[tac_plus] sha512 and new specfile
heasley
heas at shrubbery.net
Fri Feb 13 23:57:33 UTC 2015
Wed, Feb 11, 2015 at 10:04:34AM +0100, Sten Spans:
>
> We've been using the tac_plus/tacacs+ package for a while now,
> and would like to contribute back some small improvements that
> we've been using.
>
> - switch tac_pwd to sha512 hashes by default
> - an updated specfile with a few cleanups
Thanks. Slight adjustment to the patch included. Thanks for being rather thorough.
Index: CHANGES
===================================================================
--- CHANGES (revision 3696)
+++ CHANGES (working copy)
@@ -484,3 +484,5 @@
F4.0.4.29
- spec file update - from Sten Spans
+ - add SHA512 support to tac_pwd - from Sten Spans
+ XXX needs a configure test to check for sha512 support.
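Review bot: The XXX entry understates the impact of the missing configure test: because SHA512 is now the default (opt_s starts at 1), a host whose crypt() does not understand the `$6$` prefix fails on every invocation rather than only when a flag is given. Until the configure check exists, either keep the old default and make SHA512 opt-in, or document the crypt() requirement in CHANGES and the man page alongside this line.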
Index: tac_pwd.8
===================================================================
--- tac_pwd.8 (revision 3686)
+++ tac_pwd.8 (working copy)
@@ -1,25 +1,28 @@
.\"
.hys 50
-.TH "tac_pwd" "8" "23 March 2012"
+.TH "tac_pwd" "8" "13 February 2014"
.SH NAME
-tac_pwd \- generate DES or MD5 encryption of a password
+tac_pwd \- generate SHA512, MD5 or DES encryption of a password
.\"
.SH SYNOPSIS
.B tac_pwd
-[\fB\-ehm\fP]
+[\fB\-dehm\fP]
[\c
salt]
.\"
.SH DESCRIPTION
.B tac_pwd
-prompts for a clear-text password and produces a DES encryption of that
-password on stdout which may be used in lieu of the clear-text representation
-in the
+prompts for a clear-text password and produces a hash of that password on
+stdout which may be used in lieu of the clear-text representation in the
.BR tac_plus.conf (5).
.PP
-The DES salt may be provided as a command-line argument.
+The salt may be provided as a command-line argument.
.PP
.SH COMMAND-LINE OPTIONS
+ .TP
+.B \-d
+Generate an DES hash, instead of SHA512.
+This is insecure, use with care.
.TP
.B \-e
Do not echo the plain-text password to the terminal.
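Review bot: Three problems in the new `-d` entry. The added `+ .TP` line has a space before `.TP`; in troff a line that does not start with `.` in column one is text, so the `-d` option will not render as a tagged paragraph like `-e` and `-m` do (drop the leading space). "Generate an DES hash" should read "Generate a DES hash". The `.TH` date `13 February 2014` looks like a typo for 2015, given the message date.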
@@ -30,7 +33,7 @@
.\"
.TP
.B \-m
-Generate an MD5 encryption, instead of DES.
+Generate an MD5 encryption, instead of SHA512.
This only works if crypt() on your host supports MD5.
.\"
.SH "SEE ALSO"
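Review bot: The `-m` entry keeps the caveat "This only works if crypt() on your host supports MD5", but the new SHA512 default has the same dependency on crypt() honouring `$6$` and nothing in DESCRIPTION says so. Add a matching sentence to DESCRIPTION (or to the `-d` entry), since a user on a libc without SHA512 crypt now needs to know to pass `-m` or `-d`.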
Index: tac_pwd.c
===================================================================
--- tac_pwd.c (revision 3686)
+++ tac_pwd.c (working copy)
@@ -54,6 +54,7 @@
#define SALTBUFLEN 24
#define HASHBUFLEN 32
+#define SHA512BUFLEN 128
void usage(void);
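Review bot: 128 is sufficient for a `$6$` result (3-byte prefix, salt, `$`, 86-character digest, NUL), but a one-line comment deriving the figure would help, because `HASHBUFLEN 32` directly above is too small for SHA512 output and the two names give no hint which one a later caller must use.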
@@ -133,6 +134,21 @@
return hash;
}
+char *
+do_sha512(char *passwd, char *salt)
+{
+ static char hash[SHA512BUFLEN];
+
+ if (salt == NULL)
+ salt = get_salt();
+ if (strlen(salt) > 2)
+ salt[2] = '\0';
+ snprintf(hash, SHA512BUFLEN, "$6$%s$", salt);
+ strncpy(hash, crypt(passwd, hash), SHA512BUFLEN);
+
+ return hash;
+}
+
int
main(int argc, char **argv)
{
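Review bot: `strncpy(hash, crypt(passwd, hash), SHA512BUFLEN)` dereferences NULL when crypt() fails, which is exactly the unsupported-`$6$` case the CHANGES entry admits is not yet detected; store the return value, check it for NULL and report an error before copying. Two smaller points: the `salt[2] = '\0'` truncation is inherited from the DES path, but SHA512 crypt accepts up to 16 salt characters, so cutting the salt to two characters discards entropy for no benefit (and writes into the caller's buffer, which may be argv); and strncpy does not guarantee termination, so add `hash[SHA512BUFLEN - 1] = '\0'` or use snprintf for the copy as well.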
@@ -145,11 +161,16 @@
char *prompt = "Password to be encrypted: ";
int opt_e = 0, /* do not echo passwd*/
opt_m = 0, /* create md5 string */
+ opt_s = 1, /* create sha512 str */
n;
struct termios t;
- while ((n = getopt(argc, argv, "ehm")) != EOF) {
+ while ((n = getopt(argc, argv, "dehm")) != EOF) {
switch (n) {
+ case 'd':
+ opt_m = 0;
+ opt_s = 0;
+ break;
case 'e':
opt_e = 1;
break;
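Review bot: The getopt string gains `d` but no hunk in this patch touches usage(), so the usage message will still list only `-ehm`; update it to `-dehm` and state that SHA512 is now the default. Also worth a comment here: because `-d` and `-m` each clear the other's flag, the last of `-d`/`-m` on the command line silently wins.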
@@ -159,6 +180,7 @@
break;
case 'm':
opt_m = 1;
+ opt_s = 0;
break;
default:
usage();
@@ -191,6 +213,8 @@
if (opt_m) {
result = do_md5(pass, salt);
+ } else if (opt_s) {
+ result = do_sha512(pass, salt);
} else {
result = do_des(pass, salt);
}
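Review bot: The three-way choice is now encoded in two booleans plus a default (`opt_s = 1`, cleared by `-d` and `-m`), which is fragile: the DES branch is reachable only through the implicit "both cleared" state. A single mode variable (e.g. an int set to DES, MD5 or SHA512 by the option switch and defaulting to SHA512) would make this dispatch and the option handling above self-explanatory.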