From: "Dmitry V. Levin" <ldv@altlinux.org> To: kbd@lists.altlinux.org Subject: [kbd] [PATCH 1/3] vlock: implement PAM account and password management Date: Mon, 25 Nov 2013 01:48:12 +0400 Message-ID: <20131124214808.GA20405@altlinux.org> (raw) There seems to be a tradition for lockers to implement PAM account and password management (account validation, changing expired passwords, refreshing credentials) like login programs do. Note that vlock may or may not need extra credentials to do account and password management depending on the authentication scheme in use. For example, in case of the tcb password shadowing scheme implemented by pam_tcb, to authenticate the user, vlock should be installed as a SGID-chkpwd executable to access tcb_chkpwd helper (which in turn is usually installed as a more privileged SGID-shadow executable). To perform account and password management, vlock should be installed as a SGID-shadow executable itself (like passwd utility with the tcb password shadowing scheme). In case of the traditional password shadowing scheme implemented by pam_unix, vlock needs no extra privileges to authenticate the user (because of no restrictions to access unix_chkpwd helper), but should be installed as a SUID-root executable to perform account and password management (like passwd utility with the traditional password shadowing scheme). Fixes RH#913311. --- src/vlock/auth.c | 38 +++++++++++++++++++++++++++++++++++++- src/vlock/vlock.pamd | 2 ++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/src/vlock/auth.c b/src/vlock/auth.c index 71c8f15..cac877c 100644 --- a/src/vlock/auth.c +++ b/src/vlock/auth.c @@ -4,7 +4,7 @@ PAM authentication routine for vlock, the VT locking program for linux. Copyright (C) 1994-1998 Michael K. Johnson <johnsonm@redhat.com> - Copyright (C) 2002, 2005 Dmitry V. Levin <ldv@altlinux.org> + Copyright (C) 2002, 2005, 2013 Dmitry V. Levin <ldv@altlinux.org> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -36,6 +36,25 @@ /* Unrecognized PAM error timeout. */ #define ERROR_TIMEOUT 10 +static int +do_account_password_management (pam_handle_t *pamh) +{ + int rc; + + /* Whether the authenticated user is allowed to log in? */ + rc = pam_acct_mgmt (pamh, 0); + + /* Do we need to prompt the user for a new password? */ + if (rc == PAM_NEW_AUTHTOK_REQD) + rc = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + + /* Extend the lifetime of the existing credentials. */ + if (rc == PAM_SUCCESS) + rc = pam_setcred (pamh, PAM_REFRESH_CRED); + + return rc; +} + int get_password (pam_handle_t * pamh, const char *username, const char *tty) { @@ -84,6 +103,23 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty) switch (rc) { case PAM_SUCCESS: + rc = do_account_password_management (pamh); + + if (rc != PAM_SUCCESS) + { + /* + * The user was authenticated but + * either account or password management + * returned an error. + */ + printf ("%s.\n\n\n", + pam_strerror (pamh, rc)); + fflush (stdout); + pam_end (pamh, rc); + pamh = 0; + break; + } + pam_end (pamh, rc); /* Log the fact of console unlocking. */ syslog (LOG_NOTICE, diff --git a/src/vlock/vlock.pamd b/src/vlock/vlock.pamd index b9d1c18..2e33786 100644 --- a/src/vlock/vlock.pamd +++ b/src/vlock/vlock.pamd @@ -1,2 +1,4 @@ #%PAM-1.0 auth include system-auth +account include system-auth +password include system-auth -- ldv
next reply other threads:[~2013-11-24 21:48 UTC|newest] Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-11-24 21:48 Dmitry V. Levin [this message] 2013-11-25 18:07 ` Alexey Gladkov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20131124214808.GA20405@altlinux.org \ --to=ldv@altlinux.org \ --cc=kbd@lists.altlinux.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux console tools development discussion This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/kbd/0 kbd/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 kbd kbd/ http://lore.altlinux.org/kbd \ kbd@lists.altlinux.org kbd@lists.altlinux.ru kbd@lists.altlinux.com public-inbox-index kbd Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.kbd AGPL code for this site: git clone https://public-inbox.org/public-inbox.git