Hi,
I find it very disturbing that you need to manually maintain the encryption hash in use both in /etc/login.defs for shadow and as a pam_unix.so argument. Since we already have two modules reading /etc/login.defs, I made a small change to pam_unix.so:
The default encryption hash is taken from /etc/login.defs and can be overwritten with the pam_unix.so argument. If there is no entry in /etc/login.defs and no argument DES is still the default.
So this change should be pretty backward compatible.
Any opinions? Most of the code is from the other PAM modules, maybe we should add the /etc/login.defs parsing functions to libpam itself sometimes.
2013-02-05 Thorsten Kukuk kukuk@thkukuk.de
Use hash from /etc/login.defs as default if no other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl * modules/pam_unix/support.h: Add define for /etc/login.defs * modules/pam_unix/pam_unix.8.xml: Document new behavior.
--- modules/pam_unix/support.c
+++ modules/pam_unix/support.c
@@ -37,6 +37,76 @@
 #define SELINUX_ENABLED 0
 #endif
+static char *
+search_key (const char *filename)
+{
+ FILE *fp;
+ char *buf = NULL;
+ size_t buflen = 0;
+ char *retval = NULL;
+
+ fp = fopen (filename, "r");
+ if (NULL == fp)
+ return NULL;
+
+ while (!feof (fp))
+ {
+ char *tmp, *cp;
+#if defined(HAVE_GETLINE)
+ ssize_t n = getline (&buf, &buflen, fp);
+#elif defined (HAVE_GETDELIM)
+ ssize_t n = getdelim (&buf, &buflen, '\n', fp);
+#else
+ ssize_t n;
+
+ if (buf == NULL)
+ {
+ buflen = BUF_SIZE;
+ buf = malloc (buflen);
+ }
+ buf[0] = '\0';
+ if (fgets (buf, buflen - 1, fp) == NULL)
+ break;
+ else if (buf != NULL)
+ n = strlen (buf);
+ else
+ n = 0;
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
+ cp = buf;
+
+ if (n < 1)
+ break;
+
+ tmp = strchr (cp, '#'); /* remove comments */
+ if (tmp)
+ *tmp = '\0';
+ while (isspace ((int)*cp)) /* remove spaces and tabs */
+ ++cp;
+ if (*cp == '\0') /* ignore empty lines */
+ continue;
+
+ if (cp[strlen (cp) - 1] == '\n')
+ cp[strlen (cp) - 1] = '\0';
+
+ tmp = strsep (&cp, " \t=");
+ if (cp != NULL)
+ while (isspace ((int)*cp) || *cp == '=')
+ ++cp;
+
+ if (strcasecmp (tmp, "ENCRYPT_METHOD") == 0)
+ {
+ retval = strdup (cp);
+ break;
+ }
+ }
+ fclose (fp);
+
+ free (buf);
+
+ return retval;
+}
+
+
 /* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -58,6 +128,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 int *pass_min_len, int argc, const char **argv)
 {
 unsigned int ctrl;
+ char *val;
+ int j;
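Review bot: In search_key(), `retval = strdup (cp);` can be reached with `cp == NULL`: strsep() sets `cp` to NULL when the line holds the key and no delimiter (for example a bare `ENCRYPT_METHOD` line), and the preceding `if (cp != NULL)` guard covers only the whitespace-skipping loop. Passing NULL to strdup() is undefined behaviour and would typically crash whichever process has loaded pam_unix, so one malformed line in login.defs can take down every service that uses the module. Guard the copy, e.g. `retval = strdup (cp != NULL ? cp : "");`, or skip the line when no value is present. The same lines are kept in the search_key() hunk of the revised patch later in the thread (the `strcasecmp (tmp, key)` variant).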
D(("called."));
@@ -81,10 +153,27 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 D(("SILENT"));
 set(UNIX__QUIET, ctrl);
 }
+
+ /* preset encryption method with value from /etc/login.defs */
+ val = search_key (LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPTION_METHOD value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ }
+
 /* now parse the arguments to this module */
for (; argc-- > 0; ++argv) {
- int j;
D(("pam_unix arg: %s", *argv));
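Review bot: The lookup `!strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))` compares only the first strlen(token) characters of the login.defs value, so a value such as `SHA512foo` is accepted as sha512 without any diagnostic. Because search_key() does not trim trailing whitespace, an exact match has to check the tail too, e.g. require that `val[strlen(unix_args[j].token)]` is `'\0'` or whitespace before the `break`. Separately, the cover mail says DES stays the default, but the unix_args table shown in the revised patch has no `des` token, so an explicit `ENCRYPT_METHOD DES` would presumably be logged as unrecognized on every call. The same comparison is kept in the revised _set_ctrl hunk later in the thread, and _set_ctrl's body continues outside this hunk.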
--- modules/pam_unix/support.h +++ modules/pam_unix/support.h @@ -8,6 +8,12 @@ #include <pwd.h>
/* + * File to read value of ENCRYPT_METHOD from. + */ +#define LOGIN_DEFS "/etc/login.defs" + + +/* * here is the string to inform the user that the new passwords they * typed were not the same. */ --- modules/pam_unix/pam_unix.8.xml +++ modules/pam_unix/pam_unix.8.xml @@ -81,7 +81,9 @@
<para> The password component of this module performs the task of updating - the user's password. + the user's password. The default encryption hash is taken from the + <emphasis remap='B'>ENCYPTION_METHOD</emphasis> variable from + <emphasis>/etc/login.defs</emphasis> </para>
<para> @@ -393,6 +395,9 @@ session required pam_unix.so <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry>
On Tue, 2013-02-05 at 14:00 +0100, Thorsten Kukuk wrote:
Hi,
I find it very disturbing, that you need to manual maintain the used encryption hash in /etc/login.defs for shadow and as pam_unix.so argument. Since we have already two modules reading /etc/login.defs, I made a small change to pam_unix.so:
The default encryption hash is taken from /etc/login.defs and can be overwritten with the pam_unix.so argument. If there is no entry in /etc/login.defs and no argument DES is still the default.
So this change should be pretty backward compatible.
Any opinions? Most of the code is from the other PAM modules, maybe we should add the /etc/login.defs parsing functions to libpam itself sometimes.
This is great. I've always wanted to implement this but never got to it.
+ if (buf == NULL) + { + buflen = BUF_SIZE; + buf = malloc (buflen); + } + buf[0] = '\0'; There is possible NULL pointer dereference if malloc() fails.
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPTION_METHOD value [%s]", val); The login.defs option is ENCRYPT_METHOD. You have the same typo in the pam_unix.8.xml.
You're also missing free(val); call in the _set_ctrl().
If you fix these it should be OK to commit.
On Tue, Feb 05, 2013 at 02:00:01PM +0100, Thorsten Kukuk wrote: [...]
@@ -81,10 +153,27 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, D(("SILENT")); set(UNIX__QUIET, ctrl); }
- /* preset encryption method with value from /etc/login.defs */
- val = search_key (LOGIN_DEFS);
- if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token
&& !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
break;
}
}
if (j >= UNIX_CTRLS_) {
pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPTION_METHOD value [%s]", val);
} else {
ctrl &= unix_args[j].mask; /* for turning things off */
ctrl |= unix_args[j].flag; /* for turning things on */
}
- }
If I'm not mistaken, this code would allow such odd configurations as ENCRYPT_METHOD=use_first_pass which is probably not what one could expect from this feature.
On Wed, Feb 06, Dmitry V. Levin wrote:
If I'm not mistaken, this code would allow such odd configurations as ENCRYPT_METHOD=use_first_pass which is probably not what one could expect from this feature.
Correct, but it cannot make any damage, only root would be able to add it, and it would break the shadow tools.
I don't see this as a real problem and I wouldn't duplicate all the data only for this.
Thorsten
On Wed, 2013-02-06 at 13:35 +0100, Thorsten Kukuk wrote:
On Wed, Feb 06, Dmitry V. Levin wrote:
If I'm not mistaken, this code would allow such odd configurations as ENCRYPT_METHOD=use_first_pass which is probably not what one could expect from this feature.
Correct, but it cannot make any damage, only root would be able to add it, and it would break the shadow tools.
I don't see this as a real problem and I wouldn't duplicate all the data only for this.
I agree with Thorsten here. Although it could be possible to add additional member to the unix_args structure that would mark the options that are crypt() algorithms.
On Wed, Feb 06, 2013 at 07:45:43AM +0400, Dmitry V. Levin wrote:
On Tue, Feb 05, 2013 at 02:00:01PM +0100, Thorsten Kukuk wrote: [...]
@@ -81,10 +153,27 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, D(("SILENT")); set(UNIX__QUIET, ctrl); }
- /* preset encryption method with value from /etc/login.defs */
- val = search_key (LOGIN_DEFS);
- if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token
&& !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
break;
}
}
if (j >= UNIX_CTRLS_) {
pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPTION_METHOD value [%s]", val);
} else {
ctrl &= unix_args[j].mask; /* for turning things off */
ctrl |= unix_args[j].flag; /* for turning things on */
}
- }
If I'm not mistaken, this code would allow such odd configurations as ENCRYPT_METHOD=use_first_pass which is probably not what one could expect from this feature.
Besides that it allows invalid configurations, it still doesn't support some valid ones, e.g. encryption related rounds= option would be silently ignored, and ENCRYPT_METHOD with such semantics wouldn't allow one to specify both password hashing method and its crucial option. Is it possible to introduce a /etc/login.defs parameter with more consistent semantics than this one?
On Wed, Feb 06, Dmitry V. Levin wrote:
Besides that it allows invalid configurations, it still doesn't support some valid ones, e.g. encryption related rounds= option would be silently ignored,
Why would rounds= options be silently ignored?
It's only a way to set the default consistent, for finetuning, none of the current options are removed, disabled, restricted, or whatever else.
Thorsten
On Wed, Feb 06, 2013 at 04:08:05PM +0100, Thorsten Kukuk wrote:
On Wed, Feb 06, Dmitry V. Levin wrote:
Besides that it allows invalid configurations, it still doesn't support some valid ones, e.g. encryption related rounds= option would be silently ignored,
Why would rounds= options be silently ignored?
When the option returned by search_key() has a value (like rounds= usually does), that value is silently ignored.
It's only a way to set the default consistent, for finetuning, none of the current options are removed, disabled, restricted, or whatever else.
If all this option can specify is the name of password hashing algorithm, then it would be only logical if it wouldn't try to accept anything besides that, and appropriate diagnostics would certainly help to diagnose a typo or any other kind of invalid usage.
And yes, it is a password hashing method rather than generic encrypt method, wouldn't it be better to call this new /etc/login.defs parameter, e.g. PASSWORD_HASHING_METHOD instead of ENCRYPT_METHOD?
Said all that, I'm not sure I'm the right person to discuss new pam_unix features because in Owl and ALT Linux pam_unix.so is a symlink to pam_tcb.so for a long time yet.
On Wed, 2013-02-06 at 19:42 +0400, Dmitry V. Levin wrote:
On Wed, Feb 06, 2013 at 04:08:05PM +0100, Thorsten Kukuk wrote:
On Wed, Feb 06, Dmitry V. Levin wrote:
Besides that it allows invalid configurations, it still doesn't support some valid ones, e.g. encryption related rounds= option would be silently ignored,
Why would rounds= options be silently ignored?
When the option returned by search_key() has a value (like rounds= usually does), that value is silently ignored.
It's only a way to set the default consistent, for finetuning, none of the current options are removed, disabled, restricted, or whatever else.
If all this option can specify is the name of password hashing algorithm, then it would be only logical if it wouldn't try to accept anything besides that, and appropriate diagnostics would certainly help to diagnose a typo or any other kind of invalid usage.
Yes, that is a valid argument.
And yes, it is a password hashing method rather than generic encrypt method, wouldn't it be better to call this new /etc/login.defs parameter, e.g. PASSWORD_HASHING_METHOD instead of ENCRYPT_METHOD?
ENCRYPT_METHOD is already established by shadow-utils. Changing it would be pointless.
Hi,
I haven't forgotten the patch ;) and have now implemented a check that the option in /etc/login.defs is a hash algo; additionally, I now read the rounds option for that algo from /etc/login.defs.
I hope this time the patch is now Ok?
Thorsten
Use hash from /etc/login.defs as default if no other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl * modules/pam_unix/support.h: Add define for /etc/login.defs * modules/pam_unix/pam_unix.8.xml: Document new behavior. * modules/pam_umask/pam_umask.c: Add missing NULL pointer check
diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c index 6d2ec1a..863f038 100644 --- a/modules/pam_umask/pam_umask.c +++ b/modules/pam_umask/pam_umask.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2006, 2007, 2010 Thorsten Kukuk kukuk@thkukuk.de + * Copyright (c) 2005, 2006, 2007, 2010, 2013 Thorsten Kukuk kukuk@thkukuk.de * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -112,6 +112,10 @@ search_key (const char *filename) { buflen = BUF_SIZE; buf = malloc (buflen); + if (buf == NULL) { + fclose (fp); + return NULL; + } } buf[0] = '\0'; if (fgets (buf, buflen - 1, fp) == NULL) diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index 0a42d7a..9ce084e 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -81,7 +81,9 @@
<para> The password component of this module performs the task of updating - the user's password. + the user's password. The default encryption hash is taken from the + <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from + <emphasis>/etc/login.defs</emphasis> </para>
<para> @@ -393,6 +395,9 @@ session required pam_unix.so <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index ab04535..f36786e 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -37,6 +37,80 @@ #define SELINUX_ENABLED 0 #endif
+static char *
+search_key (const char *key, const char *filename)
+{
+ FILE *fp;
+ char *buf = NULL;
+ size_t buflen = 0;
+ char *retval = NULL;
+
+ fp = fopen (filename, "r");
+ if (NULL == fp)
+ return NULL;
+
+ while (!feof (fp))
+ {
+ char *tmp, *cp;
+#if defined(HAVE_GETLINE)
+ ssize_t n = getline (&buf, &buflen, fp);
+#elif defined (HAVE_GETDELIM)
+ ssize_t n = getdelim (&buf, &buflen, '\n', fp);
+#else
+ ssize_t n;
+
+ if (buf == NULL)
+ {
+ buflen = BUF_SIZE;
+ buf = malloc (buflen);
+ if (buf == NULL) {
+ fclose (fp);
+ return NULL;
+ }
+ }
+ buf[0] = '\0';
+ if (fgets (buf, buflen - 1, fp) == NULL)
+ break;
+ else if (buf != NULL)
+ n = strlen (buf);
+ else
+ n = 0;
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
+ cp = buf;
+
+ if (n < 1)
+ break;
+
+ tmp = strchr (cp, '#'); /* remove comments */
+ if (tmp)
+ *tmp = '\0';
+ while (isspace ((int)*cp)) /* remove spaces and tabs */
+ ++cp;
+ if (*cp == '\0') /* ignore empty lines */
+ continue;
+
+ if (cp[strlen (cp) - 1] == '\n')
+ cp[strlen (cp) - 1] = '\0';
+
+ tmp = strsep (&cp, " \t=");
+ if (cp != NULL)
+ while (isspace ((int)*cp) || *cp == '=')
+ ++cp;
+
+ if (strcasecmp (tmp, key) == 0)
+ {
+ retval = strdup (cp);
+ break;
+ }
+ }
+ fclose (fp);
+
+ free (buf);
+
+ return retval;
+}
+
+
 /* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -58,6 +132,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 int *pass_min_len, int argc, const char **argv)
 {
 unsigned int ctrl;
+ char *val;
+ int j;
D(("called."));
@@ -81,10 +157,38 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 D(("SILENT"));
 set(UNIX__QUIET, ctrl);
 }
+
+ /* preset encryption method with value from /etc/login.defs */
+ val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+
+ /* read number of rounds for crypt algo */
+ if (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl)) {
+ val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+
+ if (val) {
+ *rounds = strtol(val, NULL, 10);
+ free (val);
+ }
+ }
+ }
+
 /* now parse the arguments to this module */
for (; argc-- > 0; ++argv) {
- int j;
D(("pam_unix arg: %s", *argv));
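Review bot: `*rounds = strtol(val, NULL, 10);` writes through `rounds` without a NULL check and stores the result unvalidated. `rounds` is an `int *` parameter of _set_ctrl; if any caller passes NULL because its module type has no use for rounds (callers are not visible here), this line dereferences it whenever login.defs selects sha256 or sha512 and sets SHA_CRYPT_MAX_ROUNDS. The conversion also accepts non-numeric text, negative numbers and values that do not fit an int, so I would check `rounds`, validate the number and log a warning on a bad value, as sketched below. Whether the code after the hunk honours `*rounds` without UNIX_ALGO_ROUNDS being set in `ctrl` is not visible from here and should be confirmed.

```c
/* ... unchanged: ENCRYPT_METHOD lookup and free (val) ... */
/* read number of rounds for crypt algo */
if (rounds != NULL
    && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
    val = search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);

    if (val) {
        char *end = NULL;
        long r;

        errno = 0;
        r = strtol(val, &end, 10);
        if (errno != 0 || end == val || r < 1 || r > INT_MAX) {
            pam_syslog(pamh, LOG_WARNING,
                       "ignoring invalid SHA_CRYPT_MAX_ROUNDS value [%s]", val);
        } else {
            *rounds = (int) r;
        }
        free (val);
    }
}
```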
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index db4cd95..6575938 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -8,6 +8,12 @@ #include <pwd.h>
/* + * File to read value of ENCRYPT_METHOD from. + */ +#define LOGIN_DEFS "/etc/login.defs" + + +/* * here is the string to inform the user that the new passwords they * typed were not the same. */ @@ -20,6 +26,7 @@ typedef struct { const char *token; unsigned int mask; /* shall assume 32 bits of flags */ unsigned int flag; + unsigned int is_hash_algo; } UNIX_Ctrls;
/* @@ -100,34 +107,34 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = /* symbol token name ctrl mask ctrl * * ----------------------- ------------------- --------------------- -------- */
-/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01}, -/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02}, -/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04}, -/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010}, -/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020}, -/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040}, -/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, -/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, -/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, -/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, -/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, -/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, -/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000}, -/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0}, -/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000}, -/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000}, -/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000}, -/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000}, -/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000}, -/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000}, -/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000}, -/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000}, -/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000}, -/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000}, -/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, -/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000}, -/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, +/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0}, +/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0}, +/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0}, +/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0}, +/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0}, +/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0}, +/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, +/* UNIX__PRELIM */ {NULL, 
_ALL_ON_^(0600), 0200, 0}, +/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, +/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, +/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, +/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, +/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, +/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1}, +/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0}, +/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0}, +/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0}, +/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0}, +/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1}, +/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0}, +/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0}, +/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0}, +/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0}, +/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1}, +/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1}, +/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, +/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, +/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, };
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
On Fri, Apr 12, Thorsten Kukuk wrote:
Hi,
I haven't forgotten the patch ;) and now I have implemented a check, if the option in /etc/login.defs is a hash algo, additional I read now the rounds option for that algo from /etc/login.defs.
I hope this time the patch is now Ok?
Has nobody any opinion about this?
If not, I will commit on the weekend.
On Fri, 2013-04-12 at 15:47 +0200, Thorsten Kukuk wrote:
Hi,
I haven't forgotten the patch ;) and now I have implemented a check, if the option in /etc/login.defs is a hash algo, additional I read now the rounds option for that algo from /etc/login.defs.
I hope this time the patch is now Ok?
It seems OK to me.
pam-developers@lists.fedorahosted.org