Compare commits
No commits in common. 'c9' and 'c9-beta' have entirely different histories.
@ -1,211 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml
|
|
||||||
--- Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip 2020-11-25 17:57:02.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml 2024-11-21 10:04:58.553127026 +0100
|
|
||||||
@@ -226,6 +226,14 @@
|
|
||||||
item and the line will be most probably ignored. For this reason, it is not
|
|
||||||
recommended to put spaces around the ':' characters.
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ An IPv6 link local host address must contain the interface
|
|
||||||
+ identifier. IPv6 link local network/netmask is not supported.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
|
|
||||||
+ confusion with device names or PAM service names.
|
|
||||||
+ </para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1 id="access.conf-see_also">
|
|
||||||
diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml
|
|
||||||
--- Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip 2020-11-25 17:57:02.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml 2024-11-21 10:04:58.553127026 +0100
|
|
||||||
@@ -25,11 +25,14 @@
|
|
||||||
<arg choice="opt">
|
|
||||||
debug
|
|
||||||
</arg>
|
|
||||||
+ <arg choice="opt" rep="norepeat">
|
|
||||||
+ noaudit
|
|
||||||
+ </arg>
|
|
||||||
<arg choice="opt">
|
|
||||||
nodefgroup
|
|
||||||
</arg>
|
|
||||||
- <arg choice="opt">
|
|
||||||
- noaudit
|
|
||||||
+ <arg choice="opt" rep="norepeat">
|
|
||||||
+ nodns
|
|
||||||
</arg>
|
|
||||||
<arg choice="opt">
|
|
||||||
accessfile=<replaceable>file</replaceable>
|
|
||||||
@@ -114,7 +117,46 @@
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>
|
|
||||||
- <option>fieldsep=<replaceable>separators</replaceable></option>
|
|
||||||
+ nodefgroup
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ User tokens which are not enclosed in parentheses will not be
|
|
||||||
+ matched against the group database. The backwards compatible default is
|
|
||||||
+ to try the group database match even for tokens not enclosed
|
|
||||||
+ in parentheses.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ nodns
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Do not try to resolve tokens as hostnames, only IPv4 and IPv6
|
|
||||||
+ addresses will be resolved. Which means to allow login from a
|
|
||||||
+ remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ quiet_log
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Do not log denials with
|
|
||||||
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ fieldsep=separators
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
@@ -152,20 +194,6 @@
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
-
|
|
||||||
- <varlistentry>
|
|
||||||
- <term>
|
|
||||||
- <option>nodefgroup</option>
|
|
||||||
- </term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- User tokens which are not enclosed in parentheses will not be
|
|
||||||
- matched against the group database. The backwards compatible default is
|
|
||||||
- to try the group database match even for tokens not enclosed
|
|
||||||
- in parentheses.
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.c
|
|
||||||
--- Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip 2024-11-21 10:04:58.547127010 +0100
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_access/pam_access.c 2024-11-21 10:04:58.553127026 +0100
|
|
||||||
@@ -92,6 +92,7 @@ struct login_info {
|
|
||||||
int debug; /* Print debugging messages. */
|
|
||||||
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
|
|
||||||
int noaudit; /* Do not audit denials */
|
|
||||||
+ int nodns; /* Do not try to resolve tokens as hostnames */
|
|
||||||
const char *fs; /* field separator */
|
|
||||||
const char *sep; /* list-element separator */
|
|
||||||
int from_remote_host; /* If PAM_RHOST was used for from */
|
|
||||||
@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct lo
|
|
||||||
loginfo->only_new_group_syntax = YES;
|
|
||||||
} else if (strcmp (argv[i], "noaudit") == 0) {
|
|
||||||
loginfo->noaudit = YES;
|
|
||||||
+ } else if (strcmp (argv[i], "nodns") == 0) {
|
|
||||||
+ loginfo->nodns = YES;
|
|
||||||
} else {
|
|
||||||
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
|
|
||||||
}
|
|
||||||
@@ -700,6 +703,39 @@ string_match (pam_handle_t *pamh, const
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+is_device (pam_handle_t *pamh, const char *tok)
|
|
||||||
+{
|
|
||||||
+ struct stat st;
|
|
||||||
+ const char *dev = "/dev/";
|
|
||||||
+ char *devname;
|
|
||||||
+
|
|
||||||
+ devname = malloc (strlen(dev) + strlen (tok) + 1);
|
|
||||||
+ if (devname == NULL) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
|
|
||||||
+ /*
|
|
||||||
+ * We should return an error and abort, but pam_access has no good
|
|
||||||
+ * error handling.
