Submitted By: Bradley Worley <geekysuavo at gmail dot com>
Date: 2005-10-24
Initial Package Version: 4.0.13
Upstream Status: Not submitted
Origin: http://www.linuxfromscratch.org/patches/downloads/shadow/\
shadow-4.0.7-crypt_blowfish-1.patch
Description: Adds blowfish passwords to shadow. This depends on a blowfish
library. See:
http://www.openwall.com/crypt/
or
http://ftp.suse.com/pub/people/kukuk/pam/libxcrypt/
If you use libxcrypt you need to do:
sed -e 's/lcrypt/lxcrypt/g' -i configure
There's a hint for this patch here:
http://www.linuxfromscratch.org/hints/downloads/files/blowfish-passwords.txt
diff -c -r shadow-4.0.13/config.h.in shadow-4.0.13-1/config.h.in
*** shadow-4.0.13/config.h.in 2005-10-04 12:02:57.000000000 -0500
--- shadow-4.0.13-1/config.h.in 2005-10-24 19:00:23.000000000 -0500
***************
*** 7,12 ****
--- 7,15 ----
/* Path for faillog file. */
#undef FAILLOG_FILE
+ /* Defined if you have crypt blowfish. */
+ #undef HAVE_CRYPT_GENSALT
+
/* Define to the type of elements in the array set by `getgroups'. Usually
this is either `int' or `gid_t'. */
#undef GETGROUPS_T
***************
*** 299,304 ****
--- 302,310 ----
/* Path to passwd program. */
#undef PASSWD_PROGRAM
+ /* Where is /dev/urandom or a /dev/urandom-alike. */
+ #undef RANDOM_FILE
+
/* Define to 1 if the C compiler supports function prototypes. */
#undef PROTOTYPES
diff -c -r shadow-4.0.13/configure shadow-4.0.13-1/configure
*** shadow-4.0.13/configure 2005-09-28 07:46:31.000000000 -0500
--- shadow-4.0.13-1/configure 2005-10-24 19:21:05.000000000 -0500
***************
*** 462,468 ****
# include <unistd.h>
#endif"
! ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME
PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix
program_transform_name bindir sbindir libexecdir datadir sysconfdir
sharedstatedir localstatedir libdir includedir oldincludedir infodir
mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T
LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE
VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP
ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot
AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE
MAINT CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR
am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE
am__fastdepCC_TRUE am__fastdepCC_FALSE LN_S YACC CPP EGREP U ANSI2KNR
build build_cpu build_vendor build_os host host_cpu host_vendor
host_os ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CXX CXXFLAGS ac_ct_CXX
CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CXXCPP F77 FFLAGS
ac_ct_F77 LIBTOOL LIBOBJS XSLTPROC XML_CATALOG_FILE XMLCATALOG
ENABLE_REGENERATE_MAN_TRUE ENABLE_REGENERATE_MAN_FALSE LIBCRYPT
LIBAUDIT LIBCRACK LIBSELINUX LIBPAM LIBSKEY LIBMD MKINSTALLDIRS
USE_NLS MSGFMT GMSGFMT XGETTEXT MSGMERGE INTL_MACOSX_LIBS LIBICONV
LTLIBICONV INTLLIBS LIBINTL LTLIBINTL POSUB LTLIBOBJS'
ac_subst_files=''
# Initialize some variables set by options.
--- 462,468 ----
# include <unistd.h>
#endif"
! ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME
PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix
program_transform_name bindir sbindir libexecdir datadir sysconfdir
sharedstatedir localstatedir libdir includedir oldincludedir infodir
mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T
LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE
VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP
ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot
AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE
MAINT CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR
am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE
am__fastdepCC_TRUE am__fastdepCC_FALSE LN_S YACC CPP EGREP U ANSI2KNR
build build_cpu build_vendor build_os host host_cpu host_vendor
host_os ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CXX CXXFLAGS ac_ct_CXX
CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CXXCPP F77 FFLAGS
ac_ct_F77 LIBTOOL LIBOBJS RANDOM_FILE LIBCRYPT LIBCRACK LIBSKEY LIBMD
LIBSELINUX LIBPAM MKINSTALLDIRS USE_NLS MSGFMT GMSGFMT XGETTEXT
MSGMERGE LIBICONV LTLIBICONV INTLLIBS LIBINTL LTLIBINTL POSUB
LTLIBOBJS'
ac_subst_files=''
