Blame SOURCES/pam-1.2.0-unix-no-fallback.patch

5c721c
diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml
5c721c
--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback	2015-04-27 16:38:03.000000000 +0200
5c721c
+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml	2015-05-15 15:54:21.524440864 +0200
5c721c
@@ -284,11 +284,10 @@
5c721c
         <listitem>
5c721c
           <para>
5c721c
             When a user changes their password next,
5c721c
-            encrypt it with the SHA256 algorithm. If the
5c721c
-            SHA256 algorithm is not known to the <citerefentry>
5c721c
+            encrypt it with the SHA256 algorithm. The
5c721c
+            SHA256 algorithm must be supported by the <citerefentry>
5c721c
 	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
5c721c
-            </citerefentry> function,
5c721c
-            fall back to MD5.
5c721c
+            </citerefentry> function.
5c721c
           </para>
5c721c
         </listitem>
5c721c
       </varlistentry>
5c721c
@@ -299,11 +298,10 @@
5c721c
         <listitem>
5c721c
           <para>
5c721c
             When a user changes their password next,
5c721c
-            encrypt it with the SHA512 algorithm. If the
5c721c
-            SHA512 algorithm is not known to the <citerefentry>
5c721c
+            encrypt it with the SHA512 algorithm. The
5c721c
+            SHA512 algorithm must be supported by the <citerefentry>
5c721c
 	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
5c721c
-            </citerefentry> function,
5c721c
-            fall back to MD5.
5c721c
+            </citerefentry> function.
5c721c
           </para>
5c721c
         </listitem>
5c721c
       </varlistentry>
5c721c
@@ -314,11 +312,10 @@
5c721c
         <listitem>
5c721c
           <para>
5c721c
             When a user changes their password next,
5c721c
-            encrypt it with the blowfish algorithm. If the
5c721c
-            blowfish algorithm is not known to the <citerefentry>
5c721c
+            encrypt it with the blowfish algorithm. The
5c721c
+            blowfish algorithm must be supported by the <citerefentry>
5c721c
 	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
5c721c
-            </citerefentry> function,
5c721c
-            fall back to MD5.
5c721c
+            </citerefentry> function.
5c721c
           </para>
5c721c
         </listitem>
5c721c
       </varlistentry>
5c721c
diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
5c721c
--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback	2015-05-15 15:54:21.525440887 +0200
5c721c
+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c	2015-05-15 15:57:23.138613273 +0200
5c721c
@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
5c721c
 	sp = crypt(password, salt);
5c721c
 #endif
5c721c
 	if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
5c721c
-		/* libxcrypt/libc doesn't know the algorithm, use MD5 */
5c721c
+		/* libxcrypt/libc doesn't know the algorithm, error out */
5c721c
 		pam_syslog(pamh, LOG_ERR,
5c721c
-			   "Algo %s not supported by the crypto backend, "
5c721c
-			   "falling back to MD5\n",
5c721c
+			   "Algo %s not supported by the crypto backend.\n",
5c721c
 			   on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
5c721c
 			   on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
5c721c
 			   on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
5c721c
@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
5c721c
 #ifdef HAVE_CRYPT_R
5c721c
 		free(cdata);
5c721c
 #endif
5c721c
-		return crypt_md5_wrapper(password);
5c721c
+		return NULL;
5c721c
 	}
5c721c
 	sp = x_strdup(sp);
5c721c
 #ifdef HAVE_CRYPT_R