|
|
||||||
+ */
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ char *cp = stpcpy (devname, dev);
|
|
||||||
+ strcpy (cp, tok);
|
|
||||||
+
|
|
||||||
+ if (lstat(devname, &st) != 0)
|
|
||||||
+ {
|
|
||||||
+ free (devname);
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+ free (devname);
|
|
||||||
+
|
|
||||||
+ if (S_ISCHR(st.st_mode))
|
|
||||||
+ return YES;
|
|
||||||
+
|
|
||||||
+ return NO;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* network_netmask_match - match a string against one token
|
|
||||||
* where string is a hostname or ip (v4,v6) address and tok
|
|
||||||
* represents either a hostname, a single ip (v4,v6) address
|
|
||||||
@@ -761,10 +797,42 @@ network_netmask_match (pam_handle_t *pam
|
|
||||||
return NO;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ else if (isipaddr(tok, NULL, NULL) == YES)
|
|
||||||
+ {
|
|
||||||
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
|
||||||
+ {
|
|
||||||
+ if (item->debug)
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
|
|
||||||
+
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+ netmask_ptr = NULL;
|
|
||||||
+ }
|
|
||||||
+ else if (item->nodns)
|
|
||||||
+ {
|
|
||||||
+ /* Only hostnames are left, which we would need to resolve via DNS */
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
{
|
|
||||||
+ /* Bail out on X11 Display entries and ttys. */
|
|
||||||
+ if (tok[0] == ':')
|
|
||||||
+ {
|
|
||||||
+ if (item->debug)
|
|
||||||
+ pam_syslog (pamh, LOG_DEBUG,
|
|
||||||
+ "network_netmask_match: tok=%s is X11 display", tok);
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+ if (is_device (pamh, tok))
|
|
||||||
+ {
|
|
||||||
+ if (item->debug)
|
|
||||||
+ pam_syslog (pamh, LOG_DEBUG,
|
|
||||||
+ "network_netmask_match: tok=%s is a TTY", tok);
|
|
||||||
+ return NO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
- * It is either an IP address or a hostname.
|
|
||||||
+ * It is most likely a hostname.
|
|
||||||
* Let getaddrinfo sort everything out
|
|
||||||
*/
|
|
||||||
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
|
@ -1,114 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.5.1/modules/pam_unix/passverify.c.fail1 Linux-PAM-1.5.1/modules/pam_unix/passverify.c
|
|
||||||
--- Linux-PAM-1.5.1/modules/pam_unix/passverify.c.fail1 2024-11-04 11:42:51.962791265 +0100
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_unix/passverify.c 2024-11-04 11:45:18.246218579 +0100
|
|
||||||
@@ -239,17 +239,21 @@ PAMH_ARG_DECL(int get_account_info,
|
|
||||||
return PAM_UNIX_RUN_HELPER;
|
|
||||||
#endif
|
|
||||||
} else if (is_pwd_shadowed(*pwd)) {
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
/*
|
|
||||||
- * ...and shadow password file entry for this user,
|
|
||||||
+ * shadow password file entry for this user,
|
|
||||||
* if shadowing is enabled
|
|
||||||
*/
|
|
||||||
-#ifndef HELPER_COMPILE
|
|
||||||
- if (geteuid() || SELINUX_ENABLED)
|
|
||||||
- return PAM_UNIX_RUN_HELPER;
|
|
||||||
-#endif
|
|
||||||
- *spwdent = pam_modutil_getspnam(pamh, name);
|
|
||||||
+ *spwdent = getspnam(name);
|
|
||||||
if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
|
|
||||||
return PAM_AUTHINFO_UNAVAIL;
|
|
||||||
+#else
|
|
||||||
+ /*
|
|
||||||
+ * The helper has to be invoked to deal with
|
|
||||||
+ * the shadow password file entry.
