authorDiego Elio Pettenò <flameeyes@gentoo.org>2008-08-01 17:23:18 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2008-08-01 17:23:18 +0000
commitd33b4a9775edb54d8214cb9c7d452791f89b2ece (patch)
tree7ccf9c0fc16d2d9e59efc3907fcef23fa9a2f133 /sys-auth
parentMask sha512 USE flag for pambase on FreeBSD. (diff)
New pambase with optional support for SHA512-hashed passwords (enabled by default). This will deprecate sys-auth/pam_sha512.
(Portage version: 2.2_rc5/cvs/Linux 2.6.26-gentoo x86_64)
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/pambase/ChangeLog9
-rw-r--r--sys-auth/pambase/metadata.xml14
-rw-r--r--sys-auth/pambase/pambase-20080801.ebuild103
3 files changed, 125 insertions, 1 deletions
diff --git a/sys-auth/pambase/ChangeLog b/sys-auth/pambase/ChangeLog
index 2bca7844e495..6864cd9b6a25 100644
--- a/sys-auth/pambase/ChangeLog
+++ b/sys-auth/pambase/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-auth/pambase
# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pambase/ChangeLog,v 1.47 2008/07/31 10:41:42 caster Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pambase/ChangeLog,v 1.48 2008/08/01 17:23:18 flameeyes Exp $
+
+*pambase-20080801 (01 Aug 2008)
+
+ 01 Aug 2008; Diego Pettenò <flameeyes@gentoo.org> metadata.xml,
+ +pambase-20080801.ebuild:
+ New pambase with optional support for SHA512-hashed passwords (enabled by
+ default). This will deprecated sys-auth/pam_sha512.
31 Jul 2008; Vlastimil Babka <caster@gentoo.org> ChangeLog:
Fix distfile size and hashes in Manifest, bug #233462.
diff --git a/sys-auth/pambase/metadata.xml b/sys-auth/pambase/metadata.xml
index ace595126384..fbef7d84ac86 100644
--- a/sys-auth/pambase/metadata.xml
+++ b/sys-auth/pambase/metadata.xml
@@ -47,5 +47,19 @@
~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent
instance to cache the open key.
</flag>
+ <flag name="sha512">
+ Switch Linux-PAM's pam_unix module to use sha512 for passwords
+ hashes rather than MD5. This option requires
+ <pkg>&gt;=sys-libs/pam-1.0.1</pkg> built against
+ <pkg>&gt;=sys-libs/glibc-2.7</pkg>, if it's built against an
+ earlier version, it will silently be ignored, and MD5 hashes
+ will be used. All the passwords changed after this USE flag is
+ enabled will be saved to the shadow file hashed using SHA512
+ function. The password previously saved will be left
+ untouched. Please note that while SHA512-hashed passwords will
+ still be recognised if the USE flag is removed, the shadow file
+ will not be compatible with systems using an earlier glibc
+ version.
+ </flag>
</use>
</pkgmetadata>
diff --git a/sys-auth/pambase/pambase-20080801.ebuild b/sys-auth/pambase/pambase-20080801.ebuild
new file mode 100644
index 000000000000..8fbf708ff7e6
--- /dev/null
+++ b/sys-auth/pambase/pambase-20080801.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/pambase/pambase-20080801.ebuild,v 1.1 2008/08/01 17:23:18 flameeyes Exp $
+
+EAPI=1
+
+inherit eutils
+
+DESCRIPTION="PAM base configuration files"
+HOMEPAGE="http://www.gentoo.org/proj/en/base/pam/"
+SRC_URI="http://www.flameeyes.eu/gentoo-distfiles/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86 ~x86-fbsd"
+IUSE="debug cracklib passwdqc consolekit gnome-keyring selinux mktemp ssh +sha512"
+RESTRICT="binchecks"
+
+RDEPEND="
+ || (
+ >=sys-libs/pam-0.99.9.0-r1
+ ( sys-auth/openpam
+ || ( sys-freebsd/freebsd-pam-modules sys-netbsd/netbsd-pam-modules )
+ )
+ )
+ cracklib? ( >=sys-libs/pam-0.99 )
+ consolekit? ( sys-auth/consolekit )
+ gnome-keyring? ( >=gnome-base/gnome-keyring-2.20 )
+ selinux? ( >=sys-libs/pam-0.99 )
+ passwdqc? ( >=sys-auth/pam_passwdqc-1.0.4 )
+ mktemp? ( sys-auth/pam_mktemp )
+ ssh? ( sys-auth/pam_ssh )
+ sha512? ( >=sys-libs/pam-1.0.1 )
+ !<sys-freebsd/freebsd-pam-modules-6.2-r1
+ !<sys-libs/pam-0.99.9.0-r1"
+DEPEND=""
+
+pkg_setup() {
+ if use cracklib && ! built_with_use sys-libs/pam cracklib; then
+ eerror "To enable cracklib support in the main PAM configuration"
+ eerror "you need to enable cracklib USE flag on sys-libs/pam"
+ eerror "first."
+ die "Missing pam_cracklib"
+ fi
+
+ if use selinux && ! built_with_use sys-libs/pam selinux; then
+ eerror "To enable selinux support in the main PAM configuration"
+ eerror "you need to enable selinux USE flag on sys-libs/pam"
+ eerror "first."
+ die "Missing pam_selinux"
+ fi
+
+ if use consolekit && ! built_with_use sys-auth/consolekit pam; then
+ eerror "To enable ConsoleKit support in the main PAM configuration"
+ eerror "you need to enable pam USE flag on sys-auth/consolekit"
+ eerror "first."
+ die "Missing pam_ck_connector"
+ fi
+
+ if use gnome-keyring && ! built_with_use gnome-base/gnome-keyring pam; then
+ eerror "To enable GNOME Keyring support in the main PAM configuration"
+ eerror "you need to enable pam USE flag on gnome-base/gnome-keyring"
+ eerror "first."
+ die "Missing pam_gnome_keyring"
+ fi
+}
+
+src_compile() {
+ has_version sys-libs/pam && implementation="linux-pam"
+ has_version sys-auth/openpam && implementation="openpam"
+
+ emake \
+ GIT=true \
+ DEBUG=$(use debug && echo yes || echo no) \
+ CRACKLIB=$(use cracklib && echo yes || echo no) \
+ PASSWDQC=$(use passwdqc && echo yes || echo no) \
+ CONSOLEKIT=$(use consolekit && echo yes || echo no) \
+ GNOME_KEYRING=$(use gnome-keyring && echo yes || echo no) \
+ SELINUX=$(use selinux && echo yes || echo no) \
+ MKTEMP=$(use mktemp && echo yes || echo no) \
+ PAM_SSH=$(use ssh && echo yes || echo no) \
+ SHA512=$(use sha512 && echo yes || echo no) \
+ IMPLEMENTATION=${implementation} \
+ || die "emake failed"
+}
+
+src_install() {
+ emake GIT=true DESTDIR="${D}" install || die "emake install failed"
+}
+
+pkg_postinst() {
+ if use sha512; then
+ elog "Starting from version 20080801, pambase optionally enables"
+ elog "SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1"
+ elog "built against sys-libs/glibc-2.7 or later."
+ elog "If you don't have support for this, it will automatically fallback"
+ elog "to MD5-hashed passwords, just like before."
+ elog
+ elog "Please note that the change only affects the newly-changed passwords"
+ elog "and that SHA512-hashed passwords will not work on earlier versions"
+ elog "of glibc or Linux-PAM."
+ fi
+} \ No newline at end of file
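Review bot: Nothing in this ebuild detects the case the `pkg_postinst` text describes, where Linux-PAM was built against a glibc older than 2.7 and `sha512` is silently ignored, so a system can have the flag enabled while new passwords are still stored as MD5. RDEPEND only requires `sha512? ( >=sys-libs/pam-1.0.1 )`; on glibc systems, extending it to `sha512? ( >=sys-libs/pam-1.0.1 >=sys-libs/glibc-2.7 )` would catch the common case, though it cannot prove that the installed pam was rebuilt after a glibc upgrade. Because the outcome is a weaker hash than the administrator asked for, the fallback lines in `pkg_postinst` deserve `ewarn` rather than `elog`. The message could also say that existing shadow entries keep their MD5 hashes until each password is changed again.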