a9ef7f8676
pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts Drop tallylog and pam_tally documentation pam_faillock: Support local_users_only option pam_lastlog: Do not display failed attempts with PAM_SILENT flag pam_lastlog: Support unlimited option to override fsize limit pam_unix: Log if user authenticated without password pam_tty_audit: Improve manual page Optimize closing fds when spawning helpers Fix duplicate password verification in pam_authtok_verify()
89 lines
2.9 KiB
Diff
89 lines
2.9 KiB
Diff
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
|
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
Date: Wed, 7 Aug 2019 12:22:55 +0200
|
|
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
|
|
|
|
If password was already verified by previous modules in the stack
|
|
it does not need to be verified by pam_get_authtok_verify either.
|
|
|
|
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
|
|
appropriately.
|
|
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
|
|
set it when the password is verified.
|
|
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
|
|
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
|
|
---
|
|
libpam/pam_get_authtok.c | 10 ++++++++++
|
|
libpam/pam_private.h | 1 +
|
|
libpam/pam_start.c | 1 +
|
|
3 files changed, 12 insertions(+)
|
|
|
|
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
|
|
index 800c6e5..99eb25f 100644
|
|
--- a/libpam/pam_get_authtok.c
|
|
+++ b/libpam/pam_get_authtok.c
|
|
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
|
}
|
|
else if (chpass)
|
|
{
|
|
+ pamh->authtok_verified = 0;
|
|
+
|
|
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
|
|
PROMPT1, authtok_type,
|
|
strlen (authtok_type) > 0?" ":"");
|
|
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
|
if (retval != PAM_SUCCESS)
|
|
return retval;
|
|
|
|
+ if (chpass > 1)
|
|
+ pamh->authtok_verified = 1;
|
|
+
|
|
return pam_get_item(pamh, item, (const void **)authtok);
|
|
}
|
|
|
|
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
|
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
|
|
return PAM_SYSTEM_ERR;
|
|
|
|
+ if (pamh->authtok_verified)
|
|
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
|
|
+
|
|
if (prompt != NULL)
|
|
{
|
|
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
|
|
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
|
if (retval != PAM_SUCCESS)
|
|
return retval;
|
|
|
|
+ pamh->authtok_verified = 1;
|
|
+
|
|
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
|
|
}
|
|
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
|
index 7ff9f75..58a26f5 100644
|
|
--- a/libpam/pam_private.h
|
|
+++ b/libpam/pam_private.h
|
|
@@ -172,6 +172,7 @@ struct pam_handle {
|
|
#ifdef HAVE_LIBAUDIT
|
|
int audit_state; /* keep track of reported audit messages */
|
|
#endif
|
|
+ int authtok_verified;
|
|
};
|
|
|
|
/* Values for select arg to _pam_dispatch() */
|
|
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
|
|
index 328416d..e27c64b 100644
|
|
--- a/libpam/pam_start.c
|
|
+++ b/libpam/pam_start.c
|
|
@@ -94,6 +94,7 @@ int pam_start (
|
|
#endif
|
|
(*pamh)->xdisplay = NULL;
|
|
(*pamh)->authtok_type = NULL;
|
|
+ (*pamh)->authtok_verified = 0;
|
|
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
|
|
|
|
if (((*pamh)->pam_conversation = (struct pam_conv *)
|
|
--
|
|
2.20.1
|
|
|