ulm 10/09/08 18:42:38 |
|
Added: 02_all_require_skey.patch |
Log: |
Patchset 2, add 02_all_require_skey.patch. |
|
Revision Changes Path |
1.1 src/patchsets/pam_skey/1.1.5/02_all_require_skey.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/pam_skey/1.1.5/02_all_require_skey.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/pam_skey/1.1.5/02_all_require_skey.patch?rev=1.1&content-type=text/plain |
|
Index: 02_all_require_skey.patch |
=================================================================== |
http://bugs.gentoo.org/336449 |
Patch contributed by Jan Sembera <fis@××××.cz> |
|
In my environment, I'd like to use pam_skey as optional authentication |
measure that wouldn't replace the password, but would complement it. |
Ie. when the user sets the S/Key, he should be afterwards asked to |
provide the S/Key _and_ his password, without the possibility to just |
enter his password and circumvent S/Keys. On the other hand, when the |
user doesn't have S/Key set, he should be able to login with his |
password only. |
|
While PAM would generally allow this, with the current internals of |
pam_skey, this setup isn't possible. You simply cannot distinguish |
between "user has no S/Key set" case (it returns IGNORE) and "user |
doesn't want to provide S/Key" (it returns IGNORE as well). |
|
I'm attaching a patch that will add option require_skey to pam_skey. |
When this option is set, module will require the user to successfully |
authenticate using S/key, and will return IGNORE only in case the user |
didn't set up his key. If this option isn't provided, the behaviour of |
the module doesn't change. |
|
--- pam_skey-orig/README |
38 |
+++ pam_skey/README |
39 |
@@ -21,7 +21,7 @@ |
40 |
- The options accepted by the pam_skey.so module are different, as |
41 |
described below. |
42 |
|
43 |
-Four options are accepted by the pam_skey.so module: |
44 |
+Five options are accepted by the pam_skey.so module: |
45 |
debug - This option turns on debug logging. |
46 |
try_first_pass - This option tells the module to first try using |
47 |
the authentication token passed from the |
48 |
@@ -44,6 +44,12 @@ |
49 |
cause the module to pass the given password to the |
50 |
next module in the authentication stack (usually |
51 |
pam_unix.so with the try_first_pass option). |
52 |
+ require_skey - This options tells the module to require S/Key |
53 |
+ authentication if the user has S/Key set. When |
54 |
+ this option is set, it is possible to require both |
55 |
+ S/Key and another authentication method (like |
56 |
+ password) for successful login. This is mutually |
57 |
+ exclusive with no_default_skey. |
58 |
|
59 |
The exact behavior of pam_skey.so is detailed below: |
60 |
|
61 |
@@ -54,21 +60,22 @@ |
62 |
if it is a valid response to the current S/Key challenge. If so, |
63 |
return PAM_SUCCESS. |
64 |
3a. If the token is invalid and use_first_pass is enabled, return |
65 |
- PAM_IGNORE. |
66 |
+ PAM_IGNORE (or PAM_AUTHERR if require_skey is set). |
67 |
4. If no_default_skey is enabled, issue a "Password: " prompt. |
68 |
4a. If the response is anything besides "s/key" (case insensitive), |
69 |
store it as the authentication token and return PAM_IGNORE. |
70 |
5. Display the current S/Key challenge and request a response, with |
71 |
- input not echoed. If no_default_skey is enabled, this will only be |
72 |
- an S/Key response request; otherwise, it will request either an |
73 |
- S/Key response or a system passsword. |
74 |
+ input not echoed. If no_default_skey or require_skey is enabled, |
75 |
+ this will only be an S/Key response request; otherwise, it will |
76 |
+ request either an S/Key response or a system passsword. |
77 |
5a. If an empty response is given, request the S/Key response again, |
78 |
this time with input echoed. |
79 |
5b. If the response is a valid S/Key response, return PAM_SUCCESS. |
80 |
Otherwise, return PAM_AUTHERR. |
81 |
6. If the response is a valid S/Key response, return PAM_SUCCESS. |
82 |
-7. Otherwise, if no_default_skey is enabled (the user specifically |
83 |
- requested "s/key" authentication), return PAM_AUTHERR. |
84 |
+7. Otherwise, if no_default_skey is enabled (and the user specifically |
85 |
+ requested "s/key" authentication), or if require_skey is enabled, |
86 |
+ return PAM_AUTHERR. |
87 |
8. Otherwise, store the response as the authentication token and |
88 |
return PAM_IGNORE. |
89 |
|
90 |
--- pam_skey-orig/pam_skey.c |
91 |
+++ pam_skey/pam_skey.c |
92 |
@@ -110,7 +110,7 @@ |
93 |
if (skey_passcheck(username, response) != -1) { |
94 |
return PAM_SUCCESS; |
95 |
} else if (mod_opt & _MOD_USE_FIRST_PASS) { |
96 |
- return PAM_IGNORE; |
97 |
+ return (mod_opt & _MOD_REQUIRE_SKEY) ? PAM_AUTH_ERR : PAM_IGNORE; |
98 |
} |
99 |
} else if (mod_opt & _MOD_USE_FIRST_PASS) { |
100 |
return PAM_AUTHTOK_RECOVER_ERR; |
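Review bot: The new ternary on the use_first_pass failure path turns a PAM_IGNORE into a hard PAM_AUTH_ERR without saying why, and since the enclosing function begins before this hunk a reader landing here has nothing to tie the change to. A one-line comment would carry the intent: `/* require_skey: a bad first-pass token must fail here, not fall through to password-only auth */`. It is also worth a sentence in the README that with use_first_pass the module never reaches the challenge prompt (README step 3a returns before step 5), so `require_skey` together with `use_first_pass` can only succeed if an earlier module already collected the S/Key response; otherwise every S/Key-enrolled user is locked out, which appears to follow from this line but the patch does not document.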
101 |
@@ -138,7 +138,7 @@ |
102 |
return PAM_AUTHINFO_UNAVAIL; |
103 |
} |
104 |
|
105 |
- if (mod_opt & _MOD_NO_DEFAULT_SKEY) |
106 |
+ if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) |
107 |
status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response); |
108 |
else |
109 |
status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response); |
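Review bot: The compound test `(mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)` is repeated verbatim in the next hunk, and both sites express the same idea — "this is an S/Key-only prompt, no password fallback". A single mask test `if (mod_opt & (_MOD_NO_DEFAULT_SKEY | _MOD_REQUIRE_SKEY))`, or better a named mask in pam_skey.h such as `#define _MOD_SKEY_ONLY (_MOD_NO_DEFAULT_SKEY | _MOD_REQUIRE_SKEY)`, keeps the two decision points from drifting apart if another S/Key-only option is ever added. The enclosing function starts and ends outside this hunk.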
110 |
@@ -166,7 +166,7 @@ |
111 |
return PAM_SUCCESS; |
112 |
} |
113 |
|
114 |
- if (mod_opt & _MOD_NO_DEFAULT_SKEY) { |
115 |
+ if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) { |
116 |
_pam_delete(response); |
117 |
return PAM_AUTH_ERR; |
118 |
} |
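Review bot: This AUTH_ERR branch now serves two options with different meanings — under no_default_skey the user explicitly typed "s/key" at the Password: prompt, under require_skey any non-S/Key response is rejected regardless of what the user asked for — and nothing at the site says so. A short comment above the `if` would help the next maintainer, e.g. `/* S/Key-only prompt: no_default_skey means the user asked for s/key; require_skey means a password may never substitute for it */`. Wiping the response with `_pam_delete` before returning is the right call here since it must not be handed on as PAM_AUTHTOK; the function continues outside this hunk.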
119 |
--- pam_skey-orig/pam_skey.h |
120 |
+++ pam_skey/pam_skey.h |
121 |
@@ -78,13 +78,14 @@ |
122 |
#define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */ |
123 |
#define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */ |
124 |
#define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */ |
125 |
+#define _MOD_REQUIRE_SKEY 0x0010 /* Require S/Key if set */ |
126 |
|
127 |
/* Setup defaults - use echo off only */ |
128 |
#define _MOD_DEFAULT_FLAG _MOD_NONE_ON |
129 |
#define _MOD_DEFAULT_MASK _MOD_ALL_ON |
130 |
|
131 |
/* Number of parameters currently known */ |
132 |
-#define _MOD_ARGS 4 |
133 |
+#define _MOD_ARGS 5 |
134 |
|
135 |
/* Structure for flexible argument parsing */ |
136 |
typedef struct |
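Review bot: `_MOD_REQUIRE_SKEY 0x0010` adds a fifth flag bit, but `_MOD_ALL_ON` — which the option table uses as the mask for every pre-existing option and which `_MOD_DEFAULT_MASK` aliases — is defined outside this hunk. If it is a literal covering only the original four bits (0x000f) rather than an OR of the flag macros, the mask applied when a later option such as `debug` is parsed would clear require_skey silently, and the module would quietly revert to the bypassable behaviour. Worth confirming at its definition and, if it is a literal, rewriting it as `(_MOD_DEBUG | _MOD_TRY_FIRST_PASS | _MOD_USE_FIRST_PASS | _MOD_NO_DEFAULT_SKEY | _MOD_REQUIRE_SKEY)` so new bits cannot be forgotten. The `typedef struct` at the end of this hunk continues outside it.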
137 |
@@ -101,5 +102,6 @@ |
138 |
{"debug", _MOD_ALL_ON, _MOD_DEBUG}, |
139 |
{"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS}, |
140 |
{"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, |
141 |
- {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY} |
142 |
+ {"no_default_skey", _MOD_ALL_ON & ~_MOD_REQUIRE_SKEY, _MOD_NO_DEFAULT_SKEY}, |
143 |
+ {"require_skey", _MOD_ALL_ON & ~_MOD_NO_DEFAULT_SKEY, _MOD_REQUIRE_SKEY} |
144 |
}; |
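Review bot: The masks `_MOD_ALL_ON & ~_MOD_REQUIRE_SKEY` and `_MOD_ALL_ON & ~_MOD_NO_DEFAULT_SKEY` implement the "mutually exclusive" promise from the README by clearing the other option's bit, which — assuming the parser ANDs the mask in before ORing the flag, as the table layout suggests — means whichever option appears later on the pam.d line silently wins. For `require_skey no_default_skey` that downgrades to no_default_skey, where a user can bypass S/Key by answering with a password, and the administrator gets no indication that the stronger option was discarded. A "require" option should fail closed: reject the pair in the option parser with a syslog warning and return an error, or at minimum state in the README that the later of the two takes precedence. The table belongs to a struct whose definition starts before this hunk.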