| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
|
| |
The asprintf function is considered as given for current code already.
Use it instead of calling malloc + strcpy + strcat manually.
Reported-by: Benny Baumann <BenBE@geshi.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
| |
Very long strings could overflow the int data type. Make sure to use
the correct data type.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
The C standard guarantees that if the argument of free() is a null
pointer, no action occurs.
|
| |
|
|
|
|
|
| |
If sp_min or sp_warn are set to 0 or empty (-1), then their respective
features are disabled according to shadow(5).
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
According to shadow(5) manual page, an empty sp_lstchg field implies
that password aging is disabled.
This indeed is in sync with shadow's isexpired function.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The shadow library uses "greater than or equal to" checks instead of
current "greater than" checks in pam_unix.
The account expiry check is already "greater than or equal to" so this
adjustment can even be argued without making references to other
projects.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
The combination of snprintf and fputs is not needed. It is possible to
call fprintf directly. The previously ignored return value of snprintf
is covered this way as well.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to trigger signed integer overflows in
check_shadow_expiry if /etc/shadow contains very large values.
Since these values have to be set by a system administrator, it would
already count as a configuration error.
Yet, avoid overflows which would consider accounts which are supposed
to be valid for a veeery long time as already invalid. Also, it would
be undefined behavior for almost all C standards.
Also consider every negative value as invalid, not just -1. The shadow
project has different ways of handling these values, but this approach
is in sync with its lib/isexpired.c implementation.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
| |
Print an error in syslog if an integer could not be converted.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to have a mismatch between ENCRYPT_METHOD in login.defs
and an argument given specifically to pam_unix.so.
If pam_unix.so receives the argument "yescrypt" but ENCRYPT_METHOD is
set to SHA512, then SHA_CRYPT_MAX_ROUNDS is parsed from login.defs and
used as rounds for yescrypt -- except if rounds are specificially
given as an argument to pam_unix.so as well.
Read the correct rounds from login.defs after all arguments are parsed
and no rounds were specified to figure out which one will eventually be
used.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is possible to trigger an out of boundary read with very long
usernames (strlen's result is stored in an int) or, with even
longer usernames, match other users with same prefix. This would
mean that roott[and lots of t's following] could match root user.
Also do not allow ':' in names when iterating through the passwd
file this way.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
Retrieves YESCRYPT_COST_FACTOR from /etc/login.defs for yescrypt
in a similar fashion to reading number of rounds for SHA-2.
Resolves #607.
Signed-off-by: Nathan Du <nathandu@outlook.com>
|
| |
|
|
|
|
|
|
| |
When printing the current day and when the password was last changed,
a truncation of the value could happen due to incorrect data types used
in the format string.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
|
| |
|
|
|
|
|
| |
The value of pp can potentially be NULL. This handles this case when
printing debug output.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
|
| |
|
|
|
|
|
|
|
|
| |
The debug message was placed outside the password length check and thus
if the length check succeeded no message would have been placed.
Comparing this location with other occurrences indicates this was by mistake,
thus the message is now suppressed if there's nothing to print anyway.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
|
| |
|
|
|
|
|
| |
It is not required to cast the results of calloc, malloc,
realloc, etc.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
Character handling functions, like isspace(3), expect a value
representable as unsigned char or equal to EOF. Otherwise the behavior
is undefined.
See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
|
| |
|
|
|
|
|
|
| |
This change improves the fallback values for the "rounds" parameter for
yescrypt and blowfish by using the smallest reasonable value if the
user sets a too low value and by using the highest reasonable value
if the user sets a too high value. This better realizes user intent
and is consistent with the approach taken for SHA256.
|
| |
|
|
|
|
| |
configure.ac: Disable NIS if RPC or YP header files are missing
modules/pam_unix/support.c: Use HAVE_NIS to check for header file presence
modules/pam_unix/pam_unix_passwd.c: Use HAVE_NIS, too
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use empty initialization of structs to minimize the memset() usage, to
reduce the amount of calls which are not sensitive.