|
|
||||||
+ */
|
|
||||||
+ return PAM_UNIX_RUN_HELPER;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return PAM_USER_UNKNOWN;
|
|
||||||
|
|
||||||
|
|
||||||
From 8d0c575336ad301cd14e16ad2fdec6fe621764b8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergei Trofimovich <slyich@gmail.com>
|
|
||||||
Date: Thu, 28 Mar 2024 21:58:35 +0000
|
|
||||||
Subject: [PATCH] pam_unix: allow empty passwords with non-empty hashes
|
|
||||||
|
|
||||||
Before the change pam_unix has different behaviours for a user with
|
|
||||||
empty password for these two `/etc/shadow` entries:
|
|
||||||
|
|
||||||
nulloktest:$6$Yy4ty2jJ$bsVQWo8qlXC6UHq1/qTC3UR60ZJKmKApJ3Wj7DreAy8FxlVKtlDnplFQ7jMLVlDqordE7e4t49GvTb.aI59TP0:1::::::
|
|
||||||
nulloktest::1::::::
|
|
||||||
|
|
||||||
The entry with a hash was rejected and the entry without was accepted.
|
|
||||||
|
|
||||||
The rejection happened because 9e74e90147c "pam_unix: avoid determining
|
|
||||||
if user exists" introduced the following rejection check (slightly
|
|
||||||
simplified):
|
|
||||||
|
|
||||||
...
|
|
||||||
} else if (p[0] == '\0' && nullok) {
|
|
||||||
if (hash[0] != '\0') {
|
|
||||||
retval = PAM_AUTH_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
We should not reject the user with a hash assuming it's non-empty.
|
|
||||||
The change does that by pushing empty password check into
|
|
||||||
`verify_pwd_hash()`.
|
|
||||||
|
|
||||||
`NixOS` generates such hashed entries for empty passwords as if they
|
|
||||||
were non-empty using the following perl code:
|
|
||||||
|
|
||||||
sub hashPassword {
|
|
||||||
my ($password) = @_;
|
|
||||||
my $salt = "";
|
|
||||||
my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
|
|
||||||
$salt .= $chars[rand 64] for (1..8);
|
|
||||||
return crypt($password, '$6$' . $salt . '$');
|
|
||||||
}
|
|
||||||
|
|
||||||
Resolves: https://github.com/linux-pam/linux-pam/issues/758
|
|
||||||
Fixes: 9e74e90147c "pam_unix: avoid determining if user exists"
|
|
||||||
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
|
|
||||||
---
|
|
||||||
modules/pam_unix/passverify.c | 14 ++++++--------
|
|
||||||
1 file changed, 6 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
||||||
index 30045333..1c83f1aa 100644
|
|
||||||
--- a/modules/pam_unix/passverify.c
|
|
||||||
+++ b/modules/pam_unix/passverify.c
|
|
||||||
@@ -76,9 +76,13 @@ PAMH_ARG_DECL(int verify_pwd_hash,
|
|
||||||
|
|
||||||
strip_hpux_aging(hash);
|
|
||||||
hash_len = strlen(hash);
|
|
||||||
- if (!hash_len) {
|
|
||||||
+
|
|
||||||
+ if (p && p[0] == '\0' && !nullok) {
|
|
||||||
+ /* The passed password is empty */
|
|
||||||
+ retval = PAM_AUTH_ERR;
|
|
||||||
+ } else if (!hash_len) {
|
|
||||||
/* the stored password is NULL */
|
|
||||||
- if (nullok) { /* this means we've succeeded */
|
|
||||||
+ if (p && p[0] == '\0' && nullok) { /* this means we've succeeded */
|
|
||||||
D(("user has empty password - access granted"));
|
|
||||||
retval = PAM_SUCCESS;
|
|
||||||
} else {
|
|
||||||
@@ -1109,12 +1113,6 @@ helper_verify_password(const char *name, const char *p, int nullok)
|
|
||||||
if (pwd == NULL || hash == NULL) {
|
|
||||||
helper_log_err(LOG_NOTICE, "check pass; user unknown");
|
|
||||||
retval = PAM_USER_UNKNOWN;
|
|
||||||
- } else if (p[0] == '\0' && nullok) {
|
|
||||||
- if (hash[0] == '\0') {
|
|
||||||
- retval = PAM_SUCCESS;
|
|
||||||
- } else {
|
|
||||||
- retval = PAM_AUTH_ERR;
|
|
||||||
- }
|
|
||||||
} else {
|
|
||||||
retval = verify_pwd_hash(p, hash, nullok);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.47.0
|
|
||||||
|
|
Loading…
Reference in new issue