On Tue, 2013-02-05 at 14:00 +0100, Thorsten Kukuk wrote:
Hi,
I find it very disturbing that you need to manually maintain
the used encryption hash in /etc/login.defs for shadow and
as pam_unix.so argument. Since we have already two modules
reading /etc/login.defs, I made a small change to pam_unix.so:
The default encryption hash is taken from /etc/login.defs and
can be overwritten with the pam_unix.so argument. If there is no
entry in /etc/login.defs and no argument, DES is still the default.
So this change should be pretty backward compatible.
Any opinions? Most of the code is from the other PAM modules, maybe
we should add the /etc/login.defs parsing functions to libpam itself
sometime.

This is great. I've always wanted to implement this but never got to
it.
+ if (buf == NULL)
+ {
+ buflen = BUF_SIZE;
+ buf = malloc (buflen);
+ }
+ buf[0] = '\0';
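Review bot: The store `buf[0] = '\0';` after the allocation block runs even when `malloc (buflen)` returned NULL, so the first write goes through a null pointer. Check the result right after the call and return an error before touching `buf`; assigning `buflen = BUF_SIZE` only once the allocation has succeeded also keeps the length and the pointer consistent on the failure path.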
There is a possible NULL pointer dereference if malloc() fails.
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPTION_METHOD value
[%s]", val);
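Review bot: The warning text names ENCRYPTION_METHOD, which is not the key an administrator will find in /etc/login.defs; the reply gives the option as ENCRYPT_METHOD. Use the exact key in the format string, for example `"unrecognized ENCRYPT_METHOD value [%s]"`, so the logged name can be matched against the configuration file.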
The login.defs option is ENCRYPT_METHOD. You have the same typo in the pam_unix.8.xml.
You're also missing a free(val); call in _set_ctrl().
If you fix these it should be OK to commit.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
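
The precedence described in the quoted mail (pam_unix.so argument, then ENCRYPT_METHOD from /etc/login.defs, then DES), with the allocation check and the free(val) the review asks for, as an added example that is not code from the patch or from Linux-PAM. The function names, the simplified parser, the accepted value list, the case-sensitive match and the DES fallback for an unrecognized value are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed parser: first "KEY value" line wins, '#' starts a comment.
 * Returns a malloc'd value the caller must free(), or NULL. */
static char *defs_lookup(const char *text, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = text; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *s = p, *end = memchr(p, '#', len);
        if (end == NULL) end = p + len;
        while (s < end && isspace((unsigned char)*s)) s++;
        if ((size_t)(end - s) > klen && strncmp(s, key, klen) == 0
            && isspace((unsigned char)s[klen])) {
            s += klen;
            while (s < end && isspace((unsigned char)*s)) s++;
            while (end > s && isspace((unsigned char)end[-1])) end--;
            char *val = malloc((size_t)(end - s) + 1);
            if (val == NULL) return NULL;   /* check before any write */
            memcpy(val, s, (size_t)(end - s));
            val[end - s] = '\0';
            return val;
        }
        p = eol ? eol + 1 : p + len;
    }
    return NULL;
}

/* module_arg stands in for an already parsed pam_unix.so option (assumed). */
const char *resolve_hash(const char *module_arg, const char *defs_text)
{
    static const char *const known[] = { "DES", "MD5", "SHA256", "SHA512" };
    const char *result = NULL;
    if (module_arg != NULL) return module_arg;      /* argument overrides */
    char *val = defs_lookup(defs_text, "ENCRYPT_METHOD");
    if (val == NULL) return "DES";   /* no entry (or no memory): old default */
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(val, known[i]) == 0) result = known[i];
    if (result == NULL) {
        fprintf(stderr, "unrecognized ENCRYPT_METHOD value [%s]\n", val);
        result = "DES";   /* assumed fallback, not shown in the patch */
    }
    free(val);   /* released on every path that allocated it */
    return result;
}
```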