Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
pam
pam-unix-add-no_pass_expiry-option.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File pam-unix-add-no_pass_expiry-option.patch of Package pam
From 8bb171506fc2579669fd86bd29885f256e26ccb0 Mon Sep 17 00:00:00 2001 From: Tomas Mraz <tmraz@fedoraproject.org> Date: Wed, 17 Feb 2016 14:21:41 +0100 Subject: [PATCH] pam_unix: Add no_pass_expiry option to ignore password expiration. * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data. (pam_sm_setcred): Test for likeauth option and use the return value data only if set. * modules/pam_unix/support.h: Add the no_pass_expiry option. Adapted for version 1.1.8 --- modules/pam_unix/pam_unix.8.xml | 19 +++++++++++++++++++ modules/pam_unix/pam_unix_acct.c | 13 +++++++++++++ modules/pam_unix/pam_unix_auth.c | 20 +++++++++++--------- modules/pam_unix/support.h | 6 ++++-- 4 files changed, 47 insertions(+), 11 deletions(-) diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml index a8b64bb5..6d8e4ba0 100644 --- a/modules/pam_unix/pam_unix.8.xml +++ b/modules/pam_unix/pam_unix.8.xml @@ -364,6 +364,25 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>no_pass_expiry</option> + </term> + <listitem> + <para> + When set ignore password expiration as defined by the + <emphasis>shadow</emphasis> entry of the user. The option has an + effect only in case <emphasis>pam_unix</emphasis> was not used + for the authentication or it returned authentication failure + meaning that other authentication source or method succeeded. + The example can be public key authentication in + <emphasis>sshd</emphasis>. The module will return + <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual + <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or + <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>. + </para> + </listitem> + </varlistentry> </variablelist> <para> Invalid arguments are logged with <citerefentry> diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 27998451..f8b39c91 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -235,6 +235,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) } else retval = check_shadow_expiry(pamh, spent, &daysleft); + if (on(UNIX_NO_PASS_EXPIRY, ctrl)) { + const void *pretval = NULL; + int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */ + + if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS + && pretval) + authrv = *(const int *)pretval; + + if (authrv != PAM_SUCCESS + && (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED)) + retval = PAM_SUCCESS; + } + switch (retval) { case PAM_ACCT_EXPIRED: pam_syslog(pamh, LOG_NOTICE, diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c index 44573e6c..9a547b3a 100644 --- a/modules/pam_unix/pam_unix_auth.c +++ b/modules/pam_unix/pam_unix_auth.c @@ -82,14 +82,13 @@ #define AUTH_RETURN \ do { \ - if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \ + if (ret_data) { \ D(("recording return code for next time [%d]", \ retval)); \ *ret_data = retval; \ pam_set_data(pamh, "unix_setcred_return", \ (void *) ret_data, setcred_free); \ - } else if (ret_data) \ - free (ret_data); \ + } \ D(("done. [%s]", pam_strerror(pamh, retval))); \ return retval; \ } while (0) @@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); /* Get a few bytes so we can pass our return value to - pam_sm_setcred(). */ - if (on(UNIX_LIKE_AUTH, ctrl)) - ret_data = malloc(sizeof(int)); + pam_sm_setcred() and pam_sm_acct_mgmt(). */ + ret_data = malloc(sizeof(int)); /* get the user'name' */ @@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) */ int -pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) +pam_sm_setcred (pam_handle_t *pamh, int flags, + int argc, const char **argv) { int retval; const void *pretval = NULL; + unsigned int ctrl; D(("called.")); + ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); + retval = PAM_SUCCESS; D(("recovering return code from auth call")); /* We will only find something here if UNIX_LIKE_AUTH is set -- don't worry about an explicit check of argv. */ - if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS + if (on(UNIX_LIKE_AUTH, ctrl) + && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS && pretval) { retval = *(const int *)pretval; pam_set_data(pamh, "unix_setcred_return", NULL, NULL); diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 3729ce0c..b767c265 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -98,8 +98,9 @@ typedef struct { #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ #define UNIX_MIN_PASS_LEN 27 /* min length for password */ -#define UNIX_DES 28 /* DES, default */ +#define UNIX_NO_PASS_EXPIRY 28 /* Don't check for password expiration if not used for authentication */ +#define UNIX_DES 29 /* DES, default */ /* -------------- */ -#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ +#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) @@ -138,5 +139,6 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, +/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, }; -- 2.35.3
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor