[Pkg-shadow-commits] r1409 - in upstream/trunk: . etc lib libmisc src
nekral-guest at alioth.debian.org
nekral-guest at alioth.debian.org
Mon Nov 19 22:14:20 UTC 2007
Author: nekral-guest
Date: 2007-11-19 22:14:19 +0000 (Mon, 19 Nov 2007)
New Revision: 1409
Modified:
upstream/trunk/ChangeLog
upstream/trunk/NEWS
upstream/trunk/etc/login.defs
upstream/trunk/lib/getdef.c
upstream/trunk/libmisc/obscure.c
upstream/trunk/libmisc/salt.c
upstream/trunk/src/passwd.c
Log:
Add support for SHA256 and SHA512 encrypt methods. Apply RedHat's patch
shadow-4.0.18.1-sha256.patch. Thanks to Peter Vrabec. Hardly no changes
except re-indent and changes related to recent modifications (max_salt_len
in crypt_make_salt). Changes in lib/defines.h not applied (definition of
ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/ChangeLog 2007-11-19 22:14:19 UTC (rev 1409)
@@ -1,5 +1,15 @@
2007-11-19 Nicolas François <nicolas.francois at centraliens.net>
+ * NEWS, libmisc/obscure.c, libmisc/salt.c, src/passwd.c,
+ lib/getdef.c, etc/login.defs: Add support for SHA256 and SHA512
+ encrypt methods. Apply RedHat's patch shadow-4.0.18.1-sha256.patch.
+ Thanks to Peter Vrabec. Hardly no changes except re-indent and
+ changes related to recent modifications (max_salt_len in
+ crypt_make_salt). Changes in lib/defines.h not applied (definition
+ of ENCRYPTMETHOD_SELECT). I will add a configure check or flag.
+
+2007-11-19 Nicolas François <nicolas.francois at centraliens.net>
+
* man/de/Makefile.am: Add su.1 to the generated manpages.
* man/fr/Makefile.am: Add id.1 to EXTRA_DIST. It will be
generated.
Modified: upstream/trunk/NEWS
===================================================================
--- upstream/trunk/NEWS 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/NEWS 2007-11-19 22:14:19 UTC (rev 1409)
@@ -3,6 +3,8 @@
shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED
*** general:
+- Add support for SHA256 and SHA512 encrypt methods (supported by new
+ libc).
- useradd: Allow non numerical group identifier to be specified with
useradd's -g option.
- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow.
Modified: upstream/trunk/etc/login.defs
===================================================================
--- upstream/trunk/etc/login.defs 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/etc/login.defs 2007-11-19 22:14:19 UTC (rev 1409)
@@ -279,6 +279,16 @@
#MD5_CRYPT_ENAB no
#
+# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
+# If set to MD5 , MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# Overrides the MD5_CRYPT_ENAB option
+#
+#ENCRYPT_METHOD DES
+
+#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
Modified: upstream/trunk/lib/getdef.c
===================================================================
--- upstream/trunk/lib/getdef.c 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/lib/getdef.c 2007-11-19 22:14:19 UTC (rev 1409)
@@ -84,6 +84,7 @@
{"CHFN_AUTH", NULL},
{"CHSH_AUTH", NULL},
{"CRACKLIB_DICTPATH", NULL},
+ {"ENCRYPT_METHOD", NULL},
{"ENV_HZ", NULL},
{"ENVIRON_FILE", NULL},
{"ENV_TZ", NULL},
Modified: upstream/trunk/libmisc/obscure.c
===================================================================
--- upstream/trunk/libmisc/obscure.c 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/libmisc/obscure.c 2007-11-19 22:14:19 UTC (rev 1409)
@@ -210,6 +210,9 @@
int maxlen, oldlen, newlen;
char *new1, *old1;
const char *msg;
+#ifdef ENCRYPTMETHOD_SELECT
+ char *result;
+#endif
oldlen = strlen (old);
newlen = strlen (new);
@@ -227,15 +230,28 @@
if (msg)
return msg;
+#ifdef ENCRYPTMETHOD_SELECT
+ if ((result = getdef_str ("ENCRYPT_METHOD")) == NULL) {
+#endif
/* The traditional crypt() truncates passwords to 8 chars. It is
possible to circumvent the above checks by choosing an easy
8-char password and adding some random characters to it...
