File openssh-7.2p2-pam_check_locks.patch of Package openssh.32839
From 9cf0d040450e42746d727eb5b3d293bb8fddebf8 Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Tue, 25 Oct 2022 18:53:18 +0200
Subject: [PATCH] openssh-7.2p2-pam_check_locks
# HG changeset patch
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
new option UsePAMCheckLocks to enforce checking for locked accounts while UsePAM is used
bnc#708678, FATE#312033
---
 auth.c | 4 ++--
 servconf.c | 10 +++++++++-
 servconf.h | 1 +
 sshd_config.0 | 8 ++++++++
 sshd_config.5 | 12 ++++++++++++
 5 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/auth.c b/auth.c
index 214c2c70..407f8ece 100644
--- a/auth.c
+++ b/auth.c
@@ -109,7 +109,7 @@ allowed_user(struct passwd * pw)
 return 0;
 #ifdef USE_SHADOW
- if (!options.use_pam)
+ if (!options.use_pam || options.use_pam_check_locks)
 spw = getspnam(pw->pw_name);
 #ifdef HAS_SHADOW_EXPIRE
 if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
@@ -129,7 +129,7 @@ allowed_user(struct passwd * pw)
 #endif
 /* check for locked account */
- if (!options.use_pam && passwd && *passwd) {
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
 int locked = 0;
 #ifdef LOCKED_PASSWD_STRING
diff --git a/servconf.c b/servconf.c
index 5b16c32a..cb1d93f9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -74,6 +74,7 @@ initialize_server_options(ServerOptions *options)
 /* Portable-specific options */
 options->use_pam = -1;
+ options->use_pam_check_locks = -1;
 /* Standard Options */
 options->num_ports = 0;
@@ -200,6 +201,8 @@ fill_default_server_options(ServerOptions *options)
 /* Portable-specific options */
 if (options->use_pam == -1)
 options->use_pam = 0;
+ if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0;
 /* Standard Options */
 if (options->protocol == SSH_PROTO_UNKNOWN)
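Review bot: The gate `!options.use_pam || options.use_pam_check_locks` is now written out twice in allowed_user() — once before the getspnam() call in the first auth.c hunk and again in the locked-account test in the second — so a later edit to one copy can silently desynchronise the other; hoisting it into a local such as `int check_locks = !options.use_pam || options.use_pam_check_locks;` ahead of `#ifdef USE_SHADOW` and using it in both conditions keeps them in step. When UsePAMCheckLocks is on but getspnam() returns NULL (shadow unreadable), the second test falls through to whatever `passwd` already holds with no diagnostic — presumably the pw_passwd field, which on shadow systems carries no lock marker — so the option can appear to work while checking nothing; a `debug()` on the NULL path would make that visible in the logs. The HAS_SHADOW_EXPIRE test on the line below stays gated on `!options.use_pam` alone, which matches the option's narrow name but deserves a one-line comment so it is not read as an oversight. allowed_user() begins and ends outside both hunks.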
@@ -396,7 +399,7 @@ fill_default_server_options(ServerOptions *options)
 typedef enum {
 sBadOption, /* == unknown option */
 /* Portable-specific options */
- sUsePAM,
+ sUsePAM, sUsePAMChecklocks,
 /* Standard Options */
 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 sPermitRootLogin, sLogFacility, sLogLevel,
@@ -446,8 +449,10 @@ static struct {
 /* Portable-specific options */
 #ifdef USE_PAM
 { "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
 #else
 { "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
 #endif
 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 /* Standard Options */
@@ -1010,6 +1015,9 @@ process_server_config_line(ServerOptions *options, char *line,
 case sUsePAM:
 intptr = &options->use_pam;
 goto parse_flag;
+ case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks;
+ goto parse_flag;
 /* Standard Options */
 case sBadOption:
diff --git a/servconf.h b/servconf.h
index f4137af7..92f8f365 100644
--- a/servconf.h
+++ b/servconf.h
@@ -172,6 +172,7 @@ typedef struct {
 char *adm_forced_command;
 int use_pam; /* Enable auth via PAM */
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
 int permit_tun;
diff --git a/sshd_config.0 b/sshd_config.0
index 7b5b29ed..5d664bab 100644
--- a/sshd_config.0
+++ b/sshd_config.0
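Review bot: The enumerator added in the first servconf.c hunk on this line is spelled `sUsePAMChecklocks`, while the keyword is `usepamchecklocks`, the struct field is `use_pam_check_locks` and the documented directive is `UsePAMCheckLocks`; the lower-case `l` breaks the CamelCase of the neighbouring enumerators (`sUsePAM`, `sHostKeyFile`) and is an easy typo to propagate. Renaming it `sUsePAMCheckLocks` in the enum, in the `#ifdef USE_PAM` keyword table entry and in the `case` label of process_server_config_line() keeps all four spellings aligned. Mapping `usepamchecklocks` to `sUnsupported` in the `#else` branch is the right choice, since a PAM-less build would otherwise accept a directive that can never take effect.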
@@ -951,6 +951,14 @@ DESCRIPTION
 If UsePAM is enabled, you will not be able to run sshd(8) as a
 non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
+ UsePAMCheckLocks
+ When set to ``yes'', the checks whether the account has been
+ locked with `passwd -l' are performed even when PAM authentication
+ is enabled via UsePAM. This is to ensure that it is not possible
+ to log in with e.g. a public key (in such a case PAM is used only
+ to set up the session and some PAM modules will not check whether
+ the account is locked in this scenario). The default is ``no''.
+
 UsePrivilegeSeparation
 Specifies whether sshd(8) separates privileges by creating an
 unprivileged child process to deal with incoming network traffic.
diff --git a/sshd_config.5 b/sshd_config.5
index 0d8e5267..d819d9c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1583,6 +1583,18 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Dq no .
+.It Cm UsePAMCheckLocks
+When set to
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is
+.Dq no .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8
--
2.38.0