From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 716A91399E6 for ; Fri, 4 Sep 2015 08:30:06 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 229BC14281; Fri, 4 Sep 2015 08:29:55 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 63A86E07E2 for ; Fri, 4 Sep 2015 08:29:53 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7680C340948 for ; Fri, 4 Sep 2015 08:29:52 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 990A718A for ; Fri, 4 Sep 2015 08:29:49 +0000 (UTC) From: "Ulrich Müller" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Ulrich Müller" Message-ID: <1283971358.295467f44f529af7472811397576672569922b02.ulm@gentoo> Subject: [gentoo-commits] dev/ulm:master commit in: patchsets/pam_skey/1.1.5/ X-VCS-Repository: dev/ulm X-VCS-Files: patchsets/pam_skey/1.1.5/02_all_require_skey.patch X-VCS-Directories: patchsets/pam_skey/1.1.5/ X-VCS-Committer: ulm X-VCS-Committer-Name: Ulrich Müller X-VCS-Revision: 295467f44f529af7472811397576672569922b02 X-VCS-Branch: master Date: Fri, 4 Sep 2015 08:29:49 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 6c95c63a-4677-4384-b330-504f405813e1 X-Archives-Hash: 67c511cee3ba42d3e77b4ed78524fc71 Message-ID: <20150904082949.rd3KaSiqHSi3VcRYU3jF0W4VGKxbblBU-FKanhZjnfI@z> commit: 295467f44f529af7472811397576672569922b02 Author: Ulrich Müller gentoo org> AuthorDate: Wed Sep 8 18:42:38 2010 +0000 Commit: Ulrich Müller gentoo org> CommitDate: Wed Sep 8 18:42:38 2010 +0000 URL: https://gitweb.gentoo.org/dev/ulm.git/commit/?id=295467f4 Patchset 2, add 02_all_require_skey.patch. patchsets/pam_skey/1.1.5/02_all_require_skey.patch | 130 +++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/patchsets/pam_skey/1.1.5/02_all_require_skey.patch b/patchsets/pam_skey/1.1.5/02_all_require_skey.patch new file mode 100644 index 0000000..3eab29d --- /dev/null +++ b/patchsets/pam_skey/1.1.5/02_all_require_skey.patch @@ -0,0 +1,130 @@ +http://bugs.gentoo.org/336449 +Patch contributed by Jan Sembera + +In my environment, I'd like to use pam_skey as optional authentication +measure that wouldn't replace the password, but would complement it. +Ie. when the user sets the S/Key, he should be afterwards asked to +provide the S/Key _and_ his password, without the possibility to just +enter his password and circumvent S/Keys. On the other hand, when the +user doesn't have S/Key set, he should be able to login with his +password only. + +Why PAM would generally allow this, with the current internals of +pam_skey, this setup isn't possible. You simply cannot distinguish +between "user has no S/Key set" case (it returns IGNORE) and "user +doesn't want to provide S/Key" (it returns IGNORE as well). + +I'm attaching a patch that will add option require_skey to pam_skey. +When this option is set, module will require the user to successfully +authenticate using S/key, and will return IGNORE only in case the user +didn't set up his key. If this option isn't provided, the behaviour of +the module doesn't change. + +--- pam_skey-orig/README ++++ pam_skey/README +@@ -21,7 +21,7 @@ + - The options accepted by the pam_skey.so module are different, as + described below. + +-Four options are accepted by the pam_skey.so module: ++Five options are accepted by the pam_skey.so module: + debug - This option turns on debug logging. + try_first_pass - This option tells the module to first try using + the authentication token passed from the +@@ -44,6 +44,12 @@ + cause the module to pass the given password to the + next module in the authentication stack (usually + pam_unix.so with the try_first_pass option). ++ require_skey - This options tells the module to require S/Key ++ authentication if the user has S/Key