c8a6aadf10
- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
- add support for disabling password logging in pam_tty_audit
101 lines
4.1 KiB
diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
fi
else
LIBAUDIT=""
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
<para>
pam_tty_audit was written by Miloslav Trmač
<mitr@redhat.com>.
+ The log_passwd option was added by Richard Guy Briggs
+ <rgb@redhat.com>.
</para>
</refsect1>
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
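Review bot: `log_passwd` is declared here under `#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD` and only zeroed in a second, identically fenced block in the next hunk (`log_passwd = 0;`); initializing at the declaration, `int log_passwd = 0;`, removes one of the four conditional blocks this option needs and keeps the variable from ever being read unset if the parsing loop is later reordered. The surrounding code does initialize `open_only` on a separate line, so keeping the split is defensible as file convention; the point is style only. pam_sm_open_session begins before this hunk and its body continues past it.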
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
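Review bot: Nothing in the code says what `log_passwd = 1;` switches on, and it is the one option in this module that changes what lands in the audit trail: keystrokes typed with ECHO off, i.e. password entry, as the man-page hunk describes. A comment on the new branch should make that explicit, e.g. `/* log_passwd: also record keystrokes typed with ECHO off (password entry); the audit log then contains credentials and must be protected accordingly. */`. Separately, the `#warning` in the `#else` branch fires on every build whose headers lack the member, duplicating the AC_MSG_WARN that the configure.in hunk already emits, and `#warning` is a compiler extension rather than C11; the runtime `pam_syslog` at LOG_WARNING, which only fires when an administrator actually configures the option, is the useful half and could stand alone. The parsing loop this `else if` belongs to starts before the hunk and the enclosing pam_sm_open_session continues past it.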
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;
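Review bot: The `#ifdef`/`#endif` pair placed inside the `if (...)` condition, between `old_status->enabled == new_status.enabled` and the closing `)`, is hard to read and easy to break when the condition is next edited; computing the "nothing to change" result into a local first keeps the preprocessor out of the expression and makes the fast path (`open_only = 1; goto ok_fd;`) read as one statement. Functionally the hunk is right: `new_status.log_passwd` is assigned unconditionally from the parsed option, so an earlier module instance's setting is cleared the same way `enabled` is, and a session that changes only `log_passwd` no longer takes the early exit. The rewrite below needs an `int unchanged;` declared with the other locals at the top of pam_sm_open_session, which lies outside this hunk.
```c
  new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
  unchanged = old_status->enabled == new_status.enabled;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
  new_status.log_passwd = log_passwd;
  unchanged = unchanged && old_status->log_passwd == new_status.log_passwd;
#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
  if (unchanged)
  /* … unchanged: open_only = 1; goto ok_fd; … */
```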