File openssh-7.7p1-pam_check_locks.patch of Package openssh.17033
# HG changeset patch
# Parent 089f4fba0112d410a1bfa74398941f076681d446
new option UsePAMCheckLocks to enforce checking for locked accounts while UsePAM is used bnc#708678, FATE#312033
Index: openssh-7.8p1/auth.c
===================================================================
--- openssh-7.8p1.orig/auth.c
+++ openssh-7.8p1/auth.c
@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw)
 return 0;
 #ifdef USE_SHADOW
- if (!options.use_pam)
+ if (!options.use_pam || options.use_pam_check_locks)
 spw = getspnam(pw->pw_name);
 #ifdef HAS_SHADOW_EXPIRE
 if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw)
 #endif
 /* check for locked account */
- if (!options.use_pam && passwd && *passwd) {
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
 int locked = 0;
 #ifdef LOCKED_PASSWD_STRING
Index: openssh-7.8p1/servconf.c
===================================================================
--- openssh-7.8p1.orig/servconf.c
+++ openssh-7.8p1/servconf.c
@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions
 /* Portable-specific options */
 options->use_pam = -1;
+ options->use_pam_check_locks = -1;
 /* Standard Options */
 options->num_ports = 0;
@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption
 /* Portable-specific options */
 if (options->use_pam == -1)
 options->use_pam = 0;
+ if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0;
 /* Standard Options */
 if (options->num_host_key_files == 0) {
@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption
 typedef enum {
 sBadOption, /* == unknown option */
 /* Portable-specific options */
- sUsePAM,
+ sUsePAM, sUsePAMChecklocks,
 /* Standard Options */
 sPort, sHostKeyFile, sLoginGraceTime,
 sPermitRootLogin, sLogFacility, sLogLevel,
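Review bot: In allowed_user() (auth.c) the new condition can pass silently when getspnam() returns NULL, because the lock test in the second hunk (`@@ -132,7`) only inspects `passwd`; its assignment sits between the two hunks and is not visible here, but in upstream OpenSSH it falls back to `pw->pw_passwd` when `spw` is NULL. For an account with no local shadow entry, or when the lookup fails, an administrator who set UsePAMCheckLocks gets no lock check and no indication of that. Consider logging the case right after the lookup, e.g. `if (options.use_pam_check_locks && spw == NULL) debug("UsePAMCheckLocks: no shadow entry for %.100s, lock state not checked", pw->pw_name);`. The expiry test in the context lines stays gated on `!options.use_pam` alone, which looks intentional but deserves a one-line comment such as `/* UsePAMCheckLocks covers locks only; expiry is left to PAM */`.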
@@ -509,8 +512,10 @@ static struct {
 /* Portable-specific options */
 #ifdef USE_PAM
 { "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
 #else
 { "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
 #endif
 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 /* Standard Options */
@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions
 case sUsePAM:
 intptr = &options->use_pam;
 goto parse_flag;
+ case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks;
+ goto parse_flag;
 /* Standard Options */
 case sBadOption:
Index: openssh-7.8p1/servconf.h
===================================================================
--- openssh-7.8p1.orig/servconf.h
+++ openssh-7.8p1/servconf.h
@@ -181,6 +181,7 @@ typedef struct {
 char *adm_forced_command;
 int use_pam; /* Enable auth via PAM */
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
 int permit_tun;
Index: openssh-7.8p1/sshd_config.0
===================================================================
--- openssh-7.8p1.orig/sshd_config.0
+++ openssh-7.8p1/sshd_config.0
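Review bot: The new keyword is parsed in process_server_config_line() (servconf.c, `@@ -1250,6`), but no hunk in the visible patch adds it to dump_config(), so `sshd -T` presumably will not report the effective UsePAMCheckLocks value and the setting is hard to audit. If the upstream layout holds, a line such as `dump_cfg_fmtint(sUsePAMChecklocks, o->use_pam_check_locks);` next to the existing UsePAM dump under `#ifdef USE_PAM` would cover it. The enum constant is spelled `sUsePAMChecklocks` while the option and the struct field use CheckLocks / check_locks; `sUsePAMCheckLocks` would be consistent across the enum, the keyword table and this case label. The function body continues outside the hunk.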
@@ -961,6 +961,14 @@ DESCRIPTION
 If UsePAM is enabled, you will not be able to run sshd(8) as a
 non-root user. The default is no.
+ UsePAMCheckLocks
+ When set to ``yes'', the checks whether the account has been
+ locked with `passwd -l' are performed even when PAM authentication
+ is enabled via UsePAM. This is to ensure that it is not possible
+ to log in with e.g. a public key (in such a case PAM is used only
+ to set up the session and some PAM modules will not check whether
+ the account is locked in this scenario). The default is ``no''.
+
 VersionAddendum
 Optionally specifies additional text to append to the SSH
 protocol banner sent by the server upon connection. The default
Index: openssh-7.8p1/sshd_config.5
===================================================================
--- openssh-7.8p1.orig/sshd_config.5
+++ openssh-7.8p1/sshd_config.5
@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Cm no .
+.It Cm UsePAMCheckLocks
+When set to
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is
+.Dq no .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.