# Initialize some variables set by options.
***************
*** 1052,1057 ****
--- 1052,1058 ----
--with-libpam use libpam for PAM support [default=yes if
found]
--with-selinux use SELinux support [default=autodetect]
+ --with-random=FILE read randomness from FILE (default=/dev/urandom)
--with-skey use S/Key support [default=no]
--with-libcrack use libcrack [default=yes if found and if PAM not
enabled]
***************
*** 4521,4527 ****
;;
*-*-irix6*)
# Find out which ABI we are using.
! echo '#line 4524 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
--- 4522,4528 ----
;;
*-*-irix6*)
# Find out which ABI we are using.
! echo '#line 4514 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
***************
*** 5627,5633 ****
# Provide some information about the compiler.
! echo "$as_me:5630:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
--- 5628,5634 ----
# Provide some information about the compiler.
! echo "$as_me:5631:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
***************
*** 23303,23308 ****
--- 23304,23350 ----
with_libcrack=no
fi;
+ # Check whether --with-random or --without-random was given.
+ if test "${with_random+set}" = set; then
+ withval="$with_random"
+ RANDOM_FILE="$withval"
+ else
+
+ echo "$as_me:$LINENO: checking for \"/dev/urandom\"" >&5
+ echo $ECHO_N "checking for \"/dev/urandom\"... $ECHO_C" >&6
+ if test "${ac_cv_file___dev_urandom_+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+ else
+ test "$cross_compiling" = yes &&
+ { { echo "$as_me:$LINENO: error: cannot check for file existence
when cross compiling" >&5
+ echo "$as_me: error: cannot check for file existence when cross
compiling" >&2;}
+ { (exit 1); exit 1; }; }
+ if test -r ""/dev/urandom""; then
+ ac_cv_file___dev_urandom_=yes
+ else
+ ac_cv_file___dev_urandom_=no
+ fi
+ fi
+ echo "$as_me:$LINENO: result: $ac_cv_file___dev_urandom_" >&5
+ echo "${ECHO_T}$ac_cv_file___dev_urandom_" >&6
+ if test $ac_cv_file___dev_urandom_ = yes; then
+
+ RANDOM_FILE="/dev/urandom";
+
+
+ fi
+
+
+
+ fi;
+ if test -n "$RANDOM_FILE" ; then
+
+ cat >>confdefs.h <<_ACEOF
+ #define RANDOM_FILE "$RANDOM_FILE"
+ _ACEOF
+
+ fi
+
echo "$as_me:$LINENO: checking for library containing inet_ntoa" >&5
echo $ECHO_N "checking for library containing inet_ntoa... $ECHO_C" >&6
***************
*** 23929,23934 ****
--- 23971,24046 ----
{ (exit 1); exit 1; }; }
fi
+ echo "$as_me:$LINENO: checking for crypt_gensalt in -lcrypt" >&5
+ echo $ECHO_N "checking for crypt_gensalt in -lcrypt... $ECHO_C" >&6
+ if test "${ac_cv_lib_crypt_crypt_gensalt+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+ else
+ ac_check_lib_save_LIBS=$LIBS
+ LIBS="-lcrypt $LIBS"
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+ _ACEOF
+ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+
+ /* Override any gcc2 internal prototype to avoid an error. */
+ #ifdef __cplusplus
+ extern "C"
+ #endif
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char crypt_gensalt ();
+ int
+ main ()
+ {
+ crypt_gensalt ();
+ ;
+ return 0;
+ }
+ _ACEOF
+ rm -f conftest.$ac_objext conftest$ac_exeext
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_crypt_crypt_gensalt=yes
+ else
+ echo "$as_me: failed program was:" >&5
+ sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_crypt_crypt_gensalt=no
+ fi
+ rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LIBS=$ac_check_lib_save_LIBS
+ fi
+ echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt_gensalt" >&5