Example: "password$%^&*123". So check it again, this time
truncated to the maximum length. Idea from npasswd. --marekm */
- if (getdef_bool ("MD5_CRYPT_ENAB"))
- return NULL; /* unlimited password length */
+ if (getdef_bool ("MD5_CRYPT_ENAB"))
+ return NULL;
+#ifdef ENCRYPTMETHOD_SELECT
+ } else {
+
+ if (!strncmp (result, "MD5" , 3) ||
+ !strncmp (result, "SHA256", 6) ||
+ !strncmp (result, "SHA512", 6))
+ return NULL;
+
+ }
+#endif
maxlen = getdef_num ("PASS_MAX_LEN", 8);
if (oldlen <= maxlen && newlen <= maxlen)
return NULL;
Modified: upstream/trunk/libmisc/salt.c
===================================================================
--- upstream/trunk/libmisc/salt.c 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/libmisc/salt.c 2007-11-19 22:14:19 UTC (rev 1409)
@@ -58,20 +58,44 @@
* (magic) and pw_encrypt() will execute the MD5-based FreeBSD-compatible
* version of crypt() instead of the standard one.
*/
+
+#define MAGNUM(array,ch) (array)[0]= (array)[2] = '$',(array)[1]=(ch)
+
char *crypt_make_salt (void)
{
struct timeval tv;
static char result[40];
int max_salt_len = 8;
+ char *method;
- result[0] = '\0';
#ifndef USE_PAM
- if (getdef_bool ("MD5_CRYPT_ENAB")) {
- strcpy (result, "$1$"); /* magic for the new MD5 crypt() */
max_salt_len += 3;
+#ifdef ENCRYPTMETHOD_SELECT
+ if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
+#endif
+ if (getdef_bool ("MD5_CRYPT_ENAB")) {
+ MAGNUM(result,'1');
+ max_salt_len = 11;
+ } else
+ result[0] = '\0';
+#ifdef ENCRYPTMETHOD_SELECT
+ } else {
+ if (!strncmp (method, "MD5", 3)) {
+ MAGNUM(result, '1');
+ max_salt_len = 11;
+ } else if (!strncmp (method, "SHA256", 6)) {
+ MAGNUM(result, '5');
+ max_salt_len = 11; /* XXX: should not be fixed */
+ } else if (!strncmp (method, "SHA512", 6)) {
+ MAGNUM(result, '6');
+ max_salt_len = 11; /* XXX: should not be fixed */
+ } else if (!strncmp (method, "DES", 3))
+ result[0] = '\0';
+ else
+ result[0] = '\0';
}
-#endif
-
+#endif /* ENCRYPTMETHOD_SELECT */
+#endif /* USE_PAM */
/*
* Generate 8 chars of salt, the old crypt() will use only first 2.
*/
Modified: upstream/trunk/src/passwd.c
===================================================================
--- upstream/trunk/src/passwd.c 2007-11-19 20:33:39 UTC (rev 1408)
+++ upstream/trunk/src/passwd.c 2007-11-19 22:14:19 UTC (rev 1409)
@@ -190,7 +190,10 @@
char pass[200]; /* New password */
int i; /* Counter for retries */
int warned;
- int pass_max_len;
+ int pass_max_len = -1;
+#ifdef ENCRYPTMETHOD_SELECT
+ char *method;
+#endif
#ifdef HAVE_LIBCRACK_HIST
int HistUpdate (const char *, const char *);
@@ -228,16 +231,35 @@
* for strength, unless it is the root user. This provides an escape
* for initial login passwords.
*/
- if (getdef_bool ("MD5_CRYPT_ENAB"))
- pass_max_len = 127;
- else
- pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
+#ifdef ENCRYPTMETHOD_SELECT
+ if ((method = getdef_str ("ENCRYPT_METHOD")) == NULL) {
+#endif
+ if (!getdef_bool ("MD5_CRYPT_ENAB"))
+ pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
+#ifdef ENCRYPTMETHOD_SELECT
+ } else {
+ if (!strncmp (method, "MD5" , 3) ||
+ !strncmp (method, "SHA256", 6) ||
+ !strncmp (method, "SHA512", 6))
+ pass_max_len = -1;
+ else
+ pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
+ }
+#endif
+ if (!qflg) {
+ if (pass_max_len == -1) {
+ printf (_(
+"Enter the new password (minimum of %d characters)\n"
+"Please use a combination of upper and lower case letters and numbers.\n"),
+ getdef_num ("PASS_MIN_LEN", 5));
+ } else {
+ printf (_(
+"Enter the new password (minimum of %d, maximum of %d characters)\n"
+"Please use a combination of upper and lower case letters and numbers.\n"),
+ getdef_num ("PASS_MIN_LEN", 5), pass_max_len);
+ }
+ }
- if (!qflg)
- printf (_("\
-Enter the new password (minimum of %d, maximum of %d characters)\n\
-Please use a combination of upper and lower case letters and numbers.\n"), getdef_num ("PASS_MIN_LEN", 5), pass_max_len);
-
warned = 0;
for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
if (!(cp = getpass (_("New password: ")))) {
More information about the Pkg-shadow-commits
mailing list