Index: Linux-PAM/modules/pam_unix/support.c
===================================================================
--- Linux-PAM/modules/pam_unix/support.c.orig
+++ Linux-PAM/modules/pam_unix/support.c
@@ -87,15 +87,22 @@
/* now parse the arguments to this module */
while (argc-- > 0) {
- int j;
+ int j, sl;
D(("pam_unix arg: %s", *argv));
for (j = 0; j < UNIX_CTRLS_; ++j) {
- if (unix_args[j].token
- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token)))
- {
- break;
+ if (unix_args[j].token) {
+ sl = strlen(unix_args[j].token);
+ if (unix_args[j].token[sl-1] == '=') {
+ /* exclude argument from comparison */
+ if (!strncmp(*argv, unix_args[j].token, sl))
+ break;
+ } else {
+ /* compare full strings */
+ if (!strcmp(*argv, unix_args[j].token))
+ break;
+ }
}
}
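Review bot: `unix_args[j].token[sl-1]` reads one byte before the token when the token is the empty string, and `sl` is an `int` receiving a `size_t` from `strlen`; a length guard and the matching type avoid both: `size_t sl = strlen(unix_args[j].token);` and `if (sl && unix_args[j].token[sl-1] == '=') {`. Every entry of unix_args visible on this page has a non-empty token, so this is defensive hardening rather than a live defect. The enclosing argument-parsing function starts before and ends after this hunk.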
@@ -472,6 +479,17 @@
if (salt)
_pam_delete(salt);
+ if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) {
+ int retval2;
+ const void *uttyname;
+ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
+ if (retval2 != PAM_SUCCESS || uttyname == NULL)
+ return 0;
+
+ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
+ return 0;
+ }
+
return retval;
}
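Review bot: Both early returns in the new nullok_secure block refuse the blank password silently, which makes a refused login with `nullok_secure` configured hard to diagnose from the trace the function already emits; a line such as `D(("nullok_secure: no PAM_TTY item or tty not secure - blank password refused"));` before each `return 0;` matches the `D()` tracing used elsewhere in this file. Failing closed when PAM_TTY is unset or `_pammodutil_tty_secure` returns anything but PAM_SUCCESS is the right default, so the control flow itself looks correct. `_unix_blankpasswd` starts outside this hunk.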
@@ -692,7 +710,7 @@
int salt_len = strlen(salt);
if (!salt_len) {
/* the stored password is NULL */
- if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
+ if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */
D(("user has empty password - access granted"));
retval = PAM_SUCCESS;
} else {
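Review bot: The trailing comment `/* this means we've succeeded */` no longer describes the condition: `_unix_blankpasswd` now also requires, under nullok_secure, a PAM_TTY item that `_pammodutil_tty_secure` accepts, so a false result can mean "tty not secure" rather than "null passwords disallowed". Rewording it to `/* blank password permitted for this user and tty */` keeps the comment truthful. The enclosing function and its `else` branch continue outside the hunk.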
Index: Linux-PAM/modules/pam_unix/support.h
===================================================================
--- Linux-PAM/modules/pam_unix/support.h.orig
+++ Linux-PAM/modules/pam_unix/support.h
@@ -88,8 +88,9 @@
#define UNIX_MIN_PASS_LEN 24 /* Min length for password */
#define UNIX_NOOBSCURE_CHECKS 25 /* internal */
#define UNIX_OBSCURE_CHECKS 26 /* enable obscure checks on passwords */
+#define UNIX_NULLOK_SECURE 27 /* NULL passwords allowed only on secure ttys */
/* -------------- */
-#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
@@ -106,7 +107,7 @@
/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40},
/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80},
/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100},
-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200},
+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x2000000), 0x200},
/* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400},
/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800},
/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000},
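Review bot: The literal `0x2000000` in the new UNIX__NONULL mask must stay equal to the flag given to UNIX_NULLOK_SECURE in the later hunk (`{"nullok_secure", _ALL_ON_^(0x200), 0x2000000}`), and the `0x200` in that entry must stay equal to UNIX__NONULL's flag, yet nothing in the header ties the pairs together. The table's existing style uses bare literals, so a comment on each line is the minimal fix, e.g. `/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x2000000), 0x200}, /* clears UNIX_NULLOK_SECURE */` and the mirror comment on the nullok_secure entry. This applies to this hunk and to the hunk that adds the nullok_secure entry.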
@@ -124,6 +125,7 @@
/* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x800000},
/* UNIX_NOOBSCURE_CHECKS */{NULL, _ALL_ON_, 0x1000000},
/* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_^(0x1000000), 0},
+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x2000000},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag | unix_args[UNIX_NOOBSCURE_CHECKS].flag)
@@ -159,6 +161,9 @@
,const void **pass);
extern int _unix_shadowed(const struct passwd *pwd);
+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
+ const char *uttyname);
+
extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user);
extern unsigned int pass_min_len;
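Review bot: The prototype for `_pammodutil_tty_secure` is hand-copied into support.h from another module, so nothing checks it against the definition in pam_securetty; if that definition's signature drifts, the call in support.c keeps compiling against a stale prototype. Declaring it once in a header owned by pam_securetty (or the shared modutil header) and including that here lets the compiler verify the two agree. The remaining declarations in this hunk are unchanged context.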
Index: Linux-PAM/modules/pam_unix/Makefile.am
===================================================================
--- Linux-PAM/modules/pam_unix/Makefile.am.orig
+++ Linux-PAM/modules/pam_unix/Makefile.am
@@ -44,6 +44,9 @@
pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+pam_unix_la_LIBADD = \
+ ../pam_securetty/tty_secure.lo
+
bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
bigcrypt_CFLAGS = $(AM_CFLAGS)
bigcrypt_LDFLAGS = @LIBCRYPT@
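Review bot: `../pam_securetty/tty_secure.lo` is referenced as a prebuilt object with no dependency rule, so pam_unix links only if pam_securetty has already been built; whether the top-level SUBDIRS order guarantees that is not visible here. If it does not, either compile `tty_secure.c` as part of pam_unix_la_SOURCES via a relative path or add an explicit dependency so a parallel or partial build cannot fail on a missing `.lo`. The object is also compiled under pam_securetty's flags, which is worth confirming is intended for code linked into pam_unix.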