Diffstat (limited to 'debian/patches-applied/055_pam_unix_nullok_secure')
-rw-r--r--debian/patches-applied/055_pam_unix_nullok_secure196
1 files changed, 196 insertions, 0 deletions
diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure
new file mode 100644
index 00000000..98e1909d
--- /dev/null
+++ b/debian/patches-applied/055_pam_unix_nullok_secure
@@ -0,0 +1,196 @@
+Debian patch to add a new 'nullok_secure' option to pam_unix, which
+accepts users with null passwords only when the applicant is connected
+from a tty listed in /etc/securetty.
+
+Authors: Sam Hartman <hartmans@debian.org>,
+ Steve Langasek <vorlon@debian.org>
+
+Upstream status: not yet submitted
+
+Index: Linux-PAM/modules/pam_unix/support.c
+===================================================================
+--- Linux-PAM/modules/pam_unix/support.c.orig
++++ Linux-PAM/modules/pam_unix/support.c
+@@ -87,15 +87,22 @@
+ /* now parse the arguments to this module */
+
+ while (argc-- > 0) {
+- int j;
++ int j, sl;
+
+ D(("pam_unix arg: %s", *argv));
+
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+- if (unix_args[j].token
+- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token)))
+- {
+- break;
++ if (unix_args[j].token) {
++ sl = strlen(unix_args[j].token);
++ if (unix_args[j].token[sl-1] == '=') {
++ /* exclude argument from comparison */
++ if (!strncmp(*argv, unix_args[j].token, sl))
++ break;
++ } else {
++ /* compare full strings */
++ if (!strcmp(*argv, unix_args[j].token))
++ break;
++ }
+ }
+ }
+
+@@ -472,6 +479,17 @@
+ if (salt)
+ _pam_delete(salt);
+
++ if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) {
++ int retval2;
++ const void *uttyname;
++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval2 != PAM_SUCCESS || uttyname == NULL)
++ return 0;
++
++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ return 0;
++ }
++
+ return retval;
+ }
+
+@@ -692,7 +710,7 @@
+ int salt_len = strlen(salt);
+ if (!salt_len) {
+ /* the stored password is NULL */
+- if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
++ if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */
+ D(("user has empty password - access granted"));
+ retval = PAM_SUCCESS;
+ } else {
+Index: Linux-PAM/modules/pam_unix/support.h
+===================================================================
+--- Linux-PAM/modules/pam_unix/support.h.orig
++++ Linux-PAM/modules/pam_unix/support.h
+@@ -87,8 +87,9 @@
+ #define UNIX_MAX_PASS_LEN 23 /* internal, for compatibility only */
+ #define UNIX_MIN_PASS_LEN 24 /* Min length for password */
+ #define UNIX_OBSCURE_CHECKS 25 /* enable obscure checks on passwords */
++#define UNIX_NULLOK_SECURE 26 /* NULL passwords allowed only on secure ttys */
+ /* -------------- */
+-#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */
+
+
+ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+@@ -105,7 +106,7 @@
+ /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40},
+ /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80},
+ /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200},
++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x1000000), 0x200},
+ /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400},
+ /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800},
+ /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000},
+@@ -122,6 +123,7 @@
+ /* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0},
+ /* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x400000},
+ /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x800000},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x1000000},
+ };
+
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+@@ -157,6 +159,9 @@
+ ,const void **pass);
+ extern int _unix_shadowed(const struct passwd *pwd);
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+ extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user);
+
+ extern unsigned int pass_min_len;
+Index: Linux-PAM/modules/pam_unix/Makefile.am
+===================================================================
+--- Linux-PAM/modules/pam_unix/Makefile.am.orig
++++ Linux-PAM/modules/pam_unix/Makefile.am
+@@ -44,6 +44,9 @@
+ pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \
+ yppasswd_xdr.c md5_good.c md5_broken.c obscure.c
+
++pam_unix_la_LIBADD = \
++ ../pam_securetty/tty_secure.lo
++
+ bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c
+ bigcrypt_CFLAGS = $(AM_CFLAGS)
+ bigcrypt_LDFLAGS = @LIBCRYPT@
+Index: Linux-PAM/modules/pam_unix/README
+===================================================================
+--- Linux-PAM/modules/pam_unix/README.orig
++++ Linux-PAM/modules/pam_unix/README
+@@ -57,7 +57,16 @@
+
+ The default action of this module is to not permit the user access to a
+ service if their official password is blank. The nullok argument overrides
+- this default.
++ this default and allows any user with a blank password to access the
++ service.
++
++nullok_secure
++
++ The default action of this module is to not permit the user access to a
++ service if their official password is blank. The nullok_secure argument
++ overrides this default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of the values
++ found in /etc/securetty.
+
+ try_first_pass
+
+Index: Linux-PAM/modules/pam_unix/pam_unix.8
+===================================================================
+--- Linux-PAM/modules/pam_unix/pam_unix.8.orig
++++ Linux-PAM/modules/pam_unix/pam_unix.8
+@@ -62,7 +62,14 @@
+ .RS 4
+ The default action of this module is to not permit the user access to a service if their official password is blank\. The
+ \fBnullok\fR
+-argument overrides this default\.
++argument overrides this default and allows any user with a blank password to access the service\.
++.RE
++.PP
++\fBnullok_secure\fR
++.RS 4
++The default action of this module is to not permit the user access to a service if their official password is blank\. The
++\fBnullok_secure\fR
++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\.
+ .RE
+ .PP
+ \fBtry_first_pass\fR
+Index: Linux-PAM/modules/pam_unix/pam_unix.8.xml
+===================================================================
+--- Linux-PAM/modules/pam_unix/pam_unix.8.xml.orig
++++ Linux-PAM/modules/pam_unix/pam_unix.8.xml
+@@ -135,7 +135,24 @@
+ <para>
+ The default action of this module is to not permit the
+ user access to a service if their official password is blank.
+- The <option>nullok</option> argument overrides this default.
++ The <option>nullok</option> argument overrides this default
++ and allows any user with a blank password to access the
++ service.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>nullok_secure</option>
++ </term>
++ <listitem>
++ <para>
++ The default action of this module is to not permit the
++ user access to a service if their official password is blank.
++ The <option>nullok_secure</option> argument overrides this
++ default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of
++ the values found in /etc/securetty.
+ </para>
+ </listitem>
+ </varlistentry>
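Review bot: The new token matching at `if (unix_args[j].token[sl-1] == '=')` reads one byte before the string whenever a token is the empty string, so the index should be guarded with `if (sl > 0 && unix_args[j].token[sl-1] == '=')`, and `sl` should be declared `size_t` rather than `int` since it holds a `strlen` result; no empty token is visible in the `unix_args` table here, so this is defensive rather than a live fault. In the `_unix_blankpasswd` addition the block correctly fails closed when `PAM_TTY` is unset or the tty is not listed, and that choice deserves a why-comment such as `/* no tty, or an insecure one: never grant on a blank password */`, because callers that set no tty are denied even with nullok_secure while the README wording only says the tty must appear in /etc/securetty. The mask edits on the `UNIX__NONULL` and `nullok_secure` table entries make those two flags clear each other, but the `nullok` entry (outside this hunk) appears not to clear 0x1000000, so the tty check presumably applies whenever both options are given in either order; if that is intended, state it in the README, and if not, `nullok` needs to clear 0x1000000 as well. The bodies of the argument-parsing loop and of `_unix_blankpasswd` continue outside the quoted inner hunks, so the flow after the added early returns could not be checked here.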