Commit Graph

103 Commits

Author SHA1 Message Date
christos
19917e71c5 use pw_gensalt() and don't dig into libcrypt. 2005-01-11 22:42:30 +00:00
dsl
e2a58c7a44 Add (unsigned char) cast to ctype functions
A password containing 80...ff could be reported (incorrectly) as being
all lower case.
2004-10-30 21:05:53 +00:00
lha
f911795b30 Switch to krb5_set_password that can handle the RFC3244 (and the older
change password protocol)
2004-10-05 14:12:56 +00:00
sjg
3a0c68edfd Add support for SHA1 hashed passwords.
The algorithm used is essentially PBKDF1 from RFC 2898 but using
hmac_sha1 rather than SHA1 directly (suggested by smb@research.att.com).

 * The format of the encrypted password is:
 * $<tag>$<iterations>$<salt>$<digest>
 *
 * where:
 *      <tag>           is "sha1"
 *      <iterations>    is an unsigned int identifying how many rounds
 *                      have been applied to <digest>.  The number
 *                      should vary slightly for each password to make
 *                      it harder to generate a dictionary of
 *                      pre-computed hashes.  See crypt_sha1_iterations.
 *      <salt>          up to 64 bytes of random data, 8 bytes is
 *                      currently considered more than enough.
 *      <digest>        the hashed password.

hmac.c implements HMAC as defined in RFC 2104 and includes a unit
test for both hmac_sha1 and hmac_sha1 using a selection of the Known
Answer Tests from RFC 2202.

It is worth noting that to be FIPS compliant the hmac key (password)
should be 10-20 chars.
2004-07-02 00:05:23 +00:00
agc
89aaa1bb64 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22365, verified by myself.
2003-08-07 11:13:06 +00:00
itojun
f4401cd869 upgrade openssl to 0.9.7b. (AES is now supported)
alter des.h to be friendly with openssl/des.h (you can include both in the
same file)
make libkrb to depend on libdes.  bump major.
massage various portions of heimdal to be friendly with openssl 0.9.7b.
2003-07-24 14:16:30 +00:00
lukem
59efd8a9dd remove unnecessary rules 2003-07-22 12:34:40 +00:00
itojun
6d415bc4b0 use bounded string op 2003-07-14 11:54:06 +00:00
lha
508f668a25 Don't build a separate kpasswd program, passwd can handle Kerberos
password changing. Fixes last part of bin/14988.
2003-04-06 16:35:37 +00:00
lha
919a5f7ede Document when Kerberos will be used.
fixes part of bin/14988
2003-04-05 18:06:52 +00:00
itojun
5f2d0b666f error handling on strdup failure 2002-11-16 15:59:26 +00:00
itojun
9593086444 use strlcpy 2002-11-16 04:34:13 +00:00
itojun
e91a21c27c add DPADD. 2002-10-23 01:25:35 +00:00
provos
d15e0fa262 password hashing utility that allows des, md5 or bcrypt passwords to be
created in scripts;  tool originally from downsj@openbsd.org;
approved by perry.
2002-10-01 20:48:58 +00:00
grant
be8ae688ae New sentence, new line. 2002-09-30 11:08:56 +00:00
itojun
3be26b82ef use arc4random 2002-05-28 11:19:17 +00:00
itojun
c89c003ed2 support bcrypt password. can be chosen by "blowfish" keyword in passwd.conf.
from openbsd
2002-05-24 04:02:47 +00:00
thorpej
9c33b55e7c Split the notion of building Hesiod, Kerberos, S/key, and YP
infrastructure and using that infrastructure in programs.

	* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
	  of the infrastructure (libraries, support programs, etc.)

	* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
	  building of support for using the corresponding API
	  in various libraries/programs that can use it.

