Diffstat (limited to 'patches-applied/055_pam_unix_nullok_secure')
-rw-r--r-- | patches-applied/055_pam_unix_nullok_secure | 196 |
1 files changed, 0 insertions, 196 deletions
diff --git a/patches-applied/055_pam_unix_nullok_secure b/patches-applied/055_pam_unix_nullok_secure
deleted file mode 100644
index 98e1909d..00000000
--- a/patches-applied/055_pam_unix_nullok_secure
+++ /dev/null
@@ -1,196 +0,0 @@
-Debian patch to add a new 'nullok_secure' option to pam_unix, which
-accepts users with null passwords only when the applicant is connected
-from a tty listed in /etc/securetty.
-
-Authors: Sam Hartman <hartmans@debian.org>,
- Steve Langasek <vorlon@debian.org>
-
-Upstream status: not yet submitted
-
-Index: Linux-PAM/modules/pam_unix/support.c
-===================================================================
---- Linux-PAM/modules/pam_unix/support.c.orig
-+++ Linux-PAM/modules/pam_unix/support.c
-@@ -87,15 +87,22 @@
- /* now parse the arguments to this module */
-
- while (argc-- > 0) {
-- int j;
-+ int j, sl;
-
- D(("pam_unix arg: %s", *argv));
-
- for (j = 0; j < UNIX_CTRLS_; ++j) {
-- if (unix_args[j].token
-- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token)))
-- {
-- break;
-+ if (unix_args[j].token) {
-+ sl = strlen(unix_args[j].token);
-+ if (unix_args[j].token[sl-1] == '=') {
-+ /* exclude argument from comparison */
-+ if (!strncmp(*argv, unix_args[j].token, sl))
-+ break;
-+ } else {
-+ /* compare full strings */
-+ if (!strcmp(*argv, unix_args[j].token))
-+ break;
-+ }
- }
- }
-
-@@ -472,6 +479,17 @@
- if (salt)
- _pam_delete(salt);
-
-+ if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) {
-+ int retval2;
-+ const void *uttyname;
-+ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
-+ if (retval2 != PAM_SUCCESS || uttyname == NULL)
-+ return 0;
-+
-+ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
-+ return 0;
-+ }
-+
- return retval;
- }
-
-@@ -692,7 +710,7 @@
- int salt_len = strlen(salt);
- if (!salt_len) {
- /* the stored password is NULL */
-- if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
-+ if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */
- D(("user has empty password - access granted"));
- retval = PAM_SUCCESS;
- } else {
-Index: Linux-PAM/modules/pam_unix/support.h
-===================================================================
---- Linux-PAM/modules/pam_unix/support.h.orig
-+++ Linux-PAM/modules/pam_unix/support.h
-@@ -87,8 +87,9 @@
- #define UNIX_MAX_PASS_LEN 23 /* internal, for compatibility only */
- #define UNIX_MIN_PASS_LEN 24 /* Min length for password */
- #define UNIX_OBSCURE_CHECKS 25 /* enable obscure checks on passwords */
-+#define UNIX_NULLOK_SECURE 26 /* NULL passwords allowed only on secure ttys */
- /* -------------- */
--#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */
-
-
- static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
-@@ -105,7 +106,7 @@
- /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40},
- /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80},
- /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100},
--/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200},
-+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x1000000), 0x200},
- /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400},
- /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800},
- /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000},
-@@ -122,6 +123,7 @@
- /* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0},
- /* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x400000},
- /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x800000},
-+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x1000000},
- };
-
- #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-@@ -157,6 +159,9 @@
- ,const void **pass);
- extern int _unix_shadowed(const struct passwd *pwd);
-
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+ const char *uttyname);
-+
- extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user);
-
- extern unsigned int pass_min_len;
-Index: Linux-PAM/modules/pam_unix/Makefile.am
-===================================================================
---- Linux-PAM/modules/pam_unix/Makefile.am.orig
-+++ Linux-PAM/modules/pam_unix/Makefile.am
-@@ -44,6 +44,9 @@
- pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
- yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
-
-+pam_unix_la_LIBADD = \
-+ ../pam_securetty/tty_secure.lo
-+
- bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
- bigcrypt_CFLAGS = $(AM_CFLAGS)
- bigcrypt_LDFLAGS = @LIBCRYPT@
-Index: Linux-PAM/modules/pam_unix/README
-===================================================================
---- Linux-PAM/modules/pam_unix/README.orig
-+++ Linux-PAM/modules/pam_unix/README
-@@ -57,7 +57,16 @@
-
- The default action of this module is to not permit the user access to a
- service if their official password is blank. The nullok argument overrides
-- this default.
-+ this default and allows any user with a blank password to access the
-+ service.
-+
-+nullok_secure
-+
-+ The default action of this module is to not permit the user access to a
-+ service if their official password is blank. The nullok_secure argument
-+ overrides this default and allows any user with a blank password to access
-+ the service as long as the value of PAM_TTY is set to one of the values
-+ found in /etc/securetty.
-
- try_first_pass
-
-Index: Linux-PAM/modules/pam_unix/pam_unix.8
-===================================================================
---- Linux-PAM/modules/pam_unix/pam_unix.8.orig
-+++ Linux-PAM/modules/pam_unix/pam_unix.8
-@@ -62,7 +62,14 @@
- .RS 4
- The default action of this module is to not permit the user access to a service if their official password is blank\. The
- \fBnullok\fR
--argument overrides this default\.
-+argument overrides this default and allows any user with a blank password to access the service\.
-+.RE
-+.PP
-+\fBnullok_secure\fR
-+.RS 4
-+The default action of this module is to not permit the user access to a service if their official password is blank\. The
-+\fBnullok_secure\fR
-+argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\.
- .RE
- .PP
- \fBtry_first_pass\fR
-Index: Linux-PAM/modules/pam_unix/pam_unix.8.xml
-===================================================================
---- Linux-PAM/modules/pam_unix/pam_unix.8.xml.orig
-+++ Linux-PAM/modules/pam_unix/pam_unix.8.xml
-@@ -135,7 +135,24 @@
- <para>
- The default action of this module is to not permit the
- user access to a service if their official password is blank.
-- The <option>nullok</option> argument overrides this default.
-+ The <option>nullok</option> argument overrides this default
-+ and allows any user with a blank password to access the
-+ service.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>nullok_secure</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The default action of this module is to not permit the
-+ user access to a service if their official password is blank.
-+ The <option>nullok_secure</option> argument overrides this
-+ default and allows any user with a blank password to access
-+ the service as long as the value of PAM_TTY is set to one of
-+ the values found in /etc/securetty.
- </para>
- </listitem>
- </varlistentry> |