FreeBSD Bugzilla – Attachment 137124 Details for
Bug 182518
[login.conf] Better Password Hashes
file.shar
file.shar (text/plain), 4.25 KB, created by
A.J. Kehoe IV
on 2013-09-30 18:50:00 UTC
Description:
file.shar
Filename:
MIME Type:
Creator:
A.J. Kehoe IV
Created:
2013-09-30 18:50:00 UTC
Size:
4.25 KB
># This is a shell archive. Save it in a file, remove anything before
># this line, and then unpack it by entering "sh file". Note, it may
># create directories; files and directories will be owned by you and
># have default permissions.
>#
># This archive contains:
>#
># login.conf.5.patch
># login.conf.patch
># pam_unix.c.patch
>#
>echo x - login.conf.5.patch
>sed 's/^X//' >login.conf.5.patch << 'd004b1f1103394d3b7210e3d0b27e4cf'
>X--- /usr/src/lib/libutil/login.conf.5.orig 2013-09-30 10:15:58.000000000 -0400
>X+++ /usr/src/lib/libutil/login.conf.5 2013-09-30 10:16:20.000000000 -0400
>X@@ -275,7 +275,15 @@
>X NIS clients using a
>X .No non- Ns Fx
>X NIS server should probably use "des".
>X-.It "passwd_prompt string The password prompt presented by"
>X+.It "passwd_modular string $02$08$ The encryption format that new or"
>X+changed passwords will use, based on the
>X+.Xr crypt 3
>X+magic constants. Overrides passwd_format when set. Valid values include "disabled" to fall back to passwd_format, $02$08$ would be blf with work factor 8, or $6$rounds=5000$ would be sha512 with 5000 rounds, will accept any of the magic salt values from
>X+.Xr crypt 3
>X+Be aware that setting this to an invalid crypt magic will likely fall back to des. Appending text to after the salt magic, (e.g. $02$08$dontdothis) will weaken the salt. Please refer to
>X+.Xr crypt 3
>X+for proper syntax and useage.
>X+.It "passwd_prompt string The password prompt presented by
>X .Xr login 1
>X .It "times.allow list List of time periods during which"
>X logins are allowed.
>d004b1f1103394d3b7210e3d0b27e4cf
>echo x - login.conf.patch
>sed 's/^X//' >login.conf.patch << '91dbd97499532c598f33fd04820120bd'
>X--- /etc/login.conf.orig 2013-09-30 10:18:16.000000000 -0400
>X+++ /etc/login.conf 2013-09-30 10:18:38.000000000 -0400
>X@@ -24,6 +24,7 @@
>X
>X default:\
>X :passwd_format=sha512:\
>X+ :passwd_modular=$2a$08$:\
>X :copyright=/etc/COPYRIGHT:\
>X :welcome=/etc/motd:\
>X :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
>91dbd97499532c598f33fd04820120bd
>echo x - pam_unix.c.patch
>sed 's/^X//' >pam_unix.c.patch << '9833db6189445b1dfe20e210ed2256ff'
>X--- /usr/src/lib/libpam/modules/pam_unix/pam_unix.c.orig 2013-09-30 10:16:06.000000000 -0400
>X+++ /usr/src/lib/libpam/modules/pam_unix/pam_unix.c 2013-09-30 10:16:35.000000000 -0400
>X@@ -68,8 +68,9 @@
>X #include <security/pam_mod_misc.h>
>X
>X #define PASSWORD_HASH "md5"
>X+#define NOMODULAR "disabled"
>X #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
>X-#define SALTSIZE 32
>X+#define SALTSIZE 64
>X
>X #define LOCKED_PREFIX "*LOCKED*"
>X #define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)
>X@@ -77,6 +78,7 @@
>X static void makesalt(char []);
>X
>X static char password_hash[] = PASSWORD_HASH;
>X+static char password_nomodular[] = NOMODULAR;
>X
>X #define PAM_OPT_LOCAL_PASS "local_pass"
>X #define PAM_OPT_NIS_PASS "nis_pass"
>X@@ -272,7 +274,7 @@
>X char salt[SALTSIZE + 1];
>X login_cap_t *lc;
>X struct passwd *pwd, *old_pwd;
>X- const char *user, *old_pass, *new_pass;
>X+ const char *user, *old_pass, *new_pass, *modular_salt;
>X char *encrypted;
>X time_t passwordtime;
>X int pfd, tfd, retval;
>X@@ -378,9 +380,16 @@
>X return (PAM_BUF_ERR);
>X
>X lc = login_getclass(pwd->pw_class);
>X+
>X+ memset(salt, 0, sizeof(salt));
>X+ modular_salt = login_getcapstr(lc, "passwd_modular", password_nomodular, NULL);
>X+ if (strcmp(modular_salt, password_nomodular) == 0) {
>X if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
>X openpam_log(PAM_LOG_ERROR,
>X "can't set password cipher, relying on
default");
>X+ } else {
>X+ strncpy(salt, modular_salt, sizeof(salt) - 1);
>X+ }
>X
>X /* set password expiry date */
>X pwd->pw_change = 0;
>X@@ -464,13 +473,25 @@
>X makesalt(char salt[SALTSIZE + 1])
>X {
>X int i;
>X+ int remainder;
>X+
>X+ /* If a salt magic has already been set, skip to the free area */
>X+ for (i = 0; i < SALTSIZE; i++) {
>X+ if (salt[i] == '\0') {
>X+ break;
>X+ }
>X+ }
>X
>X /* These are not really random numbers, they are just
>X * numbers that change to thwart construction of a
>X * dictionary.
>X */
>X- for (i = 0; i < SALTSIZE; i += 4)
>X- to64(&salt[i], arc4random(), 4);
>X+ while (i < SALTSIZE) {
>X+ remainder = SALTSIZE - i;
>X+ to64(&salt[i], arc4random(), (remainder < 4 ? remainder : 4) );
>X+ i += 4;
>X+ }
>X+
>X salt[SALTSIZE] = '\0';
>X }
>X
>9833db6189445b1dfe20e210ed2256ff
>exit
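Review bot: `login_getcapstr()` is called with `NULL` as its error-return argument in the `@@ -378,9 +380,16 @@` hunk, so a capability lookup error would hand `NULL` to the `strcmp()` on the next added line and crash the password-change path. Passing the sentinel in both positions, `login_getcapstr(lc, "passwd_modular", password_nomodular, password_nomodular)`, keeps a failed lookup on the existing `passwd_format` branch. In the `else` branch the configured value is copied into `salt` with no check that it is a recognised crypt(3) prefix, and `strncpy` silently truncates anything longer than `SALTSIZE`. The login.conf.5 hunk of this same patch states that an invalid value will likely fall back to DES, so a typo in login.conf would quietly weaken every newly set hash unless the prefix is validated or the mismatch is logged through `openpam_log`. The enclosing function starts and ends outside this hunk, so the later `makesalt()`/`crypt()` calls are not visible here.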
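Review bot: `makesalt()` in the `@@ -464,13 +473,25 @@` hunk now reads `salt` before writing to it, so the buffer must be zeroed or NUL-terminated on entry, yet neither the prototype nor the new comment states that precondition. A caller that passes an uninitialised buffer would have stack bytes kept as a "prefix" and might receive few or no random characters. The same degenerate case arises when the configured prefix is long: if the scan loop stops near `SALTSIZE`, the `while` loop appends little or nothing and every account in that login class ends up with an identical salt. I would state the contract above the scan loop, for example `/* salt must be NUL-terminated on entry; an existing prefix is kept and only the remaining bytes are randomised */`. I would also have the caller reject or log a prefix that leaves fewer random bytes than the chosen crypt(3) format needs; that minimum depends on the format and is not established by this hunk.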
Attachments on
bug 182518
: 137124 |
152839
|
154251
|
154265
|
173187
|
173188