From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Mon, 25 Nov 2013 01:48:12 +0400 From: "Dmitry V. Levin" To: kbd@lists.altlinux.org Message-ID: <20131124214808.GA20405@altlinux.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Subject: [kbd] [PATCH 1/3] vlock: implement PAM account and password management X-BeenThere: kbd@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: Linux console tools development discussion List-Id: Linux console tools development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Nov 2013 21:48:15 -0000 Archived-At: List-Archive: There seems to be a tradition for lockers to implement PAM account and password management (account validation, changing expired passwords, refreshing credentials) like login programs do. Note that vlock may or may not need extra credentials to do account and password management depending on the authentication scheme in use. For example, in case of the tcb password shadowing scheme implemented by pam_tcb, to authenticate the user, vlock should be installed as a SGID-chkpwd executable to access tcb_chkpwd helper (which in turn is usually installed as a more privileged SGID-shadow executable). To perform account and password management, vlock should be installed as a SGID-shadow executable itself (like passwd utility with the tcb password shadowing scheme). In case of the traditional password shadowing scheme implemented by pam_unix, vlock needs no extra privileges to authenticate the user (because of no restrictions to access unix_chkpwd helper), but should be installed as a SUID-root executable to perform account and password management (like passwd utility with the traditional password shadowing scheme). Fixes RH#913311. --- src/vlock/auth.c | 38 +++++++++++++++++++++++++++++++++++++- src/vlock/vlock.pamd | 2 ++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/src/vlock/auth.c b/src/vlock/auth.c index 71c8f15..cac877c 100644 --- a/src/vlock/auth.c +++ b/src/vlock/auth.c @@ -4,7 +4,7 @@ PAM authentication routine for vlock, the VT locking program for linux. Copyright (C) 1994-1998 Michael K. Johnson - Copyright (C) 2002, 2005 Dmitry V. Levin + Copyright (C) 2002, 2005, 2013 Dmitry V. Levin This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -36,6 +36,25 @@ /* Unrecognized PAM error timeout. */ #define ERROR_TIMEOUT 10 +static int +do_account_password_management (pam_handle_t *pamh) +{ + int rc; + + /* Whether the authenticated user is allowed to log in? */ + rc = pam_acct_mgmt (pamh, 0); + + /* Do we need to prompt the user for a new password? */ + if (rc == PAM_NEW_AUTHTOK_REQD) + rc = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + + /* Extend the lifetime of the existing credentials. */ + if (rc == PAM_SUCCESS) + rc = pam_setcred (pamh, PAM_REFRESH_CRED); + + return rc; +} + int get_password (pam_handle_t * pamh, const char *username, const char *tty) { @@ -84,6 +103,23 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty) switch (rc) { case PAM_SUCCESS: + rc = do_account_password_management (pamh); + + if (rc != PAM_SUCCESS) + { + /* + * The user was authenticated but + * either account or password management + * returned an error. + */ + printf ("%s.\n\n\n", + pam_strerror (pamh, rc)); + fflush (stdout); + pam_end (pamh, rc); + pamh = 0; + break; + } + pam_end (pamh, rc); /* Log the fact of console unlocking. */ syslog (LOG_NOTICE, diff --git a/src/vlock/vlock.pamd b/src/vlock/vlock.pamd index b9d1c18..2e33786 100644 --- a/src/vlock/vlock.pamd +++ b/src/vlock/vlock.pamd @@ -1,2 +1,4 @@ #%PAM-1.0 auth include system-auth +account include system-auth +password include system-auth -- ldv