+ echo "${ECHO_T}$ac_cv_lib_crypt_crypt_gensalt" >&6
+ if test $ac_cv_lib_crypt_crypt_gensalt = yes; then
+ cat >>confdefs.h <<\_ACEOF
+ #define HAVE_CRYPT_GENSALT 1
+ _ACEOF
+
+ fi
if test "$with_audit" = "yes"; then
***************
*** 27568,27573 ****
--- 27680,27686 ----
s,@ac_ct_F77@,$ac_ct_F77,;t t
s,@LIBTOOL@,$LIBTOOL,;t t
s,@LIBOBJS@,$LIBOBJS,;t t
+ s,@RANDOM_FILE@,$RANDOM_FILE,;t t
s,@XSLTPROC@,$XSLTPROC,;t t
s,@XML_CATALOG_FILE@,$XML_CATALOG_FILE,;t t
s,@XMLCATALOG@,$XMLCATALOG,;t t
diff -c -r shadow-4.0.13/etc/login.defs shadow-4.0.13-1/etc/login.defs
*** shadow-4.0.13/etc/login.defs 2005-09-01 14:57:45.000000000 -0500
--- shadow-4.0.13-1/etc/login.defs 2005-10-24 19:25:44.000000000 -0500
***************
*** 242,254 ****
PASS_ALWAYS_WARN yes
#
- # Number of significant characters in the password for crypt().
- # Default is 8, don't change unless your crypt() is better.
- # Ignored if MD5_CRYPT_ENAB set to "yes".
- #
- #PASS_MAX_LEN 8
-
- #
# Require password before chfn/chsh can make any changes.
#
CHFN_AUTH yes
--- 242,247 ----
***************
*** 268,282 ****
# to use the default which is just "Password: ".
#LOGIN_STRING "%s's Password: "
#
! # Only works if compiled with MD5_CRYPT defined:
! # If set to "yes", new passwords will be encrypted using the MD5-based
! # algorithm compatible with the one used by recent releases of FreeBSD.
! # It supports passwords of unlimited length and longer salt strings.
! # Set to "no" if you need to copy encrypted passwords to other systems
! # which don't understand the new algorithm. Default is "no".
#
! #MD5_CRYPT_ENAB no
#
# List of groups to add to the user's supplementary group set
--- 261,321 ----
# to use the default which is just "Password: ".
#LOGIN_STRING "%s's Password: "
+ # Each password entry contains a prefix that specifies the hashing algorithm
+ # used to create the remaining characters/bytes. Use this setting to specify
+ # which hashing algorithm is used to create new passwords.
+ #
+ # The default here is to use the Blowfish-based algorithm, (which currently
+ # requires you to be running a patched version of glibc). To use the slightly
+ # more compatible MD5-based algorithm, you would set this to $1$. To be
+ # completely backwards compatible and use the traditional DES-based hashing,
+ # you should set this value to an empty string, but be warned, passwords using
+ # this algorithm offer very little security.
+ #
+ CRYPT_PREFIX "$2a$"
+
+ # For hashing algorithms that can alter their complexity, use this setting to
+ # achieve a balance between the security of the password and
performance on the
+ # host system.
+ #
+ # This value is interpreted by each algorithm in specific ways. With the
+ # Blowfish algorithm, it specifies the number of rounds as a base-2 logarithm
+ # of the actual iteration count, so 12 actually refers to 2^12. Altering the
+ # value to 11 would therefore halve the number of iterations used to 2^11.
+ #
+ # Make sure that if you alter the above setting, this setting is also
+ # appropriate. For algorithms that have fixed iteration counts, or to
+ # enforce the use of a low default value, use a setting of 0.
+ #
+ CRYPT_ROUNDS 12
+
+ #
+ # All algorithms require varying amounts of random bytes known as salt. For
+ # example the DES-based algorithm requires only 12-bits, (1½ bytes), whereas
+ # the Blowfish-based algorithm requires 128-bits, (16 bytes).
