You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
212 lines
6.6 KiB
212 lines
6.6 KiB
1 month ago
|
diff -up Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml
|
||
|
--- Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip 2020-11-25 17:57:02.000000000 +0100
|
||
|
+++ Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml 2024-11-21 10:04:58.553127026 +0100
|
||
|
@@ -226,6 +226,14 @@
|
||
|
item and the line will be most probably ignored. For this reason, it is not
|
||
|
recommended to put spaces around the ':' characters.
|
||
|
</para>
|
||
|
+ <para>
|
||
|
+ An IPv6 link local host address must contain the interface
|
||
|
+ identifier. IPv6 link local network/netmask is not supported.
|
||
|
+ </para>
|
||
|
+ <para>
|
||
|
+ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
|
||
|
+ confusion with device names or PAM service names.
|
||
|
+ </para>
|
||
|
</refsect1>
|
||
|
|
||
|
<refsect1 id="access.conf-see_also">
|
||
|
diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml
|
||
|
--- Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip 2020-11-25 17:57:02.000000000 +0100
|
||
|
+++ Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml 2024-11-21 10:04:58.553127026 +0100
|
||
|
@@ -25,11 +25,14 @@
|
||
|
<arg choice="opt">
|
||
|
debug
|
||
|
</arg>
|
||
|
+ <arg choice="opt" rep="norepeat">
|
||
|
+ noaudit
|
||
|
+ </arg>
|
||
|
<arg choice="opt">
|
||
|
nodefgroup
|
||
|
</arg>
|
||
|
- <arg choice="opt">
|
||
|
- noaudit
|
||
|
+ <arg choice="opt" rep="norepeat">
|
||
|
+ nodns
|
||
|
</arg>
|
||
|
<arg choice="opt">
|
||
|
accessfile=<replaceable>file</replaceable>
|
||
|
@@ -114,7 +117,46 @@
|
||
|
|
||
|
<varlistentry>
|
||
|
<term>
|
||
|
- <option>fieldsep=<replaceable>separators</replaceable></option>
|
||
|
+ nodefgroup
|
||
|
+ </term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ User tokens which are not enclosed in parentheses will not be
|
||
|
+ matched against the group database. The backwards compatible default is
|
||
|
+ to try the group database match even for tokens not enclosed
|
||
|
+ in parentheses.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+
|
||
|
+ <varlistentry>
|
||
|
+ <term>
|
||
|
+ nodns
|
||
|
+ </term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ Do not try to resolve tokens as hostnames, only IPv4 and IPv6
|
||
|
+ addresses will be resolved. Which means to allow login from a
|
||
|
+ remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+
|
||
|
+ <varlistentry>
|
||
|
+ <term>
|
||
|
+ quiet_log
|
||
|
+ </term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ Do not log denials with
|
||
|
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+
|
||
|
+ <varlistentry>
|
||
|
+ <term>
|
||
|
+ fieldsep=separators
|
||
|
</term>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
@@ -152,20 +194,6 @@
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</varlistentry>
|
||
|
-
|
||
|
- <varlistentry>
|
||
|
- <term>
|
||
|
- <option>nodefgroup</option>
|
||
|
- </term>
|
||
|
- <listitem>
|
||
|
- <para>
|
||
|
- User tokens which are not enclosed in parentheses will not be
|
||
|
- matched against the group database. The backwards compatible default is
|
||
|
- to try the group database match even for tokens not enclosed
|
||
|
- in parentheses.
