diff options
author | Daniel Harding <dharding@living180.net> | 2022-05-13 14:25:02 +0300 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2023-12-17 12:45:22 +0000 |
commit | a125db180b5f9325cdabd90d17477090fbba95e5 (patch) | |
tree | 335474ec1e97d0dbb5b36cb16824a506a6f024d3 /templates | |
parent | Add README.md (diff) | |
download | pambase-a125db180b5f9325cdabd90d17477090fbba95e5.tar.gz pambase-a125db180b5f9325cdabd90d17477090fbba95e5.tar.bz2 pambase-a125db180b5f9325cdabd90d17477090fbba95e5.zip |
Honor pam_unix.so return value
Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value
of pam_authenticate() for the case when the user enters an incorrect
password. Prior to that change pam_authenticate() would return
PAM_AUTH_ERR for an incorrect password, while after it would return
PAM_PERM_DENIED.
The root cause is that after that change, nothing in the stack before
the final pam_faillock.so auth entry is setting `impression` in
_pam_dispatch_aux(). If the user has not reached the maximum number of
tries, pam_faillock.so returns PAM_IGNORE [1] and thus
_pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is
defined to be PAM_PERM_DENIED [3]. This ends up being the return value
for pam_authenticate().
This commit addresses the problem by changing the `default` control
action for the pam_unix.so auth entry from `ignore` to `bad` (the same
as when its control value was `required`). Thus when processing the
pam_unix.so entry, _pam_dispatch_aux() will set `impression` to
_PAM_NEGATIVE and `status` to the return value of pam_unix.so,
PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final
pam_faillock.so auth entry. Because `impression` is now _PAM_NEGATIVE,
_pam_dispatch_aux() will not change the value of `status` and the return
value of pam_authenticate() is PAM_AUTH_ERR as desired.
Also ensure that `new_authtok_reqd` is handled correctly when returned
from from pam_unix.so.
[1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712
[2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244
[3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17
[4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246
Signed-off-by: Daniel Harding <dharding@living180.net>
Closes: https://github.com/gentoo/pambase/pull/10
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'templates')
-rw-r--r-- | templates/system-auth.tpl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 9739b6f..9b078f3 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -11,7 +11,7 @@ auth requisite pam_faillock.so preauth {% if homed %} auth [success=2 default=ignore] pam_systemd_home.so {% endif %} -auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail {% if caps %} |