pam_unix: Better approach to add crypt_default method, if supported. #84
Conversation
libxcrypt since v4.4.0 supports a default method for its gensalt function on most system configurations. As the default method is to be considered the strongest available hash method, it should be preferred over all other hash methods supported by pam. * modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default. * modules/pam_unix/passverify.c: Add crypt_default method. * modules/pam_unix/support.c (_set_ctrl): Issue an error to syslog, if the crypt_default method is not supported by the system's libcrypt * modules/pam_unix/support.h: Likewise.
|
Thinking about this I believe this is a wrong approach. We already provide a kind-of default method which is obtained from /etc/login.defs. Why not handle the default method from libcrypt in a similar way. I would not add a new option at all, but just call the crypt_preferred_method() if available and use its value. You would still need to indicate somehow (via ctrl flag) that no algo option was used with the pam module because the value from login.defs should be overriden by the libcrypt preferred method. The preference order should be:
There are also other possibilities how to handle the 4. - make it build-time option - using a define that can be passed into build should be sufficient. |
|
@besser82 If we could do something with this one before the 1.4.0 release it would be nice. But I'd like the release to be completed during March. |
|
@t8m working on it. =) |
libxcrypt since v4.4.0 supports a default method for its gensalt function on most system configurations.
As the default method is to be considered the strongest available hash method, it should be preferred over all other hash methods supported by pam.
the crypt_default method is not supported by the system's libcrypt
@t8m This is the new version of #78.