|
||
|
- </para>
|
||
|
- </listitem>
|
||
|
- </varlistentry>
|
||
|
|
||
|
</variablelist>
|
||
|
</refsect1>
|
||
|
diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.c
|
||
|
--- Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip 2024-11-21 10:04:58.547127010 +0100
|
||
|
+++ Linux-PAM-1.5.1/modules/pam_access/pam_access.c 2024-11-21 10:04:58.553127026 +0100
|
||
|
@@ -92,6 +92,7 @@ struct login_info {
|
||
|
int debug; /* Print debugging messages. */
|
||
|
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
|
||
|
int noaudit; /* Do not audit denials */
|
||
|
+ int nodns; /* Do not try to resolve tokens as hostnames */
|
||
|
const char *fs; /* field separator */
|
||
|
const char *sep; /* list-element separator */
|
||
|
int from_remote_host; /* If PAM_RHOST was used for from */
|
||
|
@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct lo
|
||
|
loginfo->only_new_group_syntax = YES;
|
||
|
} else if (strcmp (argv[i], "noaudit") == 0) {
|
||
|
loginfo->noaudit = YES;
|
||
|
+ } else if (strcmp (argv[i], "nodns") == 0) {
|
||
|
+ loginfo->nodns = YES;
|
||
|
} else {
|
||
|
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
|
||
|
}
|
||
|
@@ -700,6 +703,39 @@ string_match (pam_handle_t *pamh, const
|
||
|
}
|
||
|
|
||
|
|
||
|
+static int
|
||
|
+is_device (pam_handle_t *pamh, const char *tok)
|
||
|
+{
|
||
|
+ struct stat st;
|
||
|
+ const char *dev = "/dev/";
|
||
|
+ char *devname;
|
||
|
+
|
||
|
+ devname = malloc (strlen(dev) + strlen (tok) + 1);
|
||
|
+ if (devname == NULL) {
|
||
|
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
|
||
|
+ /*
|
||
|
+ * We should return an error and abort, but pam_access has no good
|
||
|
+ * error handling.
|
||
|
+ */
|
||
|
+ return NO;
|
||
|
+ }
|
||
|
+
|
||
|
+ char *cp = stpcpy (devname, dev);
|
||
|
+ strcpy (cp, tok);
|
||
|
+
|
||
|
+ if (lstat(devname, &st) != 0)
|
||
|
+ {
|
||
|
+ free (devname);
|
||
|
+ return NO;
|
||
|
+ }
|
||
|
+ free (devname);
|
||
|
+
|
||
|
+ if (S_ISCHR(st.st_mode))
|
||
|
+ return YES;
|
||
|
+
|
||
|
+ return NO;
|
||
|
+}
|
||
|
+
|
||
|
/* network_netmask_match - match a string against one token
|
||
|
* where string is a hostname or ip (v4,v6) address and tok
|
||
|
* represents either a hostname, a single ip (v4,v6) address
|
||
|
@@ -761,10 +797,42 @@ network_netmask_match (pam_handle_t *pam
|
||
|
return NO;
|
||
|
}
|
||
|
}
|
||
|
+ else if (isipaddr(tok, NULL, NULL) == YES)
|
||
|
+ {
|
||
|
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
||
|
+ {
|
||
|
+ if (item->debug)
|
||
|
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
|
||
|
+
|
||
|
+ return NO;
|
||
|
+ }
|
||
|
+ netmask_ptr = NULL;
|
||
|
+ }
|
||
|
+ else if (item->nodns)
|
||
|
+ {
|
||
|
+ /* Only hostnames are left, which we would need to resolve via DNS */
|
||
|
+ return NO;
|
||
|
+ }
|
||
|
else
|
||
|
{
|
||
|
+ /* Bail out on X11 Display entries and ttys. */
|
||
|
+ if (tok[0] == ':')
|
||
|
+ {
|
||
|
+ if (item->debug)
|
||
|
+ pam_syslog (pamh, LOG_DEBUG,
|
||
|
+ "network_netmask_match: tok=%s is X11 display", tok);
|
||
|
+ return NO;
|
||
|
+ }
|
||
|
+ if (is_device (pamh, tok))
|
||
|
+ {
|
||
|
+ if (item->debug)
|
||
|
+ pam_syslog (pamh, LOG_DEBUG,
|
||
|
+ "network_netmask_match: tok=%s is a TTY", tok);
|
||
|
+ return NO;
|
||
|
+ }
|
||
|
+
|
||
|
/*
|
||
|
- * It is either an IP address or a hostname.
|
||
|
+ * It is most likely a hostname.
|
||
|
* Let getaddrinfo sort everything out
|
||
|
*/
|
||
|
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|