Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 246462 Details for
Bug 336449
sys-auth/pam_skey: impossible to make S/Key authentication mandatory
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
proposed patch
pam_skey-add-require-skey.patch (text/plain), 5.06 KB, created by
Jan Sembera
on 2010-09-08 15:04:13 UTC
(
hide
)
Description:
proposed patch
Filename:
MIME Type:
Creator:
Jan Sembera
Created:
2010-09-08 15:04:13 UTC
Size:
5.06 KB
patch
obsolete
>diff -urN pam_skey-1.1.5.orig/README pam_skey-1.1.5/README >--- pam_skey-1.1.5.orig/README 2010-09-08 14:05:08.000000000 +0200 >+++ pam_skey-1.1.5/README 2010-09-08 15:01:56.000000000 +0200 >@@ -21,7 +21,7 @@ > - The options accepted by the pam_skey.so module are different, as > described below. > >-Four options are accepted by the pam_skey.so module: >+Five options are accepted by the pam_skey.so module: > debug - This option turns on debug logging. > try_first_pass - This option tells the module to first try using > the authentication token passed from the >@@ -44,6 +44,12 @@ > cause the module to pass the given password to the > next module in the authentication stack (usually > pam_unix.so with the try_first_pass option). >+ require_skey - This options tells the module to require S/Key >+ authentication if the user has S/Key set. When >+ this option is set, it is possible to require both >+ S/Key and other authentication method (like >+ password) for successful login. This is mutually >+ exclusive with no_default_skey. > > The exact behavior of pam_skey.so is detailed below: > >@@ -54,21 +60,21 @@ > if it is a valid response to the current S/Key challenge. If so, > return PAM_SUCCESS. > 3a. If the token is invalid and use_first_pass is enabled, return >- PAM_IGNORE. >+ PAM_IGNORE (or PAM_AUTHERR if require_skey is set). > 4. If no_default_skey is enabled, issue a "Password: " prompt. > 4a. If the response is anything besides "s/key" (case insensitive), > store it as the authentication token and return PAM_IGNORE. > 5. Display the current S/Key challenge and request a response, with >- input not echoed. If no_default_skey is enabled, this will only be >- an S/Key response request; otherwise, it will request either an >- S/Key response or a system passsword. >+ input not echoed. If no_default_skey or require_skey is enabled, >+ this will only be an S/Key response request; otherwise, it will >+ request either an S/Key response or a system passsword. > 5a. If an empty response is given, request the S/Key response again, > this time with input echoed. > 5b. If the response is a valid S/Key response, return PAM_SUCCESS. > Otherwise, return PAM_AUTHERR. > 6. If the response is a valid S/Key response, return PAM_SUCCESS. >-7. Otherwise, if no_default_skey is enabled (the user specifically >- requested "s/key" authentication), return PAM_AUTHERR. >+7. Otherwise, if no_default_skey or require_skey is enabled (the user >+ specifically requested "s/key" authentication), return PAM_AUTHERR. > 8. Otherwise, store the response as the authentication token and > return PAM_IGNORE. > >diff -urN pam_skey-1.1.5.orig/pam_skey.c pam_skey-1.1.5/pam_skey.c >--- pam_skey-1.1.5.orig/pam_skey.c 2010-09-08 14:05:08.000000000 +0200 >+++ pam_skey-1.1.5/pam_skey.c 2010-09-08 15:46:11.000000000 +0200 >@@ -110,7 +110,11 @@ > if (skey_passcheck(username, response) != -1) { > return PAM_SUCCESS; > } else if (mod_opt & _MOD_USE_FIRST_PASS) { >- return PAM_IGNORE; >+ if (mod_opt & _MOD_REQUIRE_SKEY) { >+ return PAM_AUTH_ERR; >+ } else { >+ return PAM_IGNORE; >+ } > } > } else if (mod_opt & _MOD_USE_FIRST_PASS) { > return PAM_AUTHTOK_RECOVER_ERR; >@@ -138,7 +142,7 @@ > return PAM_AUTHINFO_UNAVAIL; > } > >- if (mod_opt & _MOD_NO_DEFAULT_SKEY) >+ if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) > status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response); > else > status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response); >@@ -166,7 +170,7 @@ > return PAM_SUCCESS; > } > >- if (mod_opt & _MOD_NO_DEFAULT_SKEY) { >+ if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) { > _pam_delete(response); > return PAM_AUTH_ERR; > } >diff -urN pam_skey-1.1.5.orig/pam_skey.h pam_skey-1.1.5/pam_skey.h >--- pam_skey-1.1.5.orig/pam_skey.h 2010-09-08 14:05:08.000000000 +0200 >+++ pam_skey-1.1.5/pam_skey.h 2010-09-08 15:47:29.000000000 +0200 >@@ -78,13 +78,14 @@ > #define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */ > #define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */ > #define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */ >+#define _MOD_REQUIRE_SKEY 0x0010 /* Require S/Key if set */ > > /* Setup defaults - use echo off only */ > #define _MOD_DEFAULT_FLAG _MOD_NONE_ON > #define _MOD_DEFAULT_MASK _MOD_ALL_ON > > /* Number of parameters currently known */ >-#define _MOD_ARGS 4 >+#define _MOD_ARGS 5 > > /* Structure for flexible argument parsing */ > typedef struct >@@ -101,5 +102,6 @@ > {"debug", _MOD_ALL_ON, _MOD_DEBUG}, > {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS}, > {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, >- {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY} >+ {"no_default_skey", (~_MOD_REQUIRE_SKEY), _MOD_NO_DEFAULT_SKEY}, >+ {"require_skey", (~_MOD_NO_DEFAULT_SKEY), _MOD_REQUIRE_SKEY} > };
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=246462">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 336449
: 246462