Non trivial changes:
- pam_env:
* erase environment variables where possible
- pam_exec:
* erase responce on error
* erase auth token
- pam_pwhistory:
* erase buffers containing old passwords
- pam_selinux: skip overwriting data structure consisting of only
pointers to insensitive data, which also gets free'd afterwards (so
it currently does not protect against double-free or use-after-free on
the member pointers)
- pam_unix: erase cipher data in more places
- pam_userdb: erase password hashes
|
| |
|
|
|
|
|
|
|
| |
Otherwise the corresponding files are still installed in /etc/security.
* configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
(AM_CONDITIONAL): Add HAVE_VENDORDIR.
* modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR
if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
| |
* configure.ac: Define HAVE_NIS if NIS is enabled.
* modules/pam_unix/Makefile.am: Don't link against yppasswd_xdr.c
if NIS is disabled.
* modules/pam_unix/pam_unix_passwd.c: Don't redefine HAVE_NIS.
Resolves: https://github.com/linux-pam/linux-pam/issues/523
|
| |
|
|
|
|
| |
* modules/pam_unix/pam_unix_passwd.c: Wrap checks for configure macros
into defined() operator.
* m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wundef.
|
| |
|
|
|
|
|
| |
Regenerate yppasswd.h and yppasswd_xdr.c from yppasswd.x (libnsl) to
avoid GPL code in a PAM module.
Link: https://github.com/thkukuk/libnsl/blob/master/src/rpcsvc/yppasswd.x
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang-14 insists on issuing the following warning:
In file included from md5_good.c:4:
md5.c:92:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:101:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:136:15: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 16);
^
md5.c:145:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->in.c, 14);
^
md5.c:151:14: error: passing 1-byte aligned argument to 4-byte aligned parameter 1 of 'byteReverse' may result in an unaligned pointer access [-Werror,-Walign-mismatch]
byteReverse(ctx->buf.c, 4);
^
* modules/pam_unix/md5.c (byteReverse): Use uint32 instead of
uint8_aligned, update all users.
(uint8_aligned): Remove unused type.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DockBook 4 to DocBook 5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use SCONFIGDIR macro instead of open-coding "/etc/security",
the latter is not correct when configured using --enable-sconfigdir
with an argument different from /etc/security.
* modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use
SCONFIGDIR.
* modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove.
(PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR,
NAMESPACE_D_GLOB): Use SCONFIGDIR.
* modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove
-DSECURECONF_DIR.
* modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR.
* modules/pam_unix/passverify.h: Likewise.
* modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
|
| |
|
|
|
|
|
| |
* modules/pam_pwhistory/pam_pwhistory.c: Replace "crypted password" with
"hashed password" in comment.
* modules/pam_unix/passverify.c (create_password_hash): Rename "crypted"
local variable to "hashed".
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The getspnam(3) manual page says that errno shall be set to EACCES when
the caller does not have permission to access the shadow password file.
Unfortunately, this contract is broken when libnss_systemd is used in
the nss stack.
Workaround this problem by falling back to the helper invocation when
pam_modutil_getspnam returns NULL regardless of errno. As pam_unix
already behaves this way when selinux is enabled, it should be OK
for the case when selinux is not enabled, too.
* modules/pam_unix/passverify.c (get_account_info): When
pam_modutil_getspnam returns NULL, unconditionally fall back
to the helper invocation.
Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
Resolves: https://github.com/linux-pam/linux-pam/issues/379
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the hard-coding of the idea that the only way pam_unix.so can
read the shadow file is if it can, in some way, run setuid-root.
Linux capabilities only require cap_dac_override to read the /etc/shadow
file.
This change achieves two things: it opens a path for a linux-pam
application to run without being setuid-root; further, it allows
unix_chkpwd to run non-setuid-root if it is installed:
sudo setcap cap_dac_override=ep unix_chkpwd
If we wanted to link against libcap, we could install this binary with
cap_dac_override=p, and use cap_set_proc() to raise the effective bit
at runtime. However, some distributions already link unix_chkpwd
against libcap-ng for some, likely spurious, reason so "ep" is fine
for now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since many distributions are shipping a version of libxcrypt >= 4.0.0
as a replacement for glibc's libcrypt now, older versions of xcrypt,
which could be installed in parallel, are not relevant anymore.