+ #
+ # If an algorithm doesn't receive enough salt, more will be collected from
+ # /dev/urandom, a byte at a time until it's satisfied. If you know how much
+ # is enough to satisfy even the most hungry of algorithms locally available,
+ # setting it here will speed up the generation of passwords.
+ #
+ # A maximum is also provided to enforce an upper limit on this to prevent a
+ # wayward algorithm munching all the randomness unnecessarily.
+ #
+ CRYPT_MINSALT 16
+ CRYPT_MAXSALT 32
+
+ #
+ # Number of significant characters in the password for crypt(). MD5 can
+ # effectively cope with unlimited length passwords, but a limit of ~127 is
+ # reasonable. Blowfish can handle up to 72 characters, and the DES algorithm
+ # can only handle 8.
#
! # This setting is used in some of the obscure checks, and also to inform the
! # user on how big their new password should be, so it should be set in
! # accordance to the choice of algorithm.
#
! PASS_MAX_LEN 72
#
# List of groups to add to the user's supplementary group set
diff -c -r shadow-4.0.13/lib/getdef.c shadow-4.0.13-1/lib/getdef.c
*** shadow-4.0.13/lib/getdef.c 2005-08-31 12:24:56.000000000 -0500
--- shadow-4.0.13-1/lib/getdef.c 2005-10-24 19:28:37.000000000 -0500
***************
*** 51,56 ****
--- 51,62 ----
{"CONSOLE_GROUPS", NULL},
{"CONSOLE", NULL},
{"CREATE_HOME", NULL},
+ #ifdef HAVE_CRYPT_GENSALT
+ { "CRYPT_MAXSALT", NULL },
+ { "CRYPT_MINSALT", NULL },
+ { "CRYPT_PREFIX", NULL },
+ { "CRYPT_ROUNDS", NULL },
+ #endif /* HAVE_CRYPT_GENSALT */
{"DEFAULT_HOME", NULL},
{"ENV_PATH", NULL},
{"ENV_SUPATH", NULL},
***************
*** 94,100 ****
{"LOGIN_STRING", NULL},
{"MAIL_CHECK_ENAB", NULL},
{"MAIL_FILE", NULL},
! {"MD5_CRYPT_ENAB", NULL},
{"MOTD_FILE", NULL},
{"NOLOGINS_FILE", NULL},
{"OBSCURE_CHECKS_ENAB", NULL},
--- 100,108 ----
{"LOGIN_STRING", NULL},
{"MAIL_CHECK_ENAB", NULL},
{"MAIL_FILE", NULL},
! #ifndef HAVE_CRYPT_GENSALT
! { "MD5_CRYPT_ENAB", NULL },
! #endif /* ! HAVE_CRYPT_GENSALT */
{"MOTD_FILE", NULL},
{"NOLOGINS_FILE", NULL},
{"OBSCURE_CHECKS_ENAB", NULL},
diff -c -r shadow-4.0.13/libmisc/obscure.c shadow-4.0.13-1/libmisc/obscure.c
*** shadow-4.0.13/libmisc/obscure.c 2005-08-31 12:24:57.000000000 -0500
--- shadow-4.0.13-1/libmisc/obscure.c 2005-10-24 19:30:46.000000000 -0500
***************
*** 233,240 ****
--- 233,242 ----
Example: "password$%^&*123". So check it again, this time
truncated to the maximum length. Idea from npasswd. --marekm */
+ #ifndef HAVE_CRYPT_GENSALT
if (getdef_bool ("MD5_CRYPT_ENAB"))
return NULL; /* unlimited password length */
+ #endif
maxlen = getdef_num ("PASS_MAX_LEN", 8);
if (oldlen <= maxlen && newlen <= maxlen)
diff -c -r shadow-4.0.13/libmisc/salt.c shadow-4.0.13-1/libmisc/salt.c
*** shadow-4.0.13/libmisc/salt.c 2005-08-31 12:24:58.000000000 -0500
--- shadow-4.0.13-1/libmisc/salt.c 2005-10-24 19:44:23.000000000 -0500
***************
*** 3,15 ****
--- 3,108 ----
*
* Written by Marek Michalkiewicz <[EMAIL PROTECTED]>,
* public domain.
