| author | yar <yar@FreeBSD.org> | 2007-03-27 09:59:15 +0000 |
|---|---|---|
| committer | yar <yar@FreeBSD.org> | 2007-03-27 09:59:15 +0000 |
| commit | e8ee34e14226896a922a31df367fb5c72d0febe3 (patch) | |
| tree | 427ce73f6ee77fa20372e0a14caeaedf10ba0ae9 | |
| parent | ecbefa2cc582770cbe525b558380fa91de7c1790 (diff) | |
| download | FreeBSD-src-e8ee34e14226896a922a31df367fb5c72d0febe3.zip FreeBSD-src-e8ee34e14226896a922a31df367fb5c72d0febe3.tar.gz | |
In account management, verify whether the account has been locked
with `pw lock', so that it's impossible to log into a locked account
using an alternative authentication mechanism, such as an ssh key.
This change affects only accounts locked with pw(8), i.e., having a
`*LOCKED*' prefix in their password hash field, so people still can
use a different pattern to disable password authentication only.
Mention all account management criteria in the manpage.
Approved by: maintainer (timeout)
PR: bin/71147
MFC after: 1 month
| -rw-r--r-- | lib/libpam/modules/pam_unix/pam_unix.8 | 19 |
|---|---|---|
| -rw-r--r-- | lib/libpam/modules/pam_unix/pam_unix.c | 6 |

2 files changed, 22 insertions, 3 deletions
diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8 index 8d1c8b9..60667e6 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.8 +++ b/lib/libpam/modules/pam_unix/pam_unix.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 12, 2006 +.Dd March 27, 2007 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -142,8 +142,20 @@ provides a function to perform account management, .Fn pam_sm_acct_mgmt . The function verifies that the authenticated user -is allowed to login to the local user account -by checking the password expiry date. +is allowed to log into the local user account +by checking the following criteria: +.Bl -dash -offset indent +.It +locked status of the account compatible with +.Xr pw 8 +.Cm lock ; +.It +the password expiry date from +.Xr passwd 5 ; +.It +.Xr login.conf 5 +restrictions on the remote host, login time, and tty. +.El .Pp The following options may be passed to the management module: .Bl -tag -width ".Cm use_first_pass" @@ -199,4 +211,5 @@ password database. .Xr nsswitch.conf 5 , .Xr passwd 5 , .Xr pam 8 , +.Xr pw 8 , .Xr yp 8 diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index 26084ec..46b5f47 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -70,6 +70,9 @@ __FBSDID("$FreeBSD$"); #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ #define SALTSIZE 32 +#define LOCKED_PREFIX "*LOCKED*" +#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1) + static void makesalt(char []); static char password_hash[] = PASSWORD_HASH; @@ -176,6 +179,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) return (PAM_NEW_AUTHTOK_REQD); + if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0) + return (PAM_AUTH_ERR); + lc = login_getpwclass(pwd); if (lc == NULL) { PAM_LOG("Unable to get login class for user %s", user); |
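Review bot: in the pam_unix.8 hunk at @@ -142,8 +142,20 @@, the first list item ("locked status of the account compatible with .Xr pw 8 .Cm lock") does not say what is actually tested, even though the commit message is explicit that only a password hash carrying the `*LOCKED*` prefix written by pw(8) counts and that other disabling patterns are deliberately left alone. Adding that detail to the item (for example, "i.e., a password hash beginning with *LOCKED*") would stop a reader from assuming that any starred or otherwise mangled hash also blocks key-based logins, which is exactly the gap this change is meant to close.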
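Review bot: in the pam_unix.c hunk at @@ -176,6 +179,9 @@, the new `strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0` check returns PAM_AUTH_ERR without any log line, while the neighbouring failure path logs through PAM_LOG ("Unable to get login class for user %s"). A `PAM_LOG("Account %s is locked", user);` before the return would let an administrator see in the auth log why an otherwise valid ssh key was refused, instead of a bare failure. Separately, the lock test sits after the expiry and empty-password checks that precede it (the `return (PAM_NEW_AUTHTOK_REQD);` visible as context), so a locked account whose password has also expired is reported as "new authtok required" rather than as locked; moving the strncmp check to the top of the function would make the lock decisive regardless of the account's other state.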