* configure.ac (AC_CHECK_HEADERS): Remove xcrypt.h.
(AC_SEARCH_LIBS): Remove xcrypt.
(AC_CHECK_FUNCS): Remove crypt_gensalt_r.
(AC_DEFINE): Remove HAVE_LIBXCRYPT.
* modules/pam_pwhistory/opasswd.c [HAVE_LIBXCRYPT]: Remove.
* modules/pam_unix/bigcrypt.c [HAVE_LIBXCRYPT]: Likewise.
* modules/pam_userdb/pam_userdb.c [HAVE_LIBXCRYPT]: Likewise.
* modules/pam_unix/passverify.c [HAVE_LIBXCRYPT]: Likewise.
(create_password_hash) [HAVE_LIBXCRYPT]: Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to Zack Weinberg, the intended meaning of
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
method", it is not supposed to mean "force a password change on next
login for any user with an existing stored hash using this method".
This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
* modules/pam_unix/passverify.c (check_shadow_expiry)
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
Closes: https://github.com/linux-pam/linux-pam/issues/367
|
| |
|
|
|
| |
* modules/pam_unix/bigcrypt.c (bigcrypt) [HAVE_CRYPT_R]: Do not leak
cdata if crypt_r() fails.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
a regression where the blank check could return 1 if root had an empty
password hash because in the second case the password hash of root was
used. We now always return 0 in this case.
The issue was found by Johannes Löthberg.
Fixes #284
* modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
to cover the complete blank check so both existing and non existing
cases are identical except for the possible return value.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* ci/install-dependencies.sh: Remove libcrack2-dev.
* ci/run-build-and-tests.sh (DISTCHECK_CONFIGURE_FLAGS): Remove
--enable-cracklib=check.
* conf/pam.conf: Remove references to pam_cracklib.so.
* configure.ac: Remove --enable-cracklib option.
(AC_SUBST): Remove LIBCRACK.
(AM_CONDITIONAL): Remove COND_BUILD_PAM_CRACKLIB.
(AC_CONFIG_FILES): Remove modules/pam_cracklib/Makefile.
* doc/sag/pam_cracklib.xml: Remove.
* doc/sag/Linux-PAM_SAG.xml: Do not include pam_cracklib.xml.
* modules/Makefile.am (MAYBE_PAM_CRACKLIB): Remove.
(SUBDIRS): Remove MAYBE_PAM_CRACKLIB.
* modules/pam_cracklib/Makefile.am: Remove.
* modules/pam_cracklib/README.xml: Likewise.
* modules/pam_cracklib/pam_cracklib.8.xml: Likewise.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_cracklib/tst-pam_cracklib: Likewise.
* xtests/tst-pam_cracklib1.c: Likewise.
* xtests/tst-pam_cracklib1.pamd: Likewise.
* xtests/tst-pam_cracklib2.c: Likewise.
* xtests/tst-pam_cracklib2.pamd: Likewise.
* modules/pam_pwhistory/pam_pwhistory.8.xml: Replace pam_cracklib
in examples with pam_passwdqc.
* modules/pam_unix/pam_unix.8.xml: Likewise.
* po/POTFILES.in: Remove ./modules/pam_cracklib/pam_cracklib.c.
* xtests/.gitignore: Remove tst-pam_cracklib1 and tst-pam_cracklib2.
* xtests/Makefile.am (EXTRA_DIST): Remove tst-pam_cracklib1.pamd
and tst-pam_cracklib2.pamd.
(XTESTS): Remove tst-pam_cracklib1 and tst-pam_cracklib2.
* NEWS: Document this change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Exported functions already have these attributes, add them to other functions.
This enables compilers to find format specifier mismatches, like:
foo_print("Hello %d", "world")
* m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wmissing-format-attribute.
* conf/pam_conv1/Makefile.am (AM_CFLAGS): Add -I$(top_srcdir)/libpam/include.
