Hello,

Here is the patch I would like to get accepted:

 debian/patches/300_SHA_crypt_method                                 |   36 +
 debian/patches/301_manpages_missing_options                         |  197 ++++++++++
 shadow-4.1.1/debian/changelog                                       |   26 +
 shadow-4.1.1/debian/login.defs                                      |   36 +
 shadow-4.1.1/debian/patches/008_su_get_PAM_username                 |   23 -
 shadow-4.1.1/debian/patches/406_vipw_resume_properly                |    2
 shadow-4.1.1/debian/patches/414_remove-unwise-advices               |   10
 shadow-4.1.1/debian/patches/434_login_stop_checking_args_after--    |    4
 shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message     |    2
 shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection |    2
 shadow-4.1.1/debian/patches/series                                  |    2
 11 files changed, 325 insertions(+), 15 deletions(-)
Compared to my previous mail, I added some comments in /etc/login.defs.

300_SHA_crypt_method is the only code change. Other changes are documentation.

Can I upload it?

The full diff is attached.

Thanks in advance,

--
Nekral
diff -u shadow-4.1.1/debian/login.defs shadow-4.1.1/debian/login.defs --- shadow-4.1.1/debian/login.defs +++ shadow-4.1.1/debian/login.defs @@ -176,12 +176,18 @@ # UID_MIN 1000 UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 # # Min/max values for automatic gid selection in groupadd # GID_MIN 100 GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 # # Max number of login retries if password is bad. This will most likely be @@ -266,8 +272,38 @@ # # This variable is used by chpasswd, gpasswd and newusers. # +# This variable is deprecated. You should use ENCRYPT_METHOD. +# #MD5_CRYPT_ENAB no +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + ################# OBSOLETED BY PAM ############## # # # These options are now handled by PAM. Please # diff -u shadow-4.1.1/debian/changelog shadow-4.1.1/debian/changelog --- shadow-4.1.1/debian/changelog +++ shadow-4.1.1/debian/changelog 
@@ -1,3 +1,29 @@ +shadow (1:4.1.1-2) UNRELEASED; urgency=low + + * The "Brie de Meaux" and "Brie de Melun" double cheese release. + * Backported patches from upstream + - debian/patches/300_SHA_crypt_method: + This fixes bugs in the SHA encryption method that force the salt to have + 8 bytes (instead of a random length between 8 and 16 bytes), and force + the number of SHA rounds to be equal to the lowest limit (at least 1000 + SHA rounds). + - debian/patches/301_manpages_missing_options: + This add the missing documentation of options in useradd, groupadd, and + newusers. + * Tag patches already applied upstream + - debian/patches/487_passwd_chauthtok_failed_message + - debian/patches/406_vipw_resume_properly + - debian/patches/008_su_get_PAM_username + - debian/patches/491_configure.in_friendly_selinux_detection + - debian/patches/434_login_stop_checking_args_after-- + - debian/patches/414_remove-unwise-advices + * Added description of new variables in /etc/login.defs: + - SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN, SYS_GID_MAX + - ENCRYPT_METHOD + - SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS + + -- Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]> Wed, 21 May 2008 22:13:49 +0200 + shadow (1:4.1.1-1) unstable; urgency=low * New upstream release. This closes the following bugs: diff -u shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message --- shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message +++ shadow-4.1.1/debian/patches/487_passwd_chauthtok_failed_message @@ -4,7 +4,7 @@ Fixes: #352137 -Status wrt upstream: not forwarded yet +Status wrt upstream: Applied upstream. Index: shadow-4.1.0/libmisc/pam_pass.c =================================================================== diff -u shadow-4.1.1/debian/patches/series shadow-4.1.1/debian/patches/series --- shadow-4.1.1/debian/patches/series +++ shadow-4.1.1/debian/patches/series 
@@ -30,0 +31,2 @@ +300_SHA_crypt_method +301_manpages_missing_options diff -u shadow-4.1.1/debian/patches/406_vipw_resume_properly shadow-4.1.1/debian/patches/406_vipw_resume_properly --- shadow-4.1.1/debian/patches/406_vipw_resume_properly +++ shadow-4.1.1/debian/patches/406_vipw_resume_properly @@ -4,7 +4,7 @@ Author: dean gaudet <[EMAIL PROTECTED]> -Status wrt upstream: should be forwarded +Status wrt upstream: Fixed upstream Index: shadow-4.1.0/src/vipw.c =================================================================== diff -u shadow-4.1.1/debian/patches/008_su_get_PAM_username shadow-4.1.1/debian/patches/008_su_get_PAM_username --- shadow-4.1.1/debian/patches/008_su_get_PAM_username +++ shadow-4.1.1/debian/patches/008_su_get_PAM_username 
@@ -1,9 +1,22 @@ -Goal: ??? +Goal: Retrieve the PAM username in case a module changed the PAM_USER + item. -Notes: - * It still needs more investigation. - I don't know what this patch is used for. IMO, the user name is - already known before calling pam_get_item(pamh, PAM_USER, ...) +According to Linux-PAM_ADG: + * Note, modules can change the values of PAM_USER and PAM_RUSER during + any of the pam_*() library calls. For this reason, the application + should take care to use the pam_get_item() every time it wishes to + establish who the authenticated user is (or will currently be). + +PAM_USER description: + + The username of the entity under whose identity service will be given. That + is, following authentication, PAM_USER identifies the local entity that + gets to use the service. Note, this value can be mapped from something + (eg., "anonymous") to something else (eg. "guest119") by any module in the + PAM stack. As such an application should consult the value of PAM_USER + after each call to a PAM function. + +See also: https://www.redhat.com/archives/pam-list/2008-May/msg00009.html Index: shadow-4.1.0/src/su.c =================================================================== diff -u shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection --- shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection +++ shadow-4.1.1/debian/patches/491_configure.in_friendly_selinux_detection 
@@ -5,7 +5,7 @@ Author: Mike Frysinger <[EMAIL PROTECTED]> -Status wrt upstream: reported by Mike, not applied yet +Status wrt upstream: Fixed upstream. Index: shadow-4.1.0/configure.in =================================================================== diff -u shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- --- shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- +++ shadow-4.1.1/debian/patches/434_login_stop_checking_args_after-- @@ -1,9 +1,7 @@ Goal: terminate argument validation in login when it hits a '--'. Fixes: #66368 -Status wrt upstream: It could certainly be submitted to upstream. - Upstream comment: "Better will be rewrite login - for use getopt_long()." +Status wrt upstream: Applied upstream. Index: shadow-4.1.0/src/login.c =================================================================== diff -u shadow-4.1.1/debian/patches/414_remove-unwise-advices shadow-4.1.1/debian/patches/414_remove-unwise-advices --- shadow-4.1.1/debian/patches/414_remove-unwise-advices +++ shadow-4.1.1/debian/patches/414_remove-unwise-advices @@ -1,7 +1,7 @@ Goal: Remove quite unwise password choice advices in passwd manpage Fixes: #386818 -Status wrt upstream: Forwarded without patch but ignored up to now +Status wrt upstream: Applied upstream Note: 
@@ -9,14 +9,16 @@ =================================================================== --- shadow-4.1.0.orig/man/passwd.1.xml +++ shadow-4.1.0/man/passwd.1.xml -@@ -114,35 +114,9 @@ +@@ -113,36 +113,10 @@ + </para> <para> - Your password must be easily remembered so that you will not be forced +- Your password must be easily remembered so that you will not be forced - to write it on a piece of paper. This can be accomplished by - appending two small words together and separating each with a - special character or digit. For example, Pass%word. -+ to write it on a piece of paper. ++ You can find advices on how to choose a strong password on ++ http://en.wikipedia.org/wiki/Password_strength </para> - <para> only in patch2: unchanged: --- shadow-4.1.1.orig/debian/patches/300_SHA_crypt_method +++ shadow-4.1.1/debian/patches/300_SHA_crypt_method 
@@ -0,0 +1,36 @@ +Goal: Fix bugs in the SHA encryption method that force the salt to have 8 + bytes (instead of a random length between 8 and 16 bytes), and force + the number of SHA rounds to be equal to the lowest limit (at least + 1000 SHA rounds). + +Status wrt upstream: Already applied upstream. + +Index: shadow-4.1.1/libmisc/salt.c +=================================================================== +--- shadow-4.1.1.orig/libmisc/salt.c 2008-02-03 18:23:31.000000000 +0100 ++++ shadow-4.1.1/libmisc/salt.c 2008-05-21 22:24:32.734281067 +0200 +@@ -90,9 +90,10 @@ + */ + static unsigned int SHA_salt_size (void) + { +- double rand_rounds = 9 * random (); +- rand_rounds /= RAND_MAX; +- return 8 + rand_rounds; ++ double rand_size; ++ seedRNG (); ++ rand_size = (double) 9.0 * random () / RAND_MAX; ++ return 8 + rand_size; + } + + /* ! Arguments evaluated twice ! */ +@@ -131,8 +132,8 @@ + if (min_rounds > max_rounds) + max_rounds = min_rounds; + +- srand (time (NULL)); +- rand_rounds = (max_rounds-min_rounds+1) * random (); ++ seedRNG (); ++ rand_rounds = (double) (max_rounds-min_rounds+1.0) * random (); + rand_rounds /= RAND_MAX; + rounds = min_rounds + rand_rounds; + } else if (0 == *prefered_rounds) only in patch2: unchanged: --- shadow-4.1.1.orig/debian/patches/301_manpages_missing_options +++ shadow-4.1.1/debian/patches/301_manpages_missing_options 
@@ -0,0 +1,197 @@ +Goal: Add missing documentation of options in useradd, groupadd and + newusers + +Status wrt upstream: Already applied. + +Index: shadow-4.1.1/man/useradd.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/useradd.8.xml 2008-05-21 22:44:47.654281023 +0200 ++++ shadow-4.1.1/man/useradd.8.xml 2008-05-21 23:04:47.679903645 +0200 +@@ -189,23 +189,25 @@ + </varlistentry> + <varlistentry> + <term> +- <option>-m</option>, <option>--create-home</option> ++ <option>-k</option>, <option>--skel</option> ++ <replaceable>SKEL_DIR</replaceable> + </term> + <listitem> + <para> +- The user's home directory will be created if it does not exist. +- The files contained in <replaceable>SKEL_DIR</replaceable> will +- be copied to the home directory if the <option>-k</option> +- option is used, otherwise the files contained in +- <filename>/etc/skel</filename> will be used instead. Any +- directories contained in <replaceable>SKEL_DIR</replaceable> or +- <filename>/etc/skel</filename> will be created in the user's +- home directory as well. The <option>-k</option> option is only +- valid in conjunction with the <option>-m</option> option. The +- default is to not create the directory and to not copy any +- files. +- This option may not function correctly if the username has a / in it. ++ The skeleton directory, which contains files and directories ++ to be copied in the user's home directory, when the home ++ directory is created by <command>useradd</command>. ++ </para> ++ <para> ++ This option is only valid if the <option>-m</option> (or ++ <option>--create-home</option>) option is specified. + </para> ++ <para> ++ If this option is not set, the skeleton directory is defined ++ in <filename>/etc/default/useradd</filename> or, by default, ++ <filename>/etc/skel</filename>. 
++ </para> ++ <para>This option may not function correctly if the username has a / in it.</para> + </listitem> + </varlistentry> + <varlistentry> +@@ -255,6 +257,22 @@ + </varlistentry> + <varlistentry> + <term> ++ <option>-m</option>, <option>--create-home</option> ++ </term> ++ <listitem> ++ <para> ++ Create the user's home directory if it does not exist. ++ The files and directories contained in the skeleton directory ++ (which can be defined with the <option>-k</option> option) ++ will be copied to the home directory. ++ </para> ++ <para> ++ By default, no home directories are created. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> + <option>-N</option>, <option>--no-user-group</option> + </term> + <listitem> +@@ -295,6 +313,25 @@ + </varlistentry> + <varlistentry> + <term> ++ <option>-r</option>, <option>--system</option> ++ </term> ++ <listitem> ++ <para> ++ Create a system account. ++ </para> ++ <para> ++ System users will be created with no aging information in ++ <filename>/etc/shadow</filename>, and their numeric ++ identifiers are choosen in the ++ <option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option> ++ range, defined in <filename>login.defs</filename>, instead of ++ <option>UID_MIN</option>-<option>UID_MAX</option> (and their ++ <option>GID</option> counterparts for the creation of groups). ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> + <option>-s</option>, <option>--shell</option> + <replaceable>SHELL</replaceable> + </term> +Index: shadow-4.1.1/man/groupadd.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/groupadd.8.xml 2008-02-25 22:14:56.000000000 +0100 ++++ shadow-4.1.1/man/groupadd.8.xml 2008-05-21 22:44:47.702280863 +0200 +@@ -126,6 +126,22 @@ + </para> + </listitem> + </varlistentry> ++ <varlistentry> ++ <term> ++ <option>-r</option>, <option>--system</option> ++ </term> ++ <listitem> ++ <para> ++ Create a system group. 
++ </para> ++ <para> ++ The numeric identifiers of new system groups are choosen in ++ the <option>SYS_GID_MIN</option>-<option>SYS_GID_MAX</option> ++ range, defined in <filename>login.defs</filename>, instead of ++ <option>GID_MIN</option>-<option>GID_MAX</option>. ++ </para> ++ </listitem> ++ </varlistentry> + </variablelist> + </refsect1> + +Index: shadow-4.1.1/man/newusers.8.xml +=================================================================== +--- shadow-4.1.1.orig/man/newusers.8.xml 2008-02-25 22:14:56.000000000 +0100 ++++ shadow-4.1.1/man/newusers.8.xml 2008-05-21 22:44:47.702280863 +0200 +@@ -94,6 +94,68 @@ + </para> + </refsect1> + ++ <refsect1 id='options'> ++ <title>OPTIONS</title> ++ <para>The options which apply to the <command>newusers</command> command are: ++ </para> ++ <variablelist remap='IP'> ++ <varlistentry> ++ <term><option>-c</option>, <option>--crypt-method</option></term> ++ <listitem> ++ <para>Use the specified method to encrypt the passwords.</para> ++ <para> ++ The available methods are DES, MD5, NONE, and SHA256 or SHA512 ++ if your libc support these methods. ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry> ++ <term> ++ <option>-r</option>, <option>--system</option> ++ </term> ++ <listitem> ++ <para> ++ Create a system account. ++ </para> ++ <para> ++ System users will be created with no aging information in ++ <filename>/etc/shadow</filename>, and their numeric ++ identifiers are choosen in the ++ <option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option> ++ range, defined in <filename>login.defs</filename>, instead of ++ <option>UID_MIN</option>-<option>UID_MAX</option> (and their ++ <option>GID</option> counterparts for the creation of groups). ++ </para> ++ </listitem> ++ </varlistentry> ++ <varlistentry condition="sha_crypt"> ++ <term><option>-s</option>, <option>--sha-rounds</option></term> ++ <listitem> ++ <para> ++ Use the specified number of rounds to encrypt the passwords. 
++ </para> ++ <para> ++ The value 0 means that the system will choose the default ++ number of rounds for the crypt method (5000). ++ </para> ++ <para> ++ A minimal value of 1000 and a maximal value of 999,999,999 ++ will be enforced. ++ </para> ++ <para> ++ You can only use this option with the SHA256 or SHA512 ++ crypt method. ++ </para> ++ <para> ++ By default, the number of rounds is defined by the ++ SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in ++ <filename>/etc/login.defs</filename>. ++ </para> ++ </listitem> ++ </varlistentry> ++ </variablelist> ++ </refsect1> ++ + <refsect1 id='caveats'> + <title>CAVEATS</title> + <para>
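Review bot: in the login.defs hunk, the new SHA_CRYPT_*_ROUNDS comment has two grammar slips: `With a lot of rounds, it is more difficult to brute forcing the password.` should read `... to brute-force the password.`, and `But note also that it more CPU resources will be needed` should drop the stray `it`. The two example settings are written `# SHA_CRYPT_MIN_ROUNDS 5000` with a space after the `#`, while every other commented-out setting in the file (`#SYS_UID_MIN 100`, `#ENCRYPT_METHOD DES`) has none; matching that form makes clear they are settings rather than prose. The new ENCRYPT_METHOD block should also say which programs read it: the text just above states that MD5_CRYPT_ENAB "is used by chpasswd, gpasswd and newusers", and the note recommending a value consistent with the PAM modules configuration only helps an administrator who knows that this setting covers those tools and not the PAM-driven passwd(1) path; repeating the "used by" sentence under ENCRYPT_METHOD closes that gap.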
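Review bot: in the changelog hunk, `This add the missing documentation of options in useradd, groupadd, and newusers.` should read `This adds ...`.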
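Review bot: in the 414_remove-unwise-advices hunk, the replacement paragraph `You can find advices on how to choose a strong password on http://en.wikipedia.org/wiki/Password_strength` should use `advice` (uncountable) and `at` rather than `on` before the URL; the `Goal:` line of the same patch header has the same `advices`.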
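Review bot: in the salt.c hunks of 300_SHA_crypt_method, both new expressions, `rand_size = (double) 9.0 * random () / RAND_MAX;` and `rand_rounds = (double) (max_rounds-min_rounds+1.0) * random () / RAND_MAX;`, reach their upper bound when random() returns exactly RAND_MAX, so SHA_salt_size() can return 17 and the round count can become max_rounds + 1, one past the 8..16 and min..max ranges the Goal line promises. Dividing by `(RAND_MAX + 1.0)` in both places keeps the results strictly below 9 and below max_rounds-min_rounds+1. The `(double)` cast on the literal `9.0` is redundant: the literal is already a double, and `9.0 * random ()` is what moves the multiplication into floating point, which is the actual fix over the old integer `9 * random ()`. Both hunks also replace `srand (time (NULL))` with `seedRNG ()`, whose definition is not part of this patch; since the unpredictability of the salt rests entirely on that seed, the seeding routine should be reviewed together with this change.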
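Review bot: in the 301_manpages_missing_options hunk, `choosen` appears three times (useradd -r, groupadd -r, newusers -r) and should be `chosen`; `if your libc support these methods` should read `supports`; and in the -k description, `to be copied in the user's home directory, when the home directory is created by useradd` reads better as `copied into the user's home directory when the home directory is created by useradd`. The -r paragraph is duplicated verbatim between useradd.8.xml and newusers.8.xml, so the spelling fix has to be applied in both files and the two copies kept in sync.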

