Commit Graph

118 Commits

Author SHA1 Message Date
jnemeth 2e994af332 Display a message indicating who's password is being changed, as per
Jeremy Reed on tech-userlevel.
2007-05-06 09:19:44 +00:00
wiz 54cd24faa5 Get rid of more Kerberos 4 code. 2006-03-23 23:33:28 +00:00
hubertf 8c061da318 Xref pwhash(1),
pointed out by Stefan Schumacher at the Chemnitz Linuxdays
2006-03-07 01:52:09 +00:00
he 8e8728c45c Introduce PAM_STATIC_LDADD and PAM_STATIC_DPADD. When compiling
with MKPIC=no, possibly because the target does not support shared
libraries, these include libraries required to resolve all symbols
which end up referenced from PAM-using applications.  The libraries
presently required are -lcrypt, -lrpcsvc and -lutil.

Add use of these variables which are currently set up to use PAM,
so that they compile when MKPIC=no.

Also, in the telnetd case, reorder the order of the libraries, so
that libtelnet.a comes before -ltermcap and -lutil, again to fix
link error when MKPIC=no.

Discussed with thorpej and christos.
2005-03-04 20:41:08 +00:00
wiz a5924c4e9e YP password -> NIS password. Ok'd by thorpej. 2005-02-28 15:19:59 +00:00
wiz 8168d38f56 Remove COPTS+=-g. 2005-02-28 10:37:49 +00:00
wiz b34e537add infomration -> information. 2005-02-28 10:37:34 +00:00
thorpej feee050f0e user -> principal in the krb5 synopsis. 2005-02-28 02:02:43 +00:00
thorpej c80d0a6dc7 Fix a typo, and sort SEE ALSO correctly. 2005-02-28 02:01:35 +00:00
thorpej 4e63fd43ef Magor rework of passwd(1) for the PAM case. Add "-d <database>" option,
similar to Solaris's "-r <repository" or Mac OS X's "-i <infosystem>",
to select the password database (files, nis, krb5).  Otherwise, we default
to using whatever PAM decides.
2005-02-26 07:19:25 +00:00
thorpej 8c9dd4bba7 Add missing RCS ID. 2005-02-24 05:11:34 +00:00
wiz 823387f1c8 Drop some whitespace
XXX: -p not described.
2005-02-22 01:49:20 +00:00
christos 11e49612c8 Add a PAM passwd module.
XXX: This avoids the issue of supporting separate -l -y -k, but is the behavior
correct? Should passwd -p disable all other passwd methods? Should it become
the default if compiled in?
2005-02-22 01:08:43 +00:00
christos 5b5b914e5a adapt to pw_gensalt() changes. 2005-01-12 03:34:58 +00:00
christos 59bf3abf20 gc unused file. 2005-01-12 00:38:17 +00:00
christos 19917e71c5 use pw_gensalt() and don't dig into libcrypt. 2005-01-11 22:42:30 +00:00
dsl e2a58c7a44 Add (unsigned char) cast to ctype functions
A password containg 80...ff could be reported (incorrectly) as being
all lower case.
2004-10-30 21:05:53 +00:00
lha f911795b30 Switch to krb5_set_password that can handle the RFC3244 (and the older
change password protocol)
2004-10-05 14:12:56 +00:00
sjg 3a0c68edfd Add support for SHA1 hashed passwords.
The algorithm used is essentially PBKDF1 from RFC 2898 but using
hmac_sha1 rather than SHA1 directly (suggested by smb@research.att.com).

 * The format of the encrypted password is:
 * $<tag>$<iterations>$<salt>$<digest>
 *
 * where:
 *      <tag>           is "sha1"
 *      <iterations>    is an unsigned int identifying how many rounds
 *                      have been applied to <digest>.  The number
 *                      should vary slightly for each password to make
 *                      it harder to generate a dictionary of
 *                      pre-computed hashes.  See crypt_sha1_iterations.
 *      <salt>          up to 64 bytes of random data, 8 bytes is
 *                      currently considered more than enough.
 *      <digest>        the hashed password.

hmac.c implementes HMAC as defined in RFC 2104 and includes a unit
test for both hmac_sha1 and hmac_sha1 using a selection of the Known
Answer Tests from RFC 2202.