* conf/pam_conv1/pam_conv_y.y: Include <security/_pam_types.h>.
(yyerror): Add printf format attribute.
* modules/pam_pwhistory/opasswd.c (helper_log_err): Likewise.
* modules/pam_rootok/pam_rootok.c (log_callback): Likewise.
* modules/pam_tally/pam_tally.c (tally_log): Likewise.
* modules/pam_tally2/pam_tally2.c (tally_log): Likewise.
* modules/pam_unix/passverify.c (helper_log_err): Likewise.
|
| |
|
|
|
|
|
|
|
|
| |
When running systemd service with DynamicUser being set, the dynamic UID
might be not mapped to user name (/etc/nsswitch.conf is not configured
with systemd nss module).
The getuidname() routine might return NULL and this is not checked by callee.
Signed-off-by: Anton D. Kachalov <rnouse@google.com>
|
| |
|
|
|
|
|
|
|
| |
There are going to be other options added to CFLAGS and LDFLAGS
of executables made along with modules.
* configure.ac (EXE_CFLAGS, EXE_LDFLAGS): New variables initialized from
PIE_CFLAGS and PIE_LDFLAGS, respectively. AC_SUBST them instead of
PIE_CFLAGS and PIE_LDFLAGS. All users updated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently, gcc is also not smart enough to infer the alignment
of structure fields, for details see
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133
Use unions to avoid these casts altogether, this fixes compilation
warnings reported by gcc on arm, e.g.:
md5.c: In function 'MD5Update':
md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align]
92 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align]
101 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
md5.c: In function 'MD5Final':
md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align]
136 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align]
147 | memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
| ^
md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align]
149 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
* modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and
"in" fields with unions. All users updated.
* modules/pam_unix/md5.h (struct MD5Context): Likewise.
* modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace
with a union. All users updated.
Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
|
| |
|
|
|
|
|
| |
These retrieved contexts are just passed to libselinux functions and not
printed or otherwise made available to the outside, so a context
translation to human readable MCS/MLS labels is not needed.
(see man:setrans.conf(5))
|
| |
|
|
|
| |
libselinux 3.1 deprecated the typedef security_context_t.
Use the underlaying type.
|
| |
|
|
|
| |
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Add comment
about the reason for ignoring PAM_AUTHTOK_ERR.
|
| |
|
|
|
|
|
|
|
|
| |
The daysleft otherwise stays uninitialized if there is no shadow entry.
Regression from commit f5adefa.
Fixes #255
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ldv: rewrote commit message]
* modules/pam_unix/passverify.h (read_passwords): Remove prototype.
* modules/pam_unix/passverify.c (read_passwords): Move ...
* libpam/include/pam_inline.h: ... here, rename to pam_read_passwords,
add static inline qualifiers.
Include <unistd.h> and <errno.h>.
* modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
(main): Replace read_passwords with pam_read_passwords.
* modules/pam_unix/unix_update.c: Include "pam_inline.h".
(set_password): Replace read_passwords with pam_read_passwords.
|
| |
|
|
|
|
|
|
|
|
| |
* modules/pam_unix/passverify.h (MAXPASS): Remove.
* modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS
with PAM_MAX_RESP_SIZE.
* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise.
* modules/pam_unix/support.c (_unix_verify_password): Likewise.
* modules/pam_unix/unix_chkpwd.c (main): Likewise.
* modules/pam_unix/unix_update.c (set_password): Likewise.
|
| |
|
|
|
|
|
|
|
| |
Taking a look at the time for the password prompt to appear it was
possible to determine if a user existed in a system. Solved it by
matching the runtime until the password prompt was shown by always
checking the password hash for an existing and a non-existing user.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
to be a valid C string, no need to double check that.
* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
for NULL the user name returned by pam_get_user when the latter returned
PAM_SUCCESS.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
* modules/pam_filter/pam_filter.c (process_args): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
Likewise.
|
| |
|
|
|
|
| |
Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
from Linux-PAM), PAM_SM_* macros have no effect.
|
