||
|
if (!strncmp (method, "MD5" , 3) ||
|
||||||
|
!strncmp (method, "SHA256", 6) ||
|
||||||
|
!strncmp (method, "SHA512", 6))
|
||||||
|
pass_max_len = -1;
|
||||||
else
|
else
|
||||||
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
|
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
|
||||||
|
}
|
||||||
if (!qflg)
|
#endif
|
||||||
printf (_("\
|
if (!qflg) {
|
||||||
Enter the new password (minimum of %d, maximum of %d characters)\n\
|
if (pass_max_len == -1) {
|
||||||
Please use a combination of upper and lower case letters and numbers.\n"), getdef_num ("PASS_MIN_LEN", 5), pass_max_len);
|
printf (_(
|
||||||
|
"Enter the new password (minimum of %d characters)\n"
|
||||||
|
"Please use a combination of upper and lower case letters and numbers.\n"),
|
||||||
|
getdef_num ("PASS_MIN_LEN", 5));
|
||||||
|
} else {
|
||||||
|
printf (_(
|
||||||
|
"Enter the new password (minimum of %d, maximum of %d characters)\n"
|
||||||
|
"Please use a combination of upper and lower case letters and numbers.\n"),
|
||||||
|
getdef_num ("PASS_MIN_LEN", 5), pass_max_len);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
warned = 0;
|
warned = 0;
|
||||||
for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
|
for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
|
||||||
|
Loading…
Reference in New Issue
Block a user