aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Harding <dharding@living180.net>2022-05-13 14:25:02 +0300
committerSam James <sam@gentoo.org>2023-12-17 12:45:22 +0000
commita125db180b5f9325cdabd90d17477090fbba95e5 (patch)
tree335474ec1e97d0dbb5b36cb16824a506a6f024d3 /templates
parentAdd README.md (diff)
downloadpambase-a125db180b5f9325cdabd90d17477090fbba95e5.tar.gz
pambase-a125db180b5f9325cdabd90d17477090fbba95e5.tar.bz2
pambase-a125db180b5f9325cdabd90d17477090fbba95e5.zip
Honor pam_unix.so return value
Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value of pam_authenticate() for the case when the user enters an incorrect password. Prior to that change pam_authenticate() would return PAM_AUTH_ERR for an incorrect password, while after it would return PAM_PERM_DENIED. The root cause is that after that change, nothing in the stack before the final pam_faillock.so auth entry is setting `impression` in _pam_dispatch_aux(). If the user has not reached the maximum number of tries, pam_faillock.so returns PAM_IGNORE [1] and thus _pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is defined to be PAM_PERM_DENIED [3]. This ends up being the return value for pam_authenticate(). This commit addresses the problem by changing the `default` control action for the pam_unix.so auth entry from `ignore` to `bad` (the same as when its control value was `required`). Thus when processing the pam_unix.so entry, _pam_dispatch_aux() will set `impression` to _PAM_NEGATIVE and `status` to the return value of pam_unix.so, PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final pam_faillock.so auth entry. Because `impression` is now _PAM_NEGATIVE, _pam_dispatch_aux() will not change the value of `status` and the return value of pam_authenticate() is PAM_AUTH_ERR as desired. Also ensure that `new_authtok_reqd` is handled correctly when returned from from pam_unix.so. [1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712 [2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244 [3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17 [4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246 Signed-off-by: Daniel Harding <dharding@living180.net> Closes: https://github.com/gentoo/pambase/pull/10 Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'templates')
-rw-r--r--templates/system-auth.tpl2
1 files changed, 1 insertions, 1 deletions
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 9739b6f..9b078f3 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -11,7 +11,7 @@ auth requisite pam_faillock.so preauth
{% if homed %}
auth [success=2 default=ignore] pam_systemd_home.so
{% endif %}
-auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
auth [default=die] pam_faillock.so authfail
{% if caps %}