[kbd] [PATCH 1/3] vlock: implement PAM account and password management

Dmitry V. Levin ldv at altlinux.org
Mon Nov 25 01:48:12 MSK 2013


There seems to be a tradition for lockers to implement PAM account and
password management (account validation, changing expired passwords,
refreshing credentials) like login programs do.

Note that vlock may or may not need extra credentials to do account
and password management depending on the authentication scheme in use.

For example, in case of the tcb password shadowing scheme implemented
by pam_tcb, to authenticate the user, vlock should be installed as a
SGID-chkpwd executable to access tcb_chkpwd helper (which in turn is
usually installed as a more privileged SGID-shadow executable).  To
perform account and password management, vlock should be installed as
a SGID-shadow executable itself (like passwd utility with the tcb
password shadowing scheme).

In case of the traditional password shadowing scheme implemented by
pam_unix, vlock needs no extra privileges to authenticate the user
(because of no restrictions to access unix_chkpwd helper), but should
be installed as a SUID-root executable to perform account and password
management (like passwd utility with the traditional password
shadowing scheme).

Fixes RH#913311.
---
 src/vlock/auth.c     | 38 +++++++++++++++++++++++++++++++++++++-
 src/vlock/vlock.pamd |  2 ++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/src/vlock/auth.c b/src/vlock/auth.c
index 71c8f15..cac877c 100644
--- a/src/vlock/auth.c
+++ b/src/vlock/auth.c
@@ -4,7 +4,7 @@
   PAM authentication routine for vlock, the VT locking program for linux.
 
   Copyright (C) 1994-1998 Michael K. Johnson <johnsonm at redhat.com>
-  Copyright (C) 2002, 2005 Dmitry V. Levin <ldv at altlinux.org>
+  Copyright (C) 2002, 2005, 2013 Dmitry V. Levin <ldv at altlinux.org>
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -36,6 +36,25 @@
 /* Unrecognized PAM error timeout. */
 #define	ERROR_TIMEOUT	10
 
+static int
+do_account_password_management (pam_handle_t *pamh)
+{
+	int rc;
+
+	/* Whether the authenticated user is allowed to log in? */
+	rc = pam_acct_mgmt (pamh, 0);
+
+	/* Do we need to prompt the user for a new password? */
+	if (rc == PAM_NEW_AUTHTOK_REQD)
+		rc = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+
+	/* Extend the lifetime of the existing credentials. */
+	if (rc == PAM_SUCCESS)
+		rc = pam_setcred (pamh, PAM_REFRESH_CRED);
+
+	return rc;
+}
+
 int
 get_password (pam_handle_t * pamh, const char *username, const char *tty)
 {
@@ -84,6 +103,23 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
 		switch (rc)
 		{
 			case PAM_SUCCESS:
+				rc = do_account_password_management (pamh);
+
+				if (rc != PAM_SUCCESS)
+				{
+					/*
+					 * The user was authenticated but
+					 * either account or password management
+					 * returned an error.
+					 */
+					printf ("%s.\n\n\n",
+						pam_strerror (pamh, rc));
+					fflush (stdout);
+					pam_end (pamh, rc);
+					pamh = 0;
+					break;
+				}
+
 				pam_end (pamh, rc);
 				/* Log the fact of console unlocking. */
 				syslog (LOG_NOTICE,
diff --git a/src/vlock/vlock.pamd b/src/vlock/vlock.pamd
index b9d1c18..2e33786 100644
--- a/src/vlock/vlock.pamd
+++ b/src/vlock/vlock.pamd
@@ -1,2 +1,4 @@
 #%PAM-1.0
 auth     include	system-auth
+account  include	system-auth
+password include	system-auth


-- 
ldv


More information about the kbd mailing list