From: Peter Avalos
Date: Mon, 29 Dec 2008 01:20:17 +0000 (-0500)
Subject: Lock out authentication if the account has been locked by pw(8).
X-Git-Tag: v2.3.0~150
X-Git-Url: https://gitweb.dragonflybsd.org/~nant/dragonfly.git/commitdiff_plain/0d96fe5a0ed65ace5a06125976a01848fd041dd2

Lock out authentication if the account has been locked by pw(8).

In account management, verify whether the account has been locked with `pw lock', so that it's impossible to log into a locked account using an alternative authentication mechanism, such as an ssh key. This change affects only accounts locked with pw(8), i.e., having a `*LOCKED*' prefix in their password hash field, so people still can use a different pattern to disable password authentication only.

Also, clean out some (void) casts and use libypclnt.

Obtained-from: FreeBSD
---
diff --git a/Makefile.inc1 b/Makefile.inc1
index a0bcd0b56c..3291955eb8 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -891,7 +891,7 @@ _generic_libs+= kerberos5/lib
 _prebuild_libs+= lib/libcom_err lib/libcrypt lib/libmd \
 	lib/libncurses/libncurses lib/libopie lib/libradius \
 	lib/libsbuf lib/libskey lib/libtacplus lib/libm \
-	lib/libpam lib/lib${THREAD_LIB}
+	lib/libpam lib/libypclnt lib/lib${THREAD_LIB}
 
 lib/libopie__L lib/libradius__L lib/libtacplus__L: lib/libmd__L
 lib/libskey__L: lib/libcrypt__L lib/libmd__L
diff --git a/lib/pam_module/pam_unix/Makefile b/lib/pam_module/pam_unix/Makefile
index ff393d9e70..e34181834e 100644
--- a/lib/pam_module/pam_unix/Makefile
+++ b/lib/pam_module/pam_unix/Makefile
@@ -7,6 +7,10 @@ MAN= pam_unix.8
 DPADD= ${LIBCRYPT} ${LIBUTIL}
 LDADD= -lcrypt -lutil
 
-.include
+.if !defined(NO_NIS)
+CFLAGS+= -DYP
+DPADD+= ${LIBYPCLNT}
+LDADD+= -lypclnt
+.endif
 
-.PATH: ${OPENPAM_DIR}/modules/pam_unix
+.include
diff --git a/lib/pam_module/pam_unix/pam_unix.8 b/lib/pam_module/pam_unix/pam_unix.8
index 6f11b2fbfb..62947a3681 100644
--- a/lib/pam_module/pam_unix/pam_unix.8
+++ b/lib/pam_module/pam_unix/pam_unix.8
@@ -32,10 +32,10 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.11 2005/01/21 10:44:10 ru Exp $ +.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.13 2007/03/27 09:59:15 yar Exp $ .\" $DragonFly: src/lib/pam_module/pam_unix/pam_unix.8,v 1.1 2005/08/01 16:15:19 joerg Exp $ .\" -.Dd November 26, 2001 +.Dd March 27, 2007 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -52,15 +52,16 @@ The .Ux authentication service module for PAM, .Nm -provides functionality for two PAM categories: -authentication -and account management. +provides functionality for three PAM categories: +authentication, +account management, and password management. In terms of the .Ar module-type parameter, they are the -.Dq Li auth +.Dq Li auth , +.Dq Li account , and -.Dq Li account +.Dq Li password features. It also provides a null function for session management. .Ss Ux Ss Authentication Module @@ -142,8 +143,20 @@ provides a function to perform account management, .Fn pam_sm_acct_mgmt . The function verifies that the authenticated user -is allowed to login to the local user account -by checking the password expiry date. +is allowed to log into the local user account +by checking the following criteria: +.Bl -dash -offset indent +.It +locked status of the account compatible with +.Xr pw 8 +.Cm lock ; +.It +the password expiry date from +.Xr passwd 5 ; +.It +.Xr login.conf 5 +restrictions on the remote host, login time, and tty. +.El .Pp The following options may be passed to the management module: .Bl -tag -width ".Cm use_first_pass" @@ -157,7 +170,7 @@ level. The .Ux password management component -provides a function to perform account management, +provides a function to perform password management, .Fn pam_sm_chauthtok . The function changes the user's password. @@ -199,4 +212,5 @@ password database. .Xr nsswitch.conf 5 , .Xr passwd 5 , .Xr pam 8 , +.Xr pw 8 , .Xr yp 8 
diff --git a/lib/pam_module/pam_unix/pam_unix.c b/lib/pam_module/pam_unix/pam_unix.c
index bd5e6dbff8..a2cf30cbef 100644
--- a/lib/pam_module/pam_unix/pam_unix.c
+++ b/lib/pam_module/pam_unix/pam_unix.c
@@ -33,7 +33,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.51 2005/07/05 18:42:18 des Exp $
+ * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.53 2007/12/21 12:00:16 des Exp $
  * $DragonFly: src/lib/pam_module/pam_unix/pam_unix.c,v 1.1 2005/08/01 16:15:19 joerg Exp $
  */
 
@@ -70,6 +70,9 @@
 #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
 #define SALTSIZE 32
 
+#define LOCKED_PREFIX "*LOCKED*"
+#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)
+
 static void makesalt(char []);
 
 static char password_hash[] = PASSWORD_HASH;
@@ -126,6 +129,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (strcmp(crypt(pass, realpw), realpw) == 0)
 		return (PAM_SUCCESS);
 
+	PAM_VERBOSE_ERROR("UNIX authentication refused");
 	return (PAM_AUTH_ERR);
 }
 
@@ -175,6 +179,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
 	    (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
 		return (PAM_NEW_AUTHTOK_REQD);
 
+	if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
+		return (PAM_AUTH_ERR);
+
 	lc = login_getpwclass(pwd);
 	if (lc == NULL) {
 		PAM_LOG("Unable to get login class for user %s", user);
@@ -268,7 +275,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 	struct passwd *pwd, *old_pwd;
 	const char *user, *old_pass, *new_pass;
 	char *encrypted;
-	int pfd, tfd, retval = PAM_ABORT;
+	int pfd, tfd, retval;
 
 	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
 		pwd = getpwnam(getlogin());
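Review bot: The new locked-account check in pam_sm_acct_mgmt returns PAM_AUTH_ERR silently, whereas the neighbouring failure path in the same hunk records what happened with `PAM_LOG("Unable to get login class for user %s", user);`; a login attempt against a `*LOCKED*` account is precisely the event an administrator wants to see in the log, and `user` is already in scope here. Suggest `PAM_LOG("Account %s is locked", user);` immediately before the `return (PAM_AUTH_ERR);`. A one-line comment above the strncmp such as `/* pw(8) lock: refuse the account whatever auth mechanism succeeded */` would also record why this lives in account management rather than in pam_sm_authenticate, which is the point the commit message makes but the code does not. pam_sm_acct_mgmt starts and ends outside this hunk.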
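Review bot: Dropping the `= PAM_ABORT` initializer from `int pfd, tfd, retval;` in pam_sm_chauthtok means the function now depends on every path assigning retval before the common return; the body runs well past this hunk, so that cannot be verified from here. If a path is missed, the module returns an indeterminate PAM code (undefined behaviour in C), which for a password-change function is a worse failure mode than a stray PAM_ABORT. If the initializer was removed so the compiler can flag a missed assignment, please confirm the build is clean under `-Wall -Wextra` (GCC's uninitialized-use warning) or keep `retval = PAM_ABORT` as the fail-closed default.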
@@ -288,23 +295,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 
 	PAM_LOG("PRELIM round");
 
-	if (getuid() == 0
-#if 0
-	    && (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES
-#endif
-	    )
+	if (getuid() == 0 &&
+	    (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES)
 		/* root doesn't need the old password */
 		return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
 #ifdef YP
-	if (getuid() == 0
-#if 0
-	    && (pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS
-#endif
-	    ) {
+	if (getuid() == 0 &&
+	    (pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) {
 
 		yp_domain = yp_server = NULL;
-		(void)pam_get_data(pamh, "yp_domain", &yp_domain);
-		(void)pam_get_data(pamh, "yp_server", &yp_server);
+		pam_get_data(pamh, "yp_domain", &yp_domain);
+		pam_get_data(pamh, "yp_server", &yp_server);
 
 		ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server);
 		if (ypclnt == NULL)
@@ -406,8 +407,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 		break;
 	case _PWF_NIS:
 		yp_domain = yp_server = NULL;
-		(void)pam_get_data(pamh, "yp_domain", &yp_domain);
-		(void)pam_get_data(pamh, "yp_server", &yp_server);
+		pam_get_data(pamh, "yp_domain", &yp_domain);
+		pam_get_data(pamh, "yp_server", &yp_server);
 
 		ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server);
 		if (ypclnt == NULL) {
diff --git a/share/mk/bsd.libnames.mk b/share/mk/bsd.libnames.mk
index 11319b05db..fd8c458b54 100644
--- a/share/mk/bsd.libnames.mk
+++ b/share/mk/bsd.libnames.mk
@@ -110,6 +110,7 @@ LIBUTIL?= ${DESTDIR}${LIBDIR}/libutil.a
 LIBWRAP?= ${DESTDIR}${LIBDIR}/libwrap.a
 LIBXPG4?= ${DESTDIR}${LIBDIR}/libxpg4.a
 LIBY?= ${DESTDIR}${LIBDIR}/liby.a
+LIBYPCLNT?= ${DESTDIR}${LIBDIR}/libypclnt.a
 LIBZ?= ${DESTDIR}${LIBDIR}/libz.a
 
 THREAD_LIB?= thread_xu