Index: Linux-PAM/modules/pam_unix/support.c =================================================================== --- Linux-PAM/modules/pam_unix/support.c.orig +++ Linux-PAM/modules/pam_unix/support.c @@ -87,15 +87,22 @@ /* now parse the arguments to this module */ while (argc-- > 0) { - int j; + int j, sl; D(("pam_unix arg: %s", *argv)); for (j = 0; j < UNIX_CTRLS_; ++j) { - if (unix_args[j].token - && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) - { - break; + if (unix_args[j].token) { + sl = strlen(unix_args[j].token); + if (unix_args[j].token[sl-1] == '=') { + /* exclude argument from comparison */ + if (!strncmp(*argv, unix_args[j].token, sl)) + break; + } else { + /* compare full strings */ + if (!strcmp(*argv, unix_args[j].token)) + break; + } } } @@ -472,6 +479,17 @@ if (salt) _pam_delete(salt); + if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) { + int retval2; + const void *uttyname; + retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); + if (retval2 != PAM_SUCCESS || uttyname == NULL) + return 0; + + if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) + return 0; + } + return retval; } @@ -692,7 +710,7 @@ int salt_len = strlen(salt); if (!salt_len) { /* the stored password is NULL */ - if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ + if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */ D(("user has empty password - access granted")); retval = PAM_SUCCESS; } else { Index: Linux-PAM/modules/pam_unix/support.h =================================================================== --- Linux-PAM/modules/pam_unix/support.h.orig +++ Linux-PAM/modules/pam_unix/support.h 
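Review bot: `unix_args[j].token[sl-1]` in the option loop reads one byte before the string if a table entry ever has an empty token, and `sl` stores a `strlen()` result in an `int`. Guard the index with `if (sl > 0 && unix_args[j].token[sl-1] == '=')` and declare `size_t sl`. The exact-match branch is what stops `nullok_secure` from being consumed by a shorter option that is its prefix, so the comment should say so: `/* compare full strings so "nullok_secure" is never matched as a shorter option */`. Arguments that were previously accepted by prefix will now fall through as unrecognised, which is worth stating in the change description. The enclosing function starts and ends outside this hunk.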
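Review bot: The secure-tty decision added before `return retval;` depends entirely on the `PAM_TTY` item, which the calling application supplies rather than the module deriving it, and a refusal leaves no trace. Both failure paths fail closed with `return 0`, which is the right default. Adding `D(("nullok_secure: tty missing or not secure - blank password refused"));` before each `return 0` would make the denial diagnosable. A comment above the block should also state that a service which does not set `PAM_TTY` will never accept a blank password under `nullok_secure`. The function this block belongs to starts outside the hunk.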
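Review bot: The retained comment `/* this means we've succeeded */` no longer describes the condition, because `_unix_blankpasswd(pamh, ctrl, name)` replaces the bare `UNIX__NONULL` bit test and, going by the block added in the `-472` hunk, can also refuse on the tty check. Suggest `/* blank password permitted for this user on this tty */`. Any other place in the module that still tests `off(UNIX__NONULL, ctrl)` directly would treat `nullok_secure` as unrestricted null-ok, so those call sites (not visible in this diff) should be checked. The helper's body is outside the hunk, so the diff cannot confirm whether it repeats the password lookup already done here.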
@@ -88,8 +88,9 @@ #define UNIX_MIN_PASS_LEN 24 /* Min length for password */ #define UNIX_NOOBSCURE_CHECKS 25 /* internal */ #define UNIX_OBSCURE_CHECKS 26 /* enable obscure checks on passwords */ +#define UNIX_NULLOK_SECURE 27 /* NULL passwords allowed only on secure ttys */ /* -------------- */ -#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */ +#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = @@ -106,7 +107,7 @@ /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40}, /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80}, /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100}, -/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200}, +/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x2000000), 0x200}, /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400}, /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800}, /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000}, @@ -124,6 +125,7 @@ /* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x800000}, /* UNIX_NOOBSCURE_CHECKS */{NULL, _ALL_ON_, 0x1000000}, /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_^(0x1000000), 0}, +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x2000000}, }; #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag | unix_args[UNIX_NOOBSCURE_CHECKS].flag) @@ -159,6 +161,9 @@ ,const void **pass); extern int _unix_shadowed(const struct passwd *pwd); +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, + const char *uttyname); + extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user); extern unsigned int pass_min_len; Index: Linux-PAM/modules/pam_unix/Makefile.am =================================================================== --- Linux-PAM/modules/pam_unix/Makefile.am.orig +++ Linux-PAM/modules/pam_unix/Makefile.am 
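Review bot: The `UNIX__NONULL` and `UNIX_NULLOK_SECURE` rows refer to each other's bits only through the raw literals `0x2000000` and `0x200`, so the mutual exclusion that the access decision rests on is easy to break the next time the table is edited. A comment on the new row, such as `/* clears UNIX__NONULL (0x200); UNIX__NONULL's mask clears this bit in turn */`, would record it. The interaction with a plain null-ok option in the same argument list is also undocumented. If that row's mask is unchanged (it is outside these hunks), the tty restriction appears to stay in force whichever order the two options are given, and that precedence should be stated.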
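Review bot: The prototype for `_pammodutil_tty_secure` is written out by hand in `support.h` rather than taken from a header shared with the code that defines it. A later change to the definition's signature would therefore compile cleanly here and only misbehave at run time. If the defining module has, or can gain, a header for this function, include that instead. Otherwise add `/* defined in the object linked from ../pam_securetty/tty_secure.lo; keep in sync */` above the declaration.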
@@ -44,6 +44,9 @@ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ yppasswd_xdr.c md5_good.c md5_broken.c obscure.c +pam_unix_la_LIBADD = \ + ../pam_securetty/tty_secure.lo + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c bigcrypt_CFLAGS = $(AM_CFLAGS) bigcrypt_LDFLAGS = @LIBCRYPT@
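Review bot: `pam_unix_la_LIBADD` pulls `../pam_securetty/tty_secure.lo` from a sibling directory, so pam_unix now builds only if pam_securetty has been built first, and nothing in this hunk expresses that ordering. Confirm the parent `SUBDIRS` order, or move the function into a convenience library that both modules link. Any other target in this file that compiles `support.c` would also need the object, otherwise it fails to link on `_pammodutil_tty_secure`; the target list is only partly visible here.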