+ *
+ * Broken by Matt Dainty <[EMAIL PROTECTED]>
*/
+ #define _OW_SOURCE
+
#include <config.h>
#ident "$Id: salt.c,v 1.10 2005/08/31 17:24:58 kloczek Exp $"
#include <sys/time.h>
+ #ifdef HAVE_CRYPT_GENSALT
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <crypt.h>
+ #include "getdef.h"
+
+ /* Soopa-doopa salt generation function. There isn't anything algorithm
+ * specific in here, although it does require the Openwall-patched glibc to
+ * provide the crypt_gensalt() function, as well as make use of Blowfish-based
+ * hashing.
+ *
+ * All parameters can be customised from the /etc/login.defs file
+ *
+ * Written by Matt Dainty <[EMAIL PROTECTED]>
+ */
+ char *
+ crypt_make_salt(void)
+ {
+ char *result, *salt;
+ int fd, offset, minsalt, maxsalt, count;
+
+ minsalt = getdef_num( "CRYPT_MINSALT", 16 );
+ maxsalt = getdef_num( "CRYPT_MAXSALT", 32 );
+
+ if( minsalt > maxsalt ) {
+ fprintf( stderr, "Check the CRYPT_MINSALT and CRYPT_MAXSALT
settings!\n" );
+ exit(1);
+ }
+
+ if( ( salt = ( char * ) malloc( maxsalt ) ) == NULL ) {
+ fprintf( stderr, "Can't allocate %d bytes of memory\n", maxsalt
);
+ exit(1);
+ }
+
+ if( ( fd = open( RANDOM_FILE, O_RDONLY ) ) < 0 ) {
+ fprintf( stderr, "Can't open %s for reading\n", RANDOM_FILE );
+ free( salt );
+ exit(1);
+ }
+
+ offset = 0;
+ result = NULL;
+
+ while( !result ) {
+ while( offset < minsalt ) {
+ count = read( fd, &salt[offset], minsalt - offset );
+ if( count <= 0 ) {
+ if( errno == EINTR )
+ continue;
+ goto finish;
+ }
+ offset += count;
+ }
+ result = crypt_gensalt( getdef_str( "CRYPT_PREFIX" ),
+ getdef_num( "CRYPT_ROUNDS", 0 ),
+ salt, minsalt );
+
+ if( !result && errno == EINVAL ) {
+ if( minsalt < maxsalt ) {
+ minsalt++;
+ } else {
+ fprintf( stderr, "CRYPT_PREFIX or CRYPT_ROUNDS is
set incorrectly\n" );
+ goto finish;
+ }
+ }
+ }
+
+ finish:
+ if( salt )
+ free( salt );
+ if( fd )
+ close( fd );
+
+ /* XXX If we return the salt string as NULL, crypt will currently
+ * segfault, so if have we a NULL salt string, exit here.
+ * Otherwise, every invocation of crypt_make_salt() will have to
+ * check for a NULL return value.
+ *
+ * This way, I don't muck up any more code! :-)
+ */
+ if( result )
+ return result;
+
+ exit(1);
+ }
+ #elif 1 /* HAVE_CRYPT_GENSALT */
+
#include <stdlib.h>
#include "prototypes.h"
#include "defines.h"
***************
*** 44,46 ****
--- 137,140 ----
return result;
}
+ #endif
\ No newline at end of file
diff -c -r shadow-4.0.13/src/passwd.c shadow-4.0.13-1/src/passwd.c
*** shadow-4.0.13/src/passwd.c 2005-09-15 11:44:13.000000000 -0500
--- shadow-4.0.13-1/src/passwd.c 2005-10-24 19:36:20.000000000 -0500
***************
*** 236,244 ****
--- 236,246 ----
* for strength, unless it is the root user. This provides an escape
* for initial login passwords.
*/
+ #ifndef HAVE_CRYPT_GENSALT
if (getdef_bool ("MD5_CRYPT_ENAB"))
pass_max_len = 127;
else
+ #endif
pass_max_len = getdef_num ("PASS_MAX_LEN", 8);
if (!qflg)