set. When ++ this option is set, it is possible to require both ++ S/Key and another authentication method (like ++ password) for successful login. This is mutually ++ exclusive with no_default_skey. + + The exact behavior of pam_skey.so is detailed below: + +@@ -54,21 +60,22 @@ + if it is a valid response to the current S/Key challenge. If so, + return PAM_SUCCESS. + 3a. If the token is invalid and use_first_pass is enabled, return +- PAM_IGNORE. ++ PAM_IGNORE (or PAM_AUTHERR if require_skey is set). + 4. If no_default_skey is enabled, issue a "Password: " prompt. + 4a. If the response is anything besides "s/key" (case insensitive), + store it as the authentication token and return PAM_IGNORE. + 5. Display the current S/Key challenge and request a response, with +- input not echoed. If no_default_skey is enabled, this will only be +- an S/Key response request; otherwise, it will request either an +- S/Key response or a system passsword. ++ input not echoed. If no_default_skey or require_skey is enabled, ++ this will only be an S/Key response request; otherwise, it will ++ request either an S/Key response or a system passsword. + 5a. If an empty response is given, request the S/Key response again, + this time with input echoed. + 5b. If the response is a valid S/Key response, return PAM_SUCCESS. + Otherwise, return PAM_AUTHERR. + 6. If the response is a valid S/Key response, return PAM_SUCCESS. +-7. Otherwise, if no_default_skey is enabled (the user specifically +- requested "s/key" authentication), return PAM_AUTHERR. ++7. Otherwise, if no_default_skey is enabled (and the user specifically ++ requested "s/key" authentication), or if require_skey is enabled, ++ return PAM_AUTHERR. + 8. Otherwise, store the response as the authentication token and + return PAM_IGNORE. + +--- pam_skey-orig/pam_skey.c ++++ pam_skey/pam_skey.c +@@ -110,7 +110,7 @@ + if (skey_passcheck(username, response) != -1) { + return PAM_SUCCESS; + } else if (mod_opt & _MOD_USE_FIRST_PASS) { +- return PAM_IGNORE; ++ return (mod_opt & _MOD_REQUIRE_SKEY) ? PAM_AUTH_ERR : PAM_IGNORE; + } + } else if (mod_opt & _MOD_USE_FIRST_PASS) { + return PAM_AUTHTOK_RECOVER_ERR; +@@ -138,7 +138,7 @@ + return PAM_AUTHINFO_UNAVAIL; + } + +- if (mod_opt & _MOD_NO_DEFAULT_SKEY) ++ if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) + status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response); + else + status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response); +@@ -166,7 +166,7 @@ + return PAM_SUCCESS; + } + +- if (mod_opt & _MOD_NO_DEFAULT_SKEY) { ++ if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) { + _pam_delete(response); + return PAM_AUTH_ERR; + } +--- pam_skey-orig/pam_skey.h ++++ pam_skey/pam_skey.h +@@ -78,13 +78,14 @@ + #define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */ + #define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */ + #define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */ ++#define _MOD_REQUIRE_SKEY 0x0010 /* Require S/Key if set */ + + /* Setup defaults - use echo off only */ + #define _MOD_DEFAULT_FLAG _MOD_NONE_ON + #define _MOD_DEFAULT_MASK _MOD_ALL_ON + + /* Number of parameters currently known */ +-#define _MOD_ARGS 4 ++#define _MOD_ARGS 5 + + /* Structure for flexible argument parsing */ + typedef struct +@@ -101,5 +102,6 @@ + {"debug", _MOD_ALL_ON, _MOD_DEBUG}, + {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS}, + {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, +- {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY} ++ {"no_default_skey", _MOD_ALL_ON & ~_MOD_REQUIRE_SKEY, _MOD_NO_DEFAULT_SKEY}, ++ {"require_skey", _MOD_ALL_ON & ~_MOD_NO_DEFAULT_SKEY, _MOD_REQUIRE_SKEY} + };