Submitted By: Bradley Worley <geekysuavo at gmail dot com> Date: 2005-10-24 Initial Package Version: 4.0.13 Upstream Status: Not submitted Origin: http://www.linuxfromscratch.org/patches/downloads/shadow/\ shadow-4.0.7-crypt_blowfish-1.patch Description: Adds blowfish passwords to shadow. This depends on a blowfish library. See: http://www.openwall.com/crypt/ or http://ftp.suse.com/pub/people/kukuk/pam/libxcrypt/
If you use libxcrypt you need to do: sed -e 's/lcrypt/lxcrypt/g' -i configure There's a hint for this patch here: http://www.linuxfromscratch.org/hints/downloads/files/blowfish-passwords.txt diff -c -r shadow-4.0.13/config.h.in shadow-4.0.13-1/config.h.in *** shadow-4.0.13/config.h.in 2005-10-04 12:02:57.000000000 -0500 --- shadow-4.0.13-1/config.h.in 2005-10-24 19:00:23.000000000 -0500 *************** *** 7,12 **** --- 7,15 ---- /* Path for faillog file. */ #undef FAILLOG_FILE + /* Defined if you have crypt blowfish. */ + #undef HAVE_CRYPT_GENSALT + /* Define to the type of elements in the array set by `getgroups'. Usually this is either `int' or `gid_t'. */ #undef GETGROUPS_T *************** *** 299,304 **** --- 302,310 ---- /* Path to passwd program. */ #undef PASSWD_PROGRAM + /* Where is /dev/urandom or a /dev/urandom-alike. */ + #undef RANDOM_FILE + /* Define to 1 if the C compiler supports function prototypes. */ #undef PROTOTYPES diff -c -r shadow-4.0.13/configure shadow-4.0.13-1/configure *** shadow-4.0.13/configure 2005-09-28 07:46:31.000000000 -0500 --- shadow-4.0.13-1/configure 2005-10-24 19:21:05.000000000 -0500 *************** *** 462,468 **** # include <unistd.h> #endif" ! 
ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE LN_S YACC CPP EGREP U ANSI2KNR build build_cpu build_vendor build_os host host_cpu host_vendor host_os ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CXX CXXFLAGS ac_ct_CXX CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS XSLTPROC XML_CATALOG_FILE XMLCATALOG ENABLE_REGENERATE_MAN_TRUE ENABLE_REGENERATE_MAN_FALSE LIBCRYPT LIBAUDIT LIBCRACK LIBSELINUX LIBPAM LIBSKEY LIBMD MKINSTALLDIRS USE_NLS MSGFMT GMSGFMT XGETTEXT MSGMERGE INTL_MACOSX_LIBS LIBICONV LTLIBICONV INTLLIBS LIBINTL LTLIBINTL POSUB LTLIBOBJS' ac_subst_files='' # Initialize some variables set by options. --- 462,468 ---- # include <unistd.h> #endif" ! 
ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE LN_S YACC CPP EGREP U ANSI2KNR build build_cpu build_vendor build_os host host_cpu host_vendor host_os ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CXX CXXFLAGS ac_ct_CXX CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS RANDOM_FILE LIBCRYPT LIBCRACK LIBSKEY LIBMD LIBSELINUX LIBPAM MKINSTALLDIRS USE_NLS MSGFMT GMSGFMT XGETTEXT MSGMERGE LIBICONV LTLIBICONV INTLLIBS LIBINTL LTLIBINTL POSUB LTLIBOBJS' ac_subst_files='' # Initialize some variables set by options. *************** *** 1052,1057 **** --- 1052,1058 ---- --with-libpam use libpam for PAM support [default=yes if found] --with-selinux use SELinux support [default=autodetect] + --with-random=FILE read randomness from FILE (default=/dev/urandom) --with-skey use S/Key support [default=no] --with-libcrack use libcrack [default=yes if found and if PAM not enabled] *************** *** 4521,4527 **** ;; *-*-irix6*) # Find out which ABI we are using. ! echo '#line 4524 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? --- 4522,4528 ---- ;; *-*-irix6*) # Find out which ABI we are using. ! 
echo '#line 4514 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? *************** *** 5627,5633 **** # Provide some information about the compiler. ! echo "$as_me:5630:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5 --- 5628,5634 ---- # Provide some information about the compiler. ! echo "$as_me:5631:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5 *************** *** 23303,23308 **** --- 23304,23350 ---- with_libcrack=no fi; + # Check whether --with-random or --without-random was given. + if test "${with_random+set}" = set; then + withval="$with_random" + RANDOM_FILE="$withval" + else + + echo "$as_me:$LINENO: checking for \"/dev/urandom\"" >&5 + echo $ECHO_N "checking for \"/dev/urandom\"... $ECHO_C" >&6 + if test "${ac_cv_file___dev_urandom_+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 + else + test "$cross_compiling" = yes && + { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5 + echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} + { (exit 1); exit 1; }; } + if test -r ""/dev/urandom""; then + ac_cv_file___dev_urandom_=yes + else + ac_cv_file___dev_urandom_=no + fi + fi + echo "$as_me:$LINENO: result: $ac_cv_file___dev_urandom_" >&5 + echo "${ECHO_T}$ac_cv_file___dev_urandom_" >&6 + if test $ac_cv_file___dev_urandom_ = yes; then + + RANDOM_FILE="/dev/urandom"; + + + fi + + + + fi; + if test -n "$RANDOM_FILE" ; then + + cat >>confdefs.h <<_ACEOF + #define RANDOM_FILE "$RANDOM_FILE" + _ACEOF + + fi + echo "$as_me:$LINENO: checking for library containing inet_ntoa" >&5 echo $ECHO_N "checking for library containing inet_ntoa... 
$ECHO_C" >&6 *************** *** 23929,23934 **** --- 23971,24046 ---- { (exit 1); exit 1; }; } fi + echo "$as_me:$LINENO: checking for crypt_gensalt in -lcrypt" >&5 + echo $ECHO_N "checking for crypt_gensalt in -lcrypt... $ECHO_C" >&6 + if test "${ac_cv_lib_crypt_crypt_gensalt+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 + else + ac_check_lib_save_LIBS=$LIBS + LIBS="-lcrypt $LIBS" + cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ + _ACEOF + cat confdefs.h >>conftest.$ac_ext + cat >>conftest.$ac_ext <<_ACEOF + /* end confdefs.h. */ + + /* Override any gcc2 internal prototype to avoid an error. */ + #ifdef __cplusplus + extern "C" + #endif + /* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ + char crypt_gensalt (); + int + main () + { + crypt_gensalt (); + ; + return 0; + } + _ACEOF + rm -f conftest.$ac_objext conftest$ac_exeext + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_crypt_crypt_gensalt=yes + else + echo "$as_me: failed program was:" >&5 + sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_crypt_crypt_gensalt=no + fi + rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS=$ac_check_lib_save_LIBS + fi + echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt_gensalt" >&5 + echo "${ECHO_T}$ac_cv_lib_crypt_crypt_gensalt" >&6 + if test $ac_cv_lib_crypt_crypt_gensalt = yes; then + cat >>confdefs.h <<\_ACEOF + #define HAVE_CRYPT_GENSALT 1 + _ACEOF + + fi if test "$with_audit" = "yes"; then *************** *** 27568,27573 **** --- 27680,27686 ---- s,@ac_ct_F77@,$ac_ct_F77,;t t s,@LIBTOOL@,$LIBTOOL,;t t s,@LIBOBJS@,$LIBOBJS,;t t + s,@RANDOM_FILE@,$RANDOM_FILE,;t t s,@XSLTPROC@,$XSLTPROC,;t t s,@XML_CATALOG_FILE@,$XML_CATALOG_FILE,;t t s,@XMLCATALOG@,$XMLCATALOG,;t t diff -c -r shadow-4.0.13/etc/login.defs shadow-4.0.13-1/etc/login.defs *** shadow-4.0.13/etc/login.defs 2005-09-01 14:57:45.000000000 -0500 --- shadow-4.0.13-1/etc/login.defs 2005-10-24 19:25:44.000000000 -0500 *************** *** 242,254 **** PASS_ALWAYS_WARN yes # - # Number of significant characters in the password for crypt(). - # Default is 8, don't change unless your crypt() is better. - # Ignored if MD5_CRYPT_ENAB set to "yes". - # - #PASS_MAX_LEN 8 - - # # Require password before chfn/chsh can make any changes. # CHFN_AUTH yes --- 242,247 ---- *************** *** 268,282 **** # to use the default which is just "Password: ". #LOGIN_STRING "%s's Password: " # ! # Only works if compiled with MD5_CRYPT defined: ! # If set to "yes", new passwords will be encrypted using the MD5-based ! # algorithm compatible with the one used by recent releases of FreeBSD. ! # It supports passwords of unlimited length and longer salt strings. ! # Set to "no" if you need to copy encrypted passwords to other systems ! # which don't understand the new algorithm. Default is "no". # ! 
#MD5_CRYPT_ENAB no # # List of groups to add to the user's supplementary group set --- 261,321 ---- # to use the default which is just "Password: ". #LOGIN_STRING "%s's Password: " + # Each password entry contains a prefix that specifies the hashing algorithm + # used to create the remaining characters/bytes. Use this setting to specify + # which hashing algorithm is used to create new passwords. + # + # The default here is to use the Blowfish-based algorithm, (which currently + # requires you to be running a patched version of glibc). To use the slightly + # more compatible MD5-based algorithm, you would set this to $1$. To be + # completely backwards compatible and use the traditional DES-based hashing, + # you should set this value to an empty string, but be warned, passwords using + # this algorithm offer very little security. + # + CRYPT_PREFIX "$2a$" + + # For hashing algorithms that can alter their complexity, use this setting to + # achieve a balance between the security of the password and performance on the + # host system. + # + # This value is interpreted by each algorithm in specific ways. With the + # Blowfish algorithm, it specifies the number of rounds as a base-2 logarithm + # of the actual iteration count, so 12 actually refers to 2^12. Altering the + # value to 11 would therefore halve the number of iterations used to 2^11. + # + # Make sure that if you alter the above setting, this setting is also + # appropriate. For algorithms that have fixed iteration counts, or to + # enforce the use of a low default value, use a setting of 0. + # + CRYPT_ROUNDS 12 + + # + # All algorithms require varying amounts of random bytes known as salt. For + # example the DES-based algorithm requires only 12-bits, (1½ bytes), whereas + # the Blowfish-based algorithm requires 128-bits, (16 bytes). + # + # If an algorithm doesn't receive enough salt, more will be collected from + # /dev/urandom, a byte at a time until it's satisfied. 
If you know how much + # is enough to satisfy even the most hungry of algorithms locally available, + # setting it here will speed up the generation of passwords. + # + # A maximum is also provided to enforce an upper limit on this to prevent a + # wayward algorithm munching all the randomness unnecessarily. + # + CRYPT_MINSALT 16 + CRYPT_MAXSALT 32 + + # + # Number of significant characters in the password for crypt(). MD5 can + # effectively cope with unlimited length passwords, but a limit of ~127 is + # reasonable. Blowfish can handle up to 72 characters, and the DES algorithm + # can only handle 8. # ! # This setting is used in some of the obscure checks, and also to inform the ! # user on how big their new password should be, so it should be set in ! # accordance to the choice of algorithm. # ! PASS_MAX_LEN 72 # # List of groups to add to the user's supplementary group set diff -c -r shadow-4.0.13/lib/getdef.c shadow-4.0.13-1/lib/getdef.c *** shadow-4.0.13/lib/getdef.c 2005-08-31 12:24:56.000000000 -0500 --- shadow-4.0.13-1/lib/getdef.c 2005-10-24 19:28:37.000000000 -0500 *************** *** 51,56 **** --- 51,62 ---- {"CONSOLE_GROUPS", NULL}, {"CONSOLE", NULL}, {"CREATE_HOME", NULL}, + #ifdef HAVE_CRYPT_GENSALT + { "CRYPT_MAXSALT", NULL }, + { "CRYPT_MINSALT", NULL }, + { "CRYPT_PREFIX", NULL }, + { "CRYPT_ROUNDS", NULL }, + #endif /* HAVE_CRYPT_GENSALT */ {"DEFAULT_HOME", NULL}, {"ENV_PATH", NULL}, {"ENV_SUPATH", NULL}, *************** *** 94,100 **** {"LOGIN_STRING", NULL}, {"MAIL_CHECK_ENAB", NULL}, {"MAIL_FILE", NULL}, ! {"MD5_CRYPT_ENAB", NULL}, {"MOTD_FILE", NULL}, {"NOLOGINS_FILE", NULL}, {"OBSCURE_CHECKS_ENAB", NULL}, --- 100,108 ---- {"LOGIN_STRING", NULL}, {"MAIL_CHECK_ENAB", NULL}, {"MAIL_FILE", NULL}, ! #ifndef HAVE_CRYPT_GENSALT ! { "MD5_CRYPT_ENAB", NULL }, ! #endif /* ! 
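Review bot: The documentation for MD5_CRYPT_ENAB is dropped from this hunk even though lib/getdef.c in the same patch still reads that key in builds without HAVE_CRYPT_GENSALT, so those builds lose the only description of it and the `#MD5_CRYPT_ENAB no` example. Conversely CRYPT_PREFIX, CRYPT_ROUNDS, CRYPT_MINSALT and CRYPT_MAXSALT are set unconditionally here but are only registered in getdef.c under HAVE_CRYPT_GENSALT, so on a non-bcrypt build they are unknown keys. Suggest keeping the old MD5 block, commented, and adding a line such as `# The CRYPT_* settings below are only honoured when shadow was built against a crypt_gensalt()-capable libcrypt; otherwise MD5_CRYPT_ENAB applies.` The salt comment also names /dev/urandom literally although configure's --with-random=FILE can point RANDOM_FILE elsewhere.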
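Review bot: The four new CRYPT_* entries are written `{ "CRYPT_MAXSALT", NULL },` with inner spaces while every neighbouring entry in the table is written `{"CREATE_HOME", NULL},`; the rewritten MD5_CRYPT_ENAB line in the next hunk has the same difference. Matching the table's existing form keeps grep and future diffs against this table clean.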
HAVE_CRYPT_GENSALT */ {"MOTD_FILE", NULL}, {"NOLOGINS_FILE", NULL}, {"OBSCURE_CHECKS_ENAB", NULL}, diff -c -r shadow-4.0.13/libmisc/obscure.c shadow-4.0.13-1/libmisc/obscure.c *** shadow-4.0.13/libmisc/obscure.c 2005-08-31 12:24:57.000000000 -0500 --- shadow-4.0.13-1/libmisc/obscure.c 2005-10-24 19:30:46.000000000 -0500 *************** *** 233,240 **** --- 233,242 ---- Example: "password$%^&*123". So check it again, this time truncated to the maximum length. Idea from npasswd. --marekm */ + #ifndef HAVE_CRYPT_GENSALT if (getdef_bool ("MD5_CRYPT_ENAB")) return NULL; /* unlimited password length */ + #endif maxlen = getdef_num ("PASS_MAX_LEN", 8); if (oldlen <= maxlen && newlen <= maxlen) diff -c -r shadow-4.0.13/libmisc/salt.c shadow-4.0.13-1/libmisc/salt.c *** shadow-4.0.13/libmisc/salt.c 2005-08-31 12:24:58.000000000 -0500 --- shadow-4.0.13-1/libmisc/salt.c 2005-10-24 19:44:23.000000000 -0500 *************** *** 3,15 **** --- 3,108 ---- * * Written by Marek Michalkiewicz <[EMAIL PROTECTED]>, * public domain. + * + * Broken by Matt Dainty <[EMAIL PROTECTED]> */ + #define _OW_SOURCE + #include <config.h> #ident "$Id: salt.c,v 1.10 2005/08/31 17:24:58 kloczek Exp $" #include <sys/time.h> + #ifdef HAVE_CRYPT_GENSALT + #include <errno.h> + #include <sys/types.h> + #include <sys/stat.h> + #include <fcntl.h> + #include <crypt.h> + #include "getdef.h" + + /* Soopa-doopa salt generation function. There isn't anything algorithm + * specific in here, although it does require the Openwall-patched glibc to + * provide the crypt_gensalt() function, as well as make use of Blowfish-based + * hashing. 
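Review bot: With HAVE_CRYPT_GENSALT the early return for MD5_CRYPT_ENAB is compiled out, so when PASS_MAX_LEN is missing from login.defs the fallback `maxlen = getdef_num ("PASS_MAX_LEN", 8);` truncates the checked password to 8 characters even though the patch's default prefix is bcrypt, which the login.defs comment says accepts 72; the same `getdef_num ("PASS_MAX_LEN", 8)` fallback is kept in src/passwd.c later in this patch. Under HAVE_CRYPT_GENSALT the default should follow the configured algorithm, e.g. `maxlen = getdef_num ("PASS_MAX_LEN", 72);` or a value derived from CRYPT_PREFIX, with a comment saying why. The enclosing function starts and ends outside the hunk.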
+ * + * All parameters can be customised from the /etc/login.defs file + * + * Written by Matt Dainty <[EMAIL PROTECTED]> + */ + char * + crypt_make_salt(void) + { + char *result, *salt; + int fd, offset, minsalt, maxsalt, count; + + minsalt = getdef_num( "CRYPT_MINSALT", 16 ); + maxsalt = getdef_num( "CRYPT_MAXSALT", 32 ); + + if( minsalt > maxsalt ) { + fprintf( stderr, "Check the CRYPT_MINSALT and CRYPT_MAXSALT settings!\n" ); + exit(1); + } + + if( ( salt = ( char * ) malloc( maxsalt ) ) == NULL ) { + fprintf( stderr, "Can't allocate %d bytes of memory\n", maxsalt ); + exit(1); + } + + if( ( fd = open( RANDOM_FILE, O_RDONLY ) ) < 0 ) { + fprintf( stderr, "Can't open %s for reading\n", RANDOM_FILE ); + free( salt ); + exit(1); + } + + offset = 0; + result = NULL; + + while( !result ) { + while( offset < minsalt ) { + count = read( fd, &salt[offset], minsalt - offset ); + if( count <= 0 ) { + if( errno == EINTR ) + continue; + goto finish; + } + offset += count; + } + result = crypt_gensalt( getdef_str( "CRYPT_PREFIX" ), + getdef_num( "CRYPT_ROUNDS", 0 ), + salt, minsalt ); + + if( !result && errno == EINVAL ) { + if( minsalt < maxsalt ) { + minsalt++; + } else { + fprintf( stderr, "CRYPT_PREFIX or CRYPT_ROUNDS is set incorrectly\n" ); + goto finish; + } + } + } + + finish: + if( salt ) + free( salt ); + if( fd ) + close( fd ); + + /* XXX If we return the salt string as NULL, crypt will currently + * segfault, so if have we a NULL salt string, exit here. + * Otherwise, every invocation of crypt_make_salt() will have to + * check for a NULL return value. + * + * This way, I don't muck up any more code! 
:-) + */ + if( result ) + return result; + + exit(1); + } + #elif 1 /* HAVE_CRYPT_GENSALT */ + #include <stdlib.h> #include "prototypes.h" #include "defines.h" *************** *** 44,46 **** --- 137,140 ---- return result; } + #endif \ No newline at end of file diff -c -r shadow-4.0.13/src/passwd.c shadow-4.0.13-1/src/passwd.c *** shadow-4.0.13/src/passwd.c 2005-09-15 11:44:13.000000000 -0500 --- shadow-4.0.13-1/src/passwd.c 2005-10-24 19:36:20.000000000 -0500 *************** *** 236,244 **** --- 236,246 ---- * for strength, unless it is the root user. This provides an escape * for initial login passwords. */ + #ifndef HAVE_CRYPT_GENSALT if (getdef_bool ("MD5_CRYPT_ENAB")) pass_max_len = 127; else + #endif pass_max_len = getdef_num ("PASS_MAX_LEN", 8); if (!qflg) -- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
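Review bot: In crypt_make_salt, when crypt_gensalt() returns NULL with errno other than EINVAL nothing in the `while( !result )` body changes, so the loop calls it again with identical arguments forever; add `if( !result && errno != EINVAL ) goto finish;` before the EINVAL branch (or turn that branch's missing else into `goto finish`). The sanity check only rejects `minsalt > maxsalt`, so a zero or negative CRYPT_MINSALT/CRYPT_MAXSALT from login.defs reaches `malloc( maxsalt )` and the read loop — tighten it to `if( minsalt <= 0 || minsalt > maxsalt )` — and if getdef_str( "CRYPT_PREFIX" ) yields NULL for an unset key, that NULL goes straight into crypt_gensalt(). This branch calls read()/close(), malloc()/free()/exit() and fprintf() but includes only errno.h, sys/types.h, sys/stat.h, fcntl.h and crypt.h; `<unistd.h>`, `<stdlib.h>` and `<stdio.h>` are only reached in the `#elif` branch or indirectly, so add them here. The configure hunk earlier in this patch defines RANDOM_FILE only when a readable file was found, while this code uses it unconditionally under HAVE_CRYPT_GENSALT, so either configure should fail when no file is available or salt.c should `#error` when RANDOM_FILE is undefined. `if( fd ) close( fd );` skips descriptor 0, which open() can legitimately return in a setuid program whose stdin is closed; an unconditional `close( fd );` is correct because open() has succeeded on every path that reaches finish.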
