diff options
Diffstat (limited to 'testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch')
-rw-r--r-- | testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch b/testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch new file mode 100644 index 00000000..8755cf60 --- /dev/null +++ b/testing/source/PAM/a/pam/fedora-patches/pam-1.3.1-unix-no-fallback.patch @@ -0,0 +1,105 @@ +Index: Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- Linux-PAM-1.3.1.orig/modules/pam_unix/pam_unix.8.xml ++++ Linux-PAM-1.3.1/modules/pam_unix/pam_unix.8.xml +@@ -293,11 +293,10 @@ + <listitem> + <para> + When a user changes their password next, +- encrypt it with the SHA256 algorithm. If the +- SHA256 algorithm is not known to the <citerefentry> ++ encrypt it with the SHA256 algorithm. The ++ SHA256 algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry> function, +- fall back to MD5. ++ </citerefentry> function. + </para> + </listitem> + </varlistentry> +@@ -308,11 +307,10 @@ + <listitem> + <para> + When a user changes their password next, +- encrypt it with the SHA512 algorithm. If the +- SHA512 algorithm is not known to the <citerefentry> ++ encrypt it with the SHA512 algorithm. The ++ SHA512 algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry> function, +- fall back to MD5. ++ </citerefentry> function. + </para> + </listitem> + </varlistentry> +@@ -323,11 +321,10 @@ + <listitem> + <para> + When a user changes their password next, +- encrypt it with the blowfish algorithm. If the +- blowfish algorithm is not known to the <citerefentry> ++ encrypt it with the blowfish algorithm. The ++ blowfish algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry> function, +- fall back to MD5. ++ </citerefentry> function. + </para> + </listitem> + </varlistentry> +@@ -338,11 +335,10 @@ + <listitem> + <para> + When a user changes their password next, +- encrypt it with the gost-yescrypt algorithm. If the +- gost-yescrypt algorithm is not known to the <citerefentry> ++ encrypt it with the gost-yescrypt algorithm. The ++ gost-yescrypt algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry> function, +- fall back to MD5. ++ </citerefentry> function. + </para> + </listitem> + </varlistentry> +@@ -353,11 +349,10 @@ + <listitem> + <para> + When a user changes their password next, +- encrypt it with the yescrypt algorithm. If the +- yescrypt algorithm is not known to the <citerefentry> ++ encrypt it with the yescrypt algorithm. The ++ yescrypt algorithm must be supported by the <citerefentry> + <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum> +- </citerefentry> function, +- fall back to MD5. ++ </citerefentry> function. + </para> + </listitem> + </varlistentry> +Index: Linux-PAM-1.3.1/modules/pam_unix/passverify.c +=================================================================== +--- Linux-PAM-1.3.1.orig/modules/pam_unix/passverify.c ++++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c +@@ -466,10 +466,9 @@ PAMH_ARG_DECL(char * create_password_has + sp = crypt(password, salt); + #endif + if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { +- /* libxcrypt/libc doesn't know the algorithm, use MD5 */ ++ /* libxcrypt/libc doesn't know the algorithm, error out */ + pam_syslog(pamh, LOG_ERR, +- "Algo %s not supported by the crypto backend, " +- "falling back to MD5\n", ++ "Algo %s not supported by the crypto backend.\n", + on(UNIX_YESCRYPT_PASS, ctrl) ? "yescrypt" : + on(UNIX_GOST_YESCRYPT_PASS, ctrl) ? "gost_yescrypt" : + on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : +@@ -481,7 +480,7 @@ PAMH_ARG_DECL(char * create_password_has + #ifdef HAVE_CRYPT_R + free(cdata); + #endif +- return crypt_md5_wrapper(password); ++ return NULL; + } + sp = x_strdup(sp); + #ifdef HAVE_CRYPT_R |