diff options
| author | Richard Guy Briggs <rgb@redhat.com> | 2013-06-21 08:29:00 -0400 |
|---|---|---|
| committer | Dmitry V. Levin <ldv@altlinux.org> | 2013-06-21 21:36:20 +0000 |
| commit | 333686501468f66160c8eb50ae23f1dc08b82e12 (patch) | |
| tree | a6adc46e5ecddac9bea683f4b0ffb0db6621978f /modules/pam_tty_audit | |
| parent | 43a69398c33f8580c5925953fa7ee561666d8e33 (diff) | |
pam_tty_audit: add an option to control logging of passwords: log_passwd
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Diffstat (limited to 'modules/pam_tty_audit')
| -rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.8.xml | 15 | ||||
| -rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.c | 23 |
2 files changed, 37 insertions, 1 deletions
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 447b8454..552353ce 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -77,6 +77,19 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>log_passwd</option> + </term> + <listitem> + <para> + Log keystrokes when ECHO mode is off but ICANON mode is active. + This is the mode in which the tty is placed during password entry. + By default, passwords are not logged. This option may not be + available on older kernels (3.9?). + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> @@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root <para> pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. + The log_passwd option was added by Richard Guy Briggs + <rgb@redhat.com>. </para> </refsect1> diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 080f4950..a3b590db 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char *user; int i, fd, open_only; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ (void)flags; @@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) command = CMD_NONE; open_only = 0; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 0; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } else if (strcmp (argv[i], "open_only") == 0) open_only = 1; + else if (strcmp (argv[i], "log_passwd") == 0) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 1; +#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + pam_syslog (pamh, LOG_WARNING, + "The log_passwd option was not available at compile time."); +#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ else { pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); @@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } new_status.enabled = (command == CMD_ENABLE ? 1 : 0); - if (old_status->enabled == new_status.enabled) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + if (old_status->enabled == new_status.enabled +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + && old_status->log_passwd == new_status.log_passwd +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + ) { open_only = 1; /* to clean up old_status */ goto ok_fd; |