120 lines
3.6 KiB
Diff
120 lines
3.6 KiB
Diff
From 9f4b4ef1b5e1458ca67cff235b655060b27e357b Mon Sep 17 00:00:00 2001
|
|
From: Graham Rogers <graham@rogers.me.uk>
|
|
Date: Sun, 18 Apr 2021 12:22:14 +0100
|
|
Subject: [PATCH 2/2] pam_gdm: Use the last cryptsetup password instead of the
|
|
first
|
|
|
|
---
|
|
pam_gdm/pam_gdm.c | 32 ++++++++++++++++++++++++++------
|
|
1 file changed, 26 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c
|
|
index 767a6c8c..ef77f161 100644
|
|
--- a/pam_gdm/pam_gdm.c
|
|
+++ b/pam_gdm/pam_gdm.c
|
|
@@ -11,75 +11,95 @@
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
*
|
|
*/
|
|
#include <config.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <security/_pam_macros.h>
|
|
#include <security/pam_ext.h>
|
|
#include <security/pam_misc.h>
|
|
#include <security/pam_modules.h>
|
|
#include <security/pam_modutil.h>
|
|
|
|
#ifdef HAVE_KEYUTILS
|
|
#include <keyutils.h>
|
|
#endif
|
|
|
|
int
|
|
pam_sm_authenticate (pam_handle_t *pamh,
|
|
int flags,
|
|
int argc,
|
|
const char **argv)
|
|
{
|
|
#ifdef HAVE_KEYUTILS
|
|
- int r;
|
|
- void *cached_password = NULL;
|
|
+ long r;
|
|
+ size_t cached_passwords_length;
|
|
+ char *cached_passwords = NULL;
|
|
+ char *last_cached_password = NULL;
|
|
key_serial_t serial;
|
|
+ size_t i;
|
|
|
|
serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
|
|
if (serial == 0)
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
|
|
- r = keyctl_read_alloc (serial, &cached_password);
|
|
- if (r < 0 || r != strlen (cached_password))
|
|
+ r = keyctl_read_alloc (serial, &cached_passwords);
|
|
+ if (r < 0)
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
+
|
|
+ cached_passwords_length = r;
|
|
+
|
|
+ /*
|
|
+ Find the last password in the NUL-separated list of passwords.
|
|
+ Multiple passwords are returned either when the user enters an
|
|
+ incorrect password or there are multiple encrypted drives.
|
|
+ In the case of an incorrect password the last one is correct.
|
|
+ In the case of multiple drives, choosing the last drive is as
|
|
+ arbitrary a choice as any other, but choosing the last password at
|
|
+ least supports multiple attempts on the last drive.
|
|
+ */
|
|
+ last_cached_password = cached_passwords;
|
|
+ for (i = 0; i < cached_passwords_length; i++) {
|
|
+ last_cached_password = cached_passwords + i;
|
|
+ i += strlen (last_cached_password);
|
|
+ }
|
|
|
|
- r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
|
|
+ r = pam_set_item (pamh, PAM_AUTHTOK, last_cached_password);
|
|
|
|
- free (cached_password);
|
|
+ free (cached_passwords);
|
|
|
|
if (r < 0)
|
|
return PAM_AUTH_ERR;
|
|
else
|
|
return PAM_SUCCESS;
|
|
#endif
|
|
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
}
|
|
|
|
int
|
|
pam_sm_setcred (pam_handle_t *pamh,
|
|
int flags,
|
|
int argc,
|
|
const char **argv)
|
|
{
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
int
|
|
pam_sm_acct_mgmt (pam_handle_t *pamh,
|
|
int flags,
|
|
int argc,
|
|
const char **argv)
|
|
{
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
int
|
|
pam_sm_chauthtok (pam_handle_t *pamh,
|
|
--
|
|
2.35.1
|
|
|