It is worth noting that to be FIPS compliant the hmac key (password)
should be 10-20 chars.
2004-07-02 00:05:23 +00:00
agc 89aaa1bb64 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22365, verified by myself.
2003-08-07 11:13:06 +00:00
itojun f4401cd869 upgrade openssl to 0.9.7b. (AES is now supported)
alter des.h to be friendly with openssl/des.h (you can include both in the
same file)
make libkrb to depend on libdes.  bump major.
massage various portioin of heimdal to be friendly with openssl 0.9.7b.
2003-07-24 14:16:30 +00:00
lukem 59efd8a9dd remove unnecessary rules 2003-07-22 12:34:40 +00:00
itojun 6d415bc4b0 use bounded string op 2003-07-14 11:54:06 +00:00
lha 508f668a25 Don't build a separate kpasswd program, passwd can handle Kerberos
password changing. Fixes last part of bin/14988.
2003-04-06 16:35:37 +00:00
lha 919a5f7ede Document when Kerberos will be used.
fixes part of bin/14988
2003-04-05 18:06:52 +00:00
itojun 5f2d0b666f error handling on strdup failure 2002-11-16 15:59:26 +00:00
itojun 9593086444 use strlcpy 2002-11-16 04:34:13 +00:00
itojun e91a21c27c add DPADD. 2002-10-23 01:25:35 +00:00
provos d15e0fa262 password hashing utility that allows des, md5 or bcrypt passwords to be
created in scripts;  tool originally from downsj@openbsd.org;
approved by perry.
2002-10-01 20:48:58 +00:00
grant be8ae688ae New sentence, new line. 2002-09-30 11:08:56 +00:00
itojun 3be26b82ef use arc4random 2002-05-28 11:19:17 +00:00
itojun c89c003ed2 support bcrypt password. can be chosen by "blowfish" keyword in passwd.conf.
from openbsd
2002-05-24 04:02:47 +00:00
thorpej 9c33b55e7c Split the notion of building Hesiod, Kerberos, S/key, and YP
infrastructure and using that infrastructure in programs.

	* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
	  of the infratsructure (libraries, support programs, etc.)

	* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
	  building of support for using the corresponding API
	  in various libraries/programs that can use it.

As discussed on tech-toolchain.
2002-03-22 18:10:19 +00:00
wiz aded0d2cce Whitespace cleanup. 2001-12-01 16:43:07 +00:00
ad 28a9c7f8da Slight change to previous: rebuild the insecure password db if the expiry
time has changed, not just been set.
2001-08-18 19:42:40 +00:00
ad 1e8e78ed07 Update for pw_mkdb() change: restrict updates to one user's records and/or
the secure database where appropriate.
2001-08-18 19:35:32 +00:00
simonb a378517ea4 80 column police. 2001-03-28 03:17:41 +00:00
cgd a8ec668ddf convert to use getprogname() 2001-02-19 23:03:42 +00:00
cgd c52d4f59e8 __progname not used here, so don't extern it 2001-02-13 00:14:58 +00:00
fvdl 176686cd4f In krb5_end, don't try to free the krb5 context if it's not yet
been initialized. Fixes coredump when passwd is called as 'yppasswd'.
2000-11-18 19:29:20 +00:00
simonb 9b22175a26 Remove INSTALLFLAGS=-fschg, as per change to usr.bin/ssh/ssh/Makefile. 2000-10-18 00:24:18 +00:00
ad ec40993b05 Back out previous. 2000-10-09 11:14:59 +00:00
ad 6be1fe9169 Fix warning message. 2000-10-09 11:14:17 +00:00
ad 0db0171979 Back out previous. 2000-10-09 11:14:16 +00:00
ad 7f700a8518 Document new behaviour WRT password expiry, and Xr login.conf. 2000-09-21 11:13:06 +00:00
ad f03c136f00 When not running as the super-user: if the user's password has expired or is
due to expire within _PASSWORD_WARNDAYS (or the setting from login.conf),
force the user to set a different password than the one they are currently
using. (Yes, it's actually worthwhile doing this.)
2000-09-21 11:11:49 +00:00
ad 5ab843adef - sizeof(), not constants.
- snprintf() will always terminate the output string.
- Spacing.
2000-09-18 16:00:41 +00:00
assar 6d7f2da1a1 remove -lvers, it's not used 2000-08-03 22:56:29 +00:00
ad 6b38e4b314 __RCSID(). 2000-08-03 08:25:41 +00:00
assar 549a4d9cdc update build infrastructure for heimdal 0.3a 2000-08-03 04:02:29 +00:00