[Pkg-shadow-devel] Bug#505640: generate hashed passwords to stdout for other tools
Kees Cook
kees at outflux.net
Fri Nov 14 00:43:51 UTC 2008
Package: shadow
Version: 1:4.1.1-5
Severity: normal
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch
There are situations where a non-root user needs to generate an encrypted
password using the current system configuration (i.e. following the
settings in /etc/login.defs). As an example, liboobs passes an encrypted
password to system-tools-backends which then calls "chpasswd -e".
To avoid 3rd party re-implementations of the salt-generation and system
configuration parsing, it would be handy to have a tool part of shadow that
handled this and produced a hashed password on stdout.
If/when Debian switches to SHA512 (from MD5) for the default hash, having
this tool already will simplify the job of any tools that need an encrypted
password, and allow them to not include any knowledge of what's needed to
get the hash.
As an example, attached is a simplistic patch to chpasswd which disables
the passwd-file-update, and spits out passwords on stdout.
Thanks,
-Kees
--
Kees Cook @outflux.net
-------------- next part --------------
Index: shadow-4.1.1/src/chpasswd.c
===================================================================
--- shadow-4.1.1.orig/src/chpasswd.c 2008-10-29 11:23:27.000000000 -0700
+++ shadow-4.1.1/src/chpasswd.c 2008-10-29 11:25:19.000000000 -0700
@@ -54,6 +54,7 @@
static int eflg = 0;
static int md5flg = 0;
static int sflg = 0;
+static int use_stdout = 0;
static const char *crypt_method = NULL;
static long sha_rounds = 5000;
@@ -83,6 +84,8 @@
" -c, --crypt-method the crypt method (one of %s)\n"
" -e, --encrypted supplied passwords are encrypted\n"
" -h, --help display this help message and exit\n"
+ " -S, --stdout report encrypted passwords to stdout\n"
+ " instead of changing the passwd file\n"
" -m, --md5 encrypt the clear text password using\n"
" the MD5 algorithm\n"
"%s"
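Review bot: the usage text lists options in letter order (-c, -e, -h, -m, -s) and the new `-S, --stdout` pair lands between -h and -m, breaking that order; move it after the `-m, --md5` lines. It would also help to say in the help text that no password file is opened, since that is the reason a non-root caller can use the option.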
@@ -113,6 +116,7 @@
{"encrypted", no_argument, NULL, 'e'},
{"help", no_argument, NULL, 'h'},
{"md5", no_argument, NULL, 'm'},
+ {"stdout", no_argument, NULL, 'S'},
#ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'},
#endif
@@ -121,9 +125,9 @@
while ((c = getopt_long (argc, argv,
#ifdef USE_SHA_CRYPT
- "c:ehms:",
+ "c:ehmSs:",
#else
- "c:ehm",
+ "c:ehmS",
#endif
long_options, &option_index)) != -1) {
switch (c) {
@@ -140,6 +144,9 @@
case 'm':
md5flg = 1;
break;
+ case 'S':
+ use_stdout = 1;
+ break;
#ifdef USE_SHA_CRYPT
case 's':
sflg = 1;
@@ -215,6 +222,7 @@
*/
static void check_perms (void)
{
+ if (use_stdout) return;
#ifdef USE_PAM
int retval = PAM_SUCCESS;
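Review bot: `if (use_stdout) return;` sits before the `int retval = PAM_SUCCESS;` declaration inside `#ifdef USE_PAM`, so in PAM builds this is a statement before a declaration, which C89-conforming compilers reject. It is also unreachable as the series stands, because main() already skips `check_perms ()` when use_stdout is set; keep only one of the two guards, preferably the one in main(), so check_perms() keeps a single behaviour.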
@@ -333,11 +341,13 @@
process_flags (argc, argv);
+ if (!use_stdout) {
check_perms ();
is_shadow_pwd = spw_file_present ();
open_files ();
+ }
/*
* Read each line, separating the user name from the password. The
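Review bot: the `if (!use_stdout) {` ... `}` wrapper is added without re-indenting `check_perms ();`, `is_shadow_pwd = spw_file_present ();` and `open_files ();`, so the block reads as if those calls were unconditional; re-indent the body. Note also that in stdout mode is_shadow_pwd keeps its initial value, which is only safe as long as every use of it sits past the `continue` this series adds later in the loop; a comment stating that invariant here would keep a future change from reintroducing a file access on the stdout path.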
@@ -398,6 +408,11 @@
crypt_make_salt(crypt_method, arg));
}
+ if (use_stdout) {
+ fprintf (stdout, "%s:%s\n", name, cp);
+ continue;
+ }
+
/*
* Get the password file entry for this user. The user must
* already exist.
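Review bot: the return value of `fprintf (stdout, "%s:%s\n", name, cp);` is ignored and nothing tests `ferror (stdout)` before `return (0);`, so a consumer reading the hashes through a closed or full pipe sees exit status 0 with truncated output; check the write (or at least `ferror (stdout)` at exit) and exit non-zero on failure. Separately, with `-e` (supplied passwords are already encrypted) the stdout path just echoes `name:cp` back unchanged, so either reject `-S` combined with `-e` in process_flags() or document that combination as a no-op.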
@@ -468,6 +483,7 @@
exit (1);
}
+ if (!use_stdout) {
close_files ();
nscd_flush_cache ("passwd");
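Review bot: the `if (!use_stdout) {` opened here is closed only in the next hunk after `pam_end`, and the wrapped lines (`close_files ();`, `nscd_flush_cache ("passwd");`, ...) keep their old indentation; re-indent the body and double-check that the lines elided between the two hunks contain nothing that must still run in stdout mode. Skipping close_files() and pam_end() on that path is correct in itself, since stdout mode never opened the files and never went through the PAM setup in check_perms().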
@@ -475,6 +491,7 @@
#ifdef USE_PAM
pam_end (pamh, PAM_SUCCESS);
#endif /* USE_PAM */
+ }
return (0);
}
Index: shadow-4.1.1/man/chpasswd.8.xml
===================================================================
--- shadow-4.1.1.orig/man/chpasswd.8.xml 2008-10-29 11:22:39.000000000 -0700
+++ shadow-4.1.1/man/chpasswd.8.xml 2008-10-29 11:23:27.000000000 -0700
@@ -79,6 +79,12 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term><option>-S</option>, <option>--stdout</option></term>
+ <listitem>
+ <para>Report encrypted passwords to stdout instead of updating password file.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>-h</option>, <option>--help</option></term>
<listitem>
<para>Display help message and exit.</para>
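Review bot: the new entry should document what the code actually emits, one `name:encrypted_password` line per input line (from the `fprintf (stdout, "%s:%s\n", name, cp)` in chpasswd.c), and that no password file is opened, so root privileges are not needed and the hash follows the ENCRYPT_METHOD settings in login.defs. Minor: "instead of updating the password file" (missing article), and place the varlistentry in the same option order the other entries use rather than between -e and -h.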
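The report's motivation is that a caller should not have to re-implement "salt generation and system configuration parsing" to produce a hash that matches what chpasswd itself would write. The following is an added example, not part of the bug report or of shadow's source, showing what that re-implementation involves: it parses the login.defs keys that govern hashing (ENCRYPT_METHOD, SHA_CRYPT_MIN_ROUNDS, SHA_CRYPT_MAX_ROUNDS), builds the crypt(3) setting string (method prefix, optional rounds, CSPRNG salt) and formats the `name:hash` line the proposed `-S` option prints. The prefix and salt-length table, the rounds clamping and the omission of `rounds=` at the default of 5000 are modelled on shadow's crypt_make_salt()/SHA_salt_rounds() as I understand them and are labelled as assumptions; the login.defs text is a constructed sample. Going slightly beyond the report, it covers all four ENCRYPT_METHOD values, not only MD5 and SHA512.

```python
import secrets
import string

# Constructed sample of the login.defs keys that govern password hashing;
# this is not the real /etc/login.defs of any system.
SAMPLE_LOGIN_DEFS = """\
# constructed sample
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
"""

# crypt(3) method prefix and salt length per ENCRYPT_METHOD value.
# Assumption: this mirrors what shadow's crypt_make_salt() emits; it is
# not shadow's own table.
METHODS = {
    "DES": ("", 2),
    "MD5": ("$1$", 8),
    "SHA256": ("$5$", 16),
    "SHA512": ("$6$", 16),
}
# Assumed limits, taken from what SHA-crypt accepts and its default rounds.
ROUNDS_MIN, ROUNDS_MAX, ROUNDS_DEFAULT = 1000, 999_999_999, 5000
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def parse_login_defs(text):
    """Parse the KEY VALUE lines of a login.defs-style file into a dict."""
    defs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def sha_rounds_prefix(defs):
    """Build the 'rounds=N$' part for SHA-crypt from SHA_CRYPT_{MIN,MAX}_ROUNDS.

    Modelled (assumption) on shadow's SHA_salt_rounds(): pick a random value
    in [MIN, MAX], clamp it to the accepted range, and omit the prefix when
    it equals the crypt default of 5000.
    """
    min_r = defs.get("SHA_CRYPT_MIN_ROUNDS")
    max_r = defs.get("SHA_CRYPT_MAX_ROUNDS")
    if min_r is None and max_r is None:
        return ""
    min_r = int(min_r if min_r is not None else max_r)
    max_r = int(max_r if max_r is not None else min_r)
    if min_r > max_r:
        max_r = min_r
    rounds = min_r + secrets.randbelow(max_r - min_r + 1)
    rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))
    return "" if rounds == ROUNDS_DEFAULT else f"rounds={rounds}$"


def make_setting(defs, salt=None):
    """Return the crypt(3) setting string (prefix + rounds + salt) for defs.

    A salt may be passed in for reproducible tests; otherwise one is drawn
    from the CSPRNG with the length the method needs.
    """
    method = defs.get("ENCRYPT_METHOD", "DES").upper()
    if method not in METHODS:
        raise ValueError(f"unsupported ENCRYPT_METHOD {method!r}")
    prefix, salt_len = METHODS[method]
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(salt_len))
    elif len(salt) != salt_len or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt has the wrong length or alphabet for this method")
    rounds = sha_rounds_prefix(defs) if method in ("SHA256", "SHA512") else ""
    return prefix + rounds + salt


def hashed_line(name, password, defs):
    """Produce the 'name:hash' line the proposed `chpasswd -S` would print.

    Hashing goes through libc crypt(3) via Python's crypt module, which is
    deprecated since 3.11 and removed in 3.13 (ImportError there).
    """
    import crypt
    return f"{name}:{crypt.crypt(password, make_setting(defs))}"


if __name__ == "__main__":
    defs = parse_login_defs(SAMPLE_LOGIN_DEFS)
    print(make_setting(defs))          # e.g. $6$<16 random salt chars>
    try:
        print(hashed_line("alice", "correct horse", defs))
    except ImportError:
        print("crypt module unavailable on this Python; setting shown above")
```

The setting string is the part a third party gets wrong most easily: a wrong salt length, a rounds value outside the accepted range, or a `rounds=` prefix on a method that does not take one all yield a hash chpasswd -e will accept but which may not match the system policy. Keeping that logic in one place inside shadow, as the report asks, is what removes that class of mismatch.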