Bug 1119289
| Summary: | pam_userdb works only with DES-crypt despite crypt() supporting other hash algorithms too | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Marcel Kolaja <mkolaja> |
| Component: | pam | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | dapospis, tmraz |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pam-1.1.1-19.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: pam_userdb too strictly handled the call to the crypt() function, not expecting modern crypt hash formats. Consequence: pam_userdb was not able to support any other hash algorithms supported by glibc for the user password hashes. Fix: The code handling the crypt() function call was improved. Result: The pam_userdb module now supports any password hash formats supported by the glibc crypt() function. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 08:10:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Rather than fixing the documentation the code should be fixed with a backport of the code changes from RHEL-7. You can easily create a SHA512 hashed password with a python script:

```python
import crypt
crypt.crypt('<password>', '<salt>')
```

Where salt is `$6$<any-16-random-characters>$`
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1579.html
Description of problem:
The crypt option definition in the pam_userdb man page states that if value crypt is used, passwords should be stored in crypt(3) form. It supports, however, DES-crypt only, while crypt() supports a couple of other algorithms too according to the crypt(3) man page.

Version-Release number of selected component (if applicable):
pam-1.1.1-17.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. $ man pam_userdb

Actual results:
incorrect definition of the crypt option

Expected results:
correct definition of the crypt option

Additional info:
In the PAM version in RHEL 6, there is a constraint before crypt() is called:

```c
if (data.dsize != 13) {
    compare = -2;
```

This constraint matches exactly what is expected from a DES-crypt encrypted password. Its length must be exactly 13 characters. That's why it doesn't support other algorithms even though crypt() does support them and crypt() is used. Some changes to the pam_userdb code would have to be done in order to support other algorithms too.

Looking at PAM in RHEL 7, this constraint is changed along with some other changes in the relevant part of the code, so it's possible that PAM in RHEL 7 supports other algorithms (I didn't try it, that is just what I guess from the code):

```c
if (data.dsize < 13) {
    compare = -2;
```

Man pages for RHEL 6 and RHEL 7 define the crypt option in the same way though.
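The following is an added example written for this page; it is not code from pam or from anyone in the bug report. It serves both the comment above about generating a SHA-512 hash for a pam_userdb database and the `dsize != 13` versus `dsize < 13` constraint quoted in the description: it generates hashes in each glibc crypt(3) family, classifies a stored value by its format, and models the pam_userdb comparison in both its RHEL 6 and its fixed form so you can see which stored hashes each one rejects before crypt() is even called. The function and constant names (`make_salt`, `make_hash`, `hash_format`, `userdb_check`, `HASH_FORMATS`) are mine; the two length gates are taken from the description. Python's `crypt` module wraps the libc crypt(3) and was removed in Python 3.13, so the parts that need it are guarded and the format checks still run without it.

```python
"""Model of pam_userdb's crypt= handling before and after the fix (added example,
not pam's code). The only lines borrowed from pam are the two length gates
quoted in the bug description:
  RHEL 6 (pam-1.1.1-17.el6):  if (data.dsize != 13) compare = -2;
  RHEL 7 / pam-1.1.1-19.el6:  if (data.dsize < 13)  compare = -2;
"""
import hmac
import re
import secrets
import string

try:
    import crypt  # wraps libc crypt(3); removed in Python 3.13
    HAVE_CRYPT = True
except ImportError:
    HAVE_CRYPT = False

# crypt.methods lists only the hash families the platform libc really supports.
SUPPORTS_SHA512 = HAVE_CRYPT and crypt.METHOD_SHA512 in crypt.methods
SUPPORTS_DES = HAVE_CRYPT and crypt.METHOD_CRYPT in crypt.methods

# crypt(3) salt alphabet: [a-zA-Z0-9./]
SALT_CHARS = string.ascii_letters + string.digits + "./"

# Output shapes of the glibc crypt() families. Traditional DES is exactly
# 13 characters (2 salt + 11 hash) with no prefix, which is where the "13" in
# the RHEL 6 check comes from; every $1$/$5$/$6$ hash is longer than that.
HASH_FORMATS = {
    "des":    re.compile(r"^[./0-9A-Za-z]{13}$"),
    "md5":    re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    "sha256": re.compile(r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"),
    "sha512": re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"),
}


def hash_format(stored):
    """Name the crypt(3) family a stored hash belongs to, or None."""
    for name, pattern in HASH_FORMATS.items():
        if pattern.match(stored):
            return name
    return None


def make_salt(prefix="$6$"):
    """Random salt in crypt(3) setting-string form.

    "" gives the 2-character DES salt; "$1$", "$5$" and "$6$" give the modular
    forms with the longest salt glibc honours (8 for MD5, 16 for SHA-2)."""
    if prefix == "":
        return "".join(secrets.choice(SALT_CHARS) for _ in range(2))
    length = 8 if prefix == "$1$" else 16
    return prefix + "".join(secrets.choice(SALT_CHARS) for _ in range(length)) + "$"


def make_hash(password, prefix="$6$"):
    """Hash a password for storage in a pam_userdb database used with crypt=.

    Returns None when libc rejects the requested family."""
    if not HAVE_CRYPT:
        raise RuntimeError("Python crypt module not available (removed in 3.13)")
    return crypt.crypt(password, make_salt(prefix))


def userdb_check(password, stored, fixed=True):
    """Reproduce pam_userdb's crypt= comparison.

    fixed=False models pam-1.1.1-17.el6: anything that is not exactly 13 bytes
    is rejected before crypt() runs, so only a DES hash can ever match.
    fixed=True models the RHEL 7 code backported in pam-1.1.1-19.el6: only
    values too short to be any crypt(3) hash are rejected up front.

    Returns None when the length gate rejects the stored value, True on a
    match and False on a mismatch."""
    if not fixed:
        if len(stored) != 13:
            return None
    elif len(stored) < 13:
        return None
    if not HAVE_CRYPT:
        raise RuntimeError("Python crypt module not available (removed in 3.13)")
    # crypt() takes the stored hash as its setting string: it reads the prefix,
    # rounds and salt from it and ignores the trailing hash part.
    computed = crypt.crypt(password, stored)
    if computed is None:  # libc rejected the setting string
        return False
    # Compare the whole string in constant time, not just the first 13 bytes.
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    if SUPPORTS_SHA512:
        h = make_hash("correct horse", "$6$")
        print(h, hash_format(h))
        print("RHEL 6 gate:", userdb_check("correct horse", h, fixed=False))
        print("fixed gate: ", userdb_check("correct horse", h, fixed=True))
```

Two practical notes: traditional DES-crypt only uses the first 8 characters of the password and 12 bits of salt, so a pam_userdb database that must work on the unfixed pam-1.1.1-17.el6 is limited to that weak format; once pam-1.1.1-19.el6 is installed, rehash the database with `$6$` values and verify with `userdb_check(..., fixed=True)` that each entry matches before removing the DES ones.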