pam/patches/pam-1.1.5-unix-no-fallback.patch

   1 diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml
   2 --- Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback 2011-06-21 11:04:56.000000000 +0200
   3 +++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml     2012-05-09 11:54:34.442036404 +0200
   4 @@ -265,11 +265,10 @@
   5          <listitem>
   6            <para>
   7              When a user changes their password next,
   8 -            encrypt it with the SHA256 algorithm. If the
   9 -            SHA256 algorithm is not known to the <citerefentry>
  10 +            encrypt it with the SHA256 algorithm. The
  11 +            SHA256 algorithm must be supported by the <citerefentry>
  12             <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
  13 -            </citerefentry> function,
  14 -            fall back to MD5.
  15 +            </citerefentry> function.
  16            </para>
  17          </listitem>
  18        </varlistentry>
  19 @@ -280,11 +279,10 @@
  20          <listitem>
  21            <para>
  22              When a user changes their password next,
  23 -            encrypt it with the SHA512 algorithm. If the
  24 -            SHA512 algorithm is not known to the <citerefentry>
  25 +            encrypt it with the SHA512 algorithm. The
  26 +            SHA512 algorithm must be supported by the <citerefentry>
  27             <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
  28 -            </citerefentry> function,
  29 -            fall back to MD5.
  30 +            </citerefentry> function.
  31            </para>
  32          </listitem>
  33        </varlistentry>
  34 @@ -295,11 +293,10 @@
  35          <listitem>
  36            <para>
  37              When a user changes their password next,
  38 -            encrypt it with the blowfish algorithm. If the
  39 -            blowfish algorithm is not known to the <citerefentry>
  40 +            encrypt it with the blowfish algorithm. The
  41 +            blowfish algorithm must be supported by the <citerefentry>
  42             <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
  43 -            </citerefentry> function,
  44 -            fall back to MD5.
  45 +            </citerefentry> function.
  46            </para>
  47          </listitem>
  48        </varlistentry>
  49 diff -up Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.1.5/modules/pam_unix/passverify.c
  50 --- Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback   2012-05-09 11:48:12.409632377 +0200
  51 +++ Linux-PAM-1.1.5/modules/pam_unix/passverify.c       2012-05-09 11:48:36.953172291 +0200
  52 @@ -427,15 +427,14 @@ PAMH_ARG_DECL(char * create_password_has
  53         if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
  54                 /* libxcrypt/libc doesn't know the algorithm, use MD5 */
  55                 pam_syslog(pamh, LOG_ERR,
  56 -                          "Algo %s not supported by the crypto backend, "
  57 -                          "falling back to MD5\n",
  58 +                          "Algo %s not supported by the crypto backend.\n",
  59                            on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
  60                            on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
  61                            on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
  62                 if(sp) {
  63                    memset(sp, '\0', strlen(sp));
  64                 }
  65 -               return crypt_md5_wrapper(password);
  66 +               return NULL;
  67         }
  68
  69         return x_strdup(sp);