Gentoo Archives: gentoo-commits

From: "Ulrich Mueller (ulm)" <ulm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in src/patchsets/pam_skey/1.1.5: 02_all_require_skey.patch
Date: Wed, 08 Sep 2010 18:42:42
Message-Id: 20100908184238.3EF0F20051@flycatcher.gentoo.org
1 ulm 10/09/08 18:42:38
2
3 Added: 02_all_require_skey.patch
4 Log:
5 Patchset 2, add 02_all_require_skey.patch.
6
7 Revision Changes Path
8 1.1 src/patchsets/pam_skey/1.1.5/02_all_require_skey.patch
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/pam_skey/1.1.5/02_all_require_skey.patch?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/pam_skey/1.1.5/02_all_require_skey.patch?rev=1.1&content-type=text/plain
12
13 Index: 02_all_require_skey.patch
14 ===================================================================
15 http://bugs.gentoo.org/336449
16 Patch contributed by Jan Sembera <fis@××××.cz>
17
18 In my environment, I'd like to use pam_skey as optional authentication
19 measure that wouldn't replace the password, but would complement it.
20 I.e. when the user sets the S/Key, he should be afterwards asked to
21 provide the S/Key _and_ his password, without the possibility to just
22 enter his password and circumvent S/Keys. On the other hand, when the
23 user doesn't have S/Key set, he should be able to login with his
24 password only.
25
26 While PAM would generally allow this, with the current internals of
27 pam_skey, this setup isn't possible. You simply cannot distinguish
28 between "user has no S/Key set" case (it returns IGNORE) and "user
29 doesn't want to provide S/Key" (it returns IGNORE as well).
30
31 I'm attaching a patch that will add option require_skey to pam_skey.
32 When this option is set, the module will require the user to successfully
33 authenticate using S/Key, and will return IGNORE only in case the user
34 didn't set up his key. If this option isn't provided, the behaviour of
35 the module doesn't change.
36
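The stacking that the description above asks for, written out as an added example; this is not part of the patch, of pam_skey's README, or of any Gentoo file. It assumes Linux-PAM control-flag semantics (`required` treats PAM_IGNORE as "skip this module", `sufficient` ends the stack on success), a service file such as /etc/pam.d/sshd, and the conventional module names pam_skey.so and pam_unix.so; the return codes quoted in the comments are the ones the patch's README text and pam_skey.c changes state for require_skey.

```conf
# /etc/pam.d/sshd, auth section only.  Added example, not from the patch.
#
# Goal from the patch description: a user who has an S/Key set up must pass
# BOTH the S/Key challenge and the system password; a user without an S/Key
# logs in with the password alone.
#
# pam_skey.so with require_skey returns:
#   no S/Key set up for this user  -> PAM_IGNORE   ("required" skips it, stack continues)
#   valid S/Key response           -> PAM_SUCCESS  (stack continues to pam_unix)
#   wrong response / forwarded
#   token that is not an S/Key     -> PAM_AUTH_ERR (stack continues, final result is failure)
#
# "required", not "sufficient": "sufficient" would end the stack on a valid
# S/Key response and the password would never be asked for.
auth    required    pam_skey.so require_skey

# With require_skey the prompt is S/Key-only and the response is never stored
# as PAM_AUTHTOK, so pam_unix has to collect the password itself.
# try_first_pass is harmless here (there is no token to try) and falls back
# to prompting; use_first_pass would fail for lack of a token.
auth    required    pam_unix.so try_first_pass

# Two configurations that do NOT give the second factor the description wants:
#
#   auth required   pam_skey.so              # no require_skey: at the
#   auth required   pam_unix.so try_first_pass   # "S/Key or password" prompt the
#                                            # user types the password, pam_skey
#                                            # returns PAM_IGNORE and hands the
#                                            # password on; S/Key is skipped.
#
#   auth sufficient pam_skey.so require_skey # "sufficient": a valid S/Key
#   auth required   pam_unix.so try_first_pass   # response alone logs the user in;
#                                            # the password is never checked.
```

The first wrong variant is exactly the IGNORE ambiguity the patch description complains about; the second is a stacking mistake that require_skey cannot protect against, so both the option and the control flag have to be right.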
37 --- pam_skey-orig/README
38 +++ pam_skey/README
39 @@ -21,7 +21,7 @@
40 - The options accepted by the pam_skey.so module are different, as
41 described below.
42
43 -Four options are accepted by the pam_skey.so module:
44 +Five options are accepted by the pam_skey.so module:
45 debug - This option turns on debug logging.
46 try_first_pass - This option tells the module to first try using
47 the authentication token passed from the
48 @@ -44,6 +44,12 @@
49 cause the module to pass the given password to the
50 next module in the authentication stack (usually
51 pam_unix.so with the try_first_pass option).
52 + require_skey - This options tells the module to require S/Key
53 + authentication if the user has S/Key set. When
54 + this option is set, it is possible to require both
55 + S/Key and another authentication method (like
56 + password) for successful login. This is mutually
57 + exclusive with no_default_skey.
58
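Review bot: "This options tells the module" should be "This option tells the module". The entry also omits two things the code changes make true and that an administrator needs to know: with use_first_pass, a forwarded token that is not a valid S/Key response now yields PAM_AUTHERR rather than PAM_IGNORE, and a user who has no S/Key set up still gets PAM_IGNORE, which is the distinction the option exists to draw. "This is mutually exclusive with no_default_skey" should also say what happens when both are given.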
59 The exact behavior of pam_skey.so is detailed below:
60
61 @@ -54,21 +60,22 @@
62 if it is a valid response to the current S/Key challenge. If so,
63 return PAM_SUCCESS.
64 3a. If the token is invalid and use_first_pass is enabled, return
65 - PAM_IGNORE.
66 + PAM_IGNORE (or PAM_AUTHERR if require_skey is set).
67 4. If no_default_skey is enabled, issue a "Password: " prompt.
68 4a. If the response is anything besides "s/key" (case insensitive),
69 store it as the authentication token and return PAM_IGNORE.
70 5. Display the current S/Key challenge and request a response, with
71 - input not echoed. If no_default_skey is enabled, this will only be
72 - an S/Key response request; otherwise, it will request either an
73 - S/Key response or a system passsword.
74 + input not echoed. If no_default_skey or require_skey is enabled,
75 + this will only be an S/Key response request; otherwise, it will
76 + request either an S/Key response or a system passsword.
77 5a. If an empty response is given, request the S/Key response again,
78 this time with input echoed.
79 5b. If the response is a valid S/Key response, return PAM_SUCCESS.
80 Otherwise, return PAM_AUTHERR.
81 6. If the response is a valid S/Key response, return PAM_SUCCESS.
82 -7. Otherwise, if no_default_skey is enabled (the user specifically
83 - requested "s/key" authentication), return PAM_AUTHERR.
84 +7. Otherwise, if no_default_skey is enabled (and the user specifically
85 + requested "s/key" authentication), or if require_skey is enabled,
86 + return PAM_AUTHERR.
87 8. Otherwise, store the response as the authentication token and
88 return PAM_IGNORE.
89
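Review bot: the list still does not say what require_skey does for a user who has no S/Key set up, although that is the case the option exists to separate from a refused or failed S/Key; per the patch description the module returns PAM_IGNORE there, and the step that handles the no-key case should state it. Also, the new text in 3a and 7 keeps the README's PAM_AUTHERR spelling while pam_skey.c returns PAM_AUTH_ERR; since this patch touches those lines anyway, using the real constant name would help anyone grepping the source.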
90 --- pam_skey-orig/pam_skey.c
91 +++ pam_skey/pam_skey.c
92 @@ -110,7 +110,7 @@
93 if (skey_passcheck(username, response) != -1) {
94 return PAM_SUCCESS;
95 } else if (mod_opt & _MOD_USE_FIRST_PASS) {
96 - return PAM_IGNORE;
97 + return (mod_opt & _MOD_REQUIRE_SKEY) ? PAM_AUTH_ERR : PAM_IGNORE;
98 }
99 } else if (mod_opt & _MOD_USE_FIRST_PASS) {
100 return PAM_AUTHTOK_RECOVER_ERR;
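Review bot: the fail-closed result here covers only use_first_pass; when try_first_pass alone is set, a forwarded PAM_AUTHTOK that fails skey_passcheck() is not returned from this block and execution falls through to the interactive prompt, so require_skey is then enforced solely by the prompt path changed later in this patch. That is the intended behaviour, but a one-line comment at the fall-through would keep someone from later "fixing" it into an early PAM_IGNORE that would reopen the bypass this option is meant to close.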
101 @@ -138,7 +138,7 @@
102 return PAM_AUTHINFO_UNAVAIL;
103 }
104
105 - if (mod_opt & _MOD_NO_DEFAULT_SKEY)
106 + if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY))
107 status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response);
108 else
109 status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response);
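Review bot: `(mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)` is the same test that appears again in the next hunk; write it as `mod_opt & (_MOD_NO_DEFAULT_SKEY | _MOD_REQUIRE_SKEY)` and, since both sites must stay in step, consider one macro in pam_skey.h (for example `_MOD_SKEY_ONLY`) so that any future option that also needs an S/Key-only prompt is added in a single place.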
110 @@ -166,7 +166,7 @@
111 return PAM_SUCCESS;
112 }
113
114 - if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
115 + if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) {
116 _pam_delete(response);
117 return PAM_AUTH_ERR;
118 }
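Review bot: in the require_skey failure path the response is wiped with _pam_delete() and PAM_AUTH_ERR is returned, and the success path just above returns PAM_SUCCESS, so with require_skey set the module never stores anything in PAM_AUTHTOK; a pam_unix.so stacked below with use_first_pass would fail for lack of a token. Wiping the buffer before returning is correct; please add a README sentence that the following module has to collect the password itself (try_first_pass, or no first-pass option at all).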
119 --- pam_skey-orig/pam_skey.h
120 +++ pam_skey/pam_skey.h
121 @@ -78,13 +78,14 @@
122 #define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */
123 #define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */
124 #define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */
125 +#define _MOD_REQUIRE_SKEY 0x0010 /* Require S/Key if set */
126
127 /* Setup defaults - use echo off only */
128 #define _MOD_DEFAULT_FLAG _MOD_NONE_ON
129 #define _MOD_DEFAULT_MASK _MOD_ALL_ON
130
131 /* Number of parameters currently known */
132 -#define _MOD_ARGS 4
133 +#define _MOD_ARGS 5
134
135 /* Structure for flexible argument parsing */
136 typedef struct
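Review bot: the new bit only works if _MOD_ALL_ON, which is not in this hunk, is the OR of every flag rather than a literal covering the four original bits. Every option-table entry uses _MOD_ALL_ON (or _MOD_ALL_ON & ~x) as its mask and _MOD_DEFAULT_MASK is _MOD_ALL_ON, so if 0x0010 is missing from it the require_skey flag is cleared by whichever option is parsed after it and the outcome depends on argument order. Please confirm the definition, or define _MOD_ALL_ON as the OR of the _MOD_* flags so the next addition cannot regress the same way.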
137 @@ -101,5 +102,6 @@
138 {"debug", _MOD_ALL_ON, _MOD_DEBUG},
139 {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS},
140 {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS},
141 - {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY}
142 + {"no_default_skey", _MOD_ALL_ON & ~_MOD_REQUIRE_SKEY, _MOD_NO_DEFAULT_SKEY},
143 + {"require_skey", _MOD_ALL_ON & ~_MOD_NO_DEFAULT_SKEY, _MOD_REQUIRE_SKEY}
144 };
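Review bot: the mutual exclusion in the two new mask columns is last-one-wins and silent: "no_default_skey require_skey" and "require_skey no_default_skey" parse to different configurations and neither produces a diagnostic. For an option whose purpose is to make authentication stricter, an administrator who mistakenly lists both should get a logged warning or a parse failure rather than a quiet downgrade; failing that, the README's "mutually exclusive" sentence should state which option wins.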