As discussed on tech-toolchain.
2002-03-22 18:10:19 +00:00
wiz
aded0d2cce Whitespace cleanup. 2001-12-01 16:43:07 +00:00
ad
28a9c7f8da Slight change to previous: rebuild the insecure password db if the expiry
time has changed, not just been set.
2001-08-18 19:42:40 +00:00
ad
1e8e78ed07 Update for pw_mkdb() change: restrict updates to one user's records and/or
the secure database where appropriate.
2001-08-18 19:35:32 +00:00
simonb
a378517ea4 80 column police. 2001-03-28 03:17:41 +00:00
cgd
a8ec668ddf convert to use getprogname() 2001-02-19 23:03:42 +00:00
cgd
c52d4f59e8 __progname not used here, so don't extern it 2001-02-13 00:14:58 +00:00
fvdl
176686cd4f In krb5_end, don't try to free the krb5 context if it's not yet
been initialized. Fixes coredump when passwd is called as 'yppasswd'.
2000-11-18 19:29:20 +00:00
simonb
9b22175a26 Remove INSTALLFLAGS=-fschg, as per change to usr.bin/ssh/ssh/Makefile. 2000-10-18 00:24:18 +00:00
ad
ec40993b05 Back out previous. 2000-10-09 11:14:59 +00:00
ad
6be1fe9169 Fix warning message. 2000-10-09 11:14:17 +00:00
ad
0db0171979 Back out previous. 2000-10-09 11:14:16 +00:00
ad
7f700a8518 Document new behaviour WRT password expiry, and Xr login.conf. 2000-09-21 11:13:06 +00:00
ad
f03c136f00 When not running as the super-user: if the user's password has expired or is
due to expire within _PASSWORD_WARNDAYS (or the setting from login.conf),
force the user to set a different password than the one they are currently
using. (Yes, it's actually worthwhile doing this.)
2000-09-21 11:11:49 +00:00
ad
5ab843adef - sizeof(), not constants.
- snprintf() will always terminate the output string.
- Spacing.
2000-09-18 16:00:41 +00:00
assar
6d7f2da1a1 remove -lvers, it's not used 2000-08-03 22:56:29 +00:00
ad
6b38e4b314 __RCSID(). 2000-08-03 08:25:41 +00:00
assar
549a4d9cdc update build infrastructure for heimdal 0.3a 2000-08-03 04:02:29 +00:00
ad
82fb41b688 English. 2000-07-11 12:12:18 +00:00
ad
240f3596cb Use ':' as group prefix; suggested by hubertf. 2000-07-06 13:09:46 +00:00
ad
17ae5d7c69 Adapt to addition of passwd.conf. 2000-07-06 11:20:30 +00:00
ad
34e4fc5261 - Pull in pwd.h since `struct passwd' is now used in extern.h.
- Use pwd_gensalt().
2000-07-06 11:19:39 +00:00
ad
44f550958a Declare pwd_gensalt(). 2000-07-06 11:17:25 +00:00
ad
a7d94ddf80 Add pwd_gensalt() - generates password salt/setting for crypt(), based upon
target user and information obtained from passwd.conf. From OpenBSD.
2000-07-06 11:16:50 +00:00
matt
fcd0fb118f Make gcc 2.96 (and maybe earlier) happier. Include <stdlib.h>,<string.h>,
etc. as appropriate to get exit,strncmp,abs,abort,etc.
Add -I${.CURDIR} to a few Makefiles
2000-07-03 02:51:12 +00:00
veego
f3b06ab74b Add a MKKERBEROS check to enable/disable kerberos support during the build. 2000-06-24 06:52:10 +00:00
thorpej
e7d6b96938 Merge a bunch of things from crypto-us and crypto-intl into basesrc,
adding support for Heimdal/KTH Kerberos where easy to do so.  Eliminate
bsd.crypto.mk.

There is still a bunch more work to do, but crypto is now more-or-less
fully merged into the base NetBSD distribution.
2000-06-20 06:00:24 +00:00
simonb
d88dfea295 Don't declare 'extern opt*' getopt variables. 2000-04-14 06:11:07 +00:00
joda
d8c128f4a5 use NULL 2000-03-01 12:46:36 +00:00
aidan
919f6272de Modularize password changing mechanisms, as proposed in
<20000130122641.A8134@xanadu.kublai.com>:
Subject: PROPOSAL: making passwd pluggable (sort of)
Date: Sun, 30 Jan 2000 12:26:41 -0500
2000-02-14 04:36:20 +00:00
aidan
b817536785 Separate kerberos5 implementation from kerberos4. 2000-01-26 01:18:48 +00:00
mjl
4b9294447c Wrap login.conf database access in ifdef LOGIN_CAP. 2000-01-12 05:13:32 +00:00
mjl
e8a1b04582 Changes to passwd(1) for login.conf. Supported capabilities are
minpasswordlen and passwordtime (expiry time).
2000-01-12 05:04:41 +00:00