Tomas Mraz [Mon, 14 Oct 2019 14:52:46 +0000 (16:52 +0200)]
pam_unix: Add logging useful for debugging problems
Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.
The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
D() macro calls which are not enabled on production builds with
regular pam_syslog() calls.
Add support for a vendor directory and libeconf (#136)
With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where Linux-PAM should additional look
for pam.d/*, login.defs and securetty if this files are not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.
----- begin /etc/security/limits.d/fsize.conf -----
* soft fsize 1710
* hard fsize 1710
----- end /etc/security/limits.d/fsize.conf -----
# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
# su - user1
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
$ exit
# id user2
uid=60000(user2) gid=60000(user2) groups=60000(user2)
# su - user2
File size limit exceeded
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
In order to fix this, and an 'unlimited' option, which leads to saving
the 'fsize' limit and set it to unlimited before writing lastlog. After
that, restore the saved value. If 'fsize' is already unlimited nothing
is done.
Failing to set the 'fsize' limit is not a fatal error. With luck the
configured limit will suffice, so we try to write lastlog anyway, even
under the risk of dying due to a SIGXFSZ.
Failing to restore the 'fsize' limit is a fatal error, since we don't
want to keep it unlimited.
Signed-off-by: Carlos Santos <casantos@redhat.com>
This man page contained the incorrect statement that setting the
PAM_FAIL_DELAY item to NULL would disable any form of delay on
authentication failure.
I removed the incorrect statement and added a paragraph explaining
how an application should properly avoid delays.
Matt Cowell [Thu, 29 Aug 2019 21:36:35 +0000 (16:36 -0500)]
pwhistory: fix read of uninitialized data and memory leak when modifying opasswd
The glibc implementation of getline/getdelim does not guarantee a NUL
terminator in lineptr if getline returns failure (-1). This occurs when
the opasswd file exists but is empty. Since strdup is called
immediately afterwards, this causes strdup to read uninitialized memory
and possibly buffer overrun / crash.
This also fixes a memory leak which always occurs when reading the last
line of the opasswd file. Since the strdup is called before checking
the return code from getline, getdelim, or fgets+strlen, it will
duplicate and never free either:
- The last successfully read line (for getline or getdelim)
- Uninitialized data (if the file is empty)
- A 0 byte string (for fgets+strlen)
Fix by always checking the return code of getline, getdelim, or
fgets+strlen before calling strdup.
If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
appropriately.
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
Florian Best [Wed, 26 Jun 2019 11:49:23 +0000 (13:49 +0200)]
Trim password at PAM_MAX_RESP_SIZE chars
Issue #118: Protect against Denial of Service attacks.
To prevent hashsum generation via crypt of very long passwords the
password is now stripped to 512 characters. This is equivalent behavior
to unix_chkpwd.
Olaf Mandel [Thu, 23 May 2019 16:09:44 +0000 (16:09 +0000)]
pam_succeed_if: Request user data only when needed
Allow for conditions that just check the user field to also work for
users not known to the system. Before this caused a PAM_USER_UNKNOWN
even if no extra data for an existing user was needed. E.g.
auth sufficient pam_succeed_if.so user = NotKnownToSystem
modules/pam_succeed_if/pam_succeed_if.c (evaluate): Change the pwd
parameter to an input/output parameter. Lazily request pwd with
pam_modutil_getpwnam() if needed and return PAM_USER_UNKNOWN on failure.
modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Don't
request the pwd if !use_uid anymore and shift the output from audit to
after the evaluate() call. Also make sure not to give the normal failure
message if the lazy pwd loading failed.
pam_tally2 does fsync() after writing to a tally file.
This causes hard drive cache flushes on every failed SSH login on many
(if not most) filesystems.
And an internet-exposed machine can have a lot of these failed logins.
This operation however doesn't seem to be necessary - the pam_tally2
module does not do any operation which would need explicit post-crash
ordering, it just does simple file reads and writes.
And doing a fsync() after them doesn't close any race if the system happens
to crash between a write being posted and its fsync() completion.
Let's remove this operation to get rid of all these extra cache flushes.
Christopher Head [Wed, 26 Sep 2018 04:52:04 +0000 (21:52 -0700)]
Fix documentation for pam_wheel
By default, pam_wheel checks for applicant membership in the wheel group
for *all* access requests, regardless of whether the target user is root
or non-root. Only if root_only is provided does it limit the membership
check to cases when the target user is root. Update the documentation to
reflect this.
Nir Soffer [Sat, 5 Jan 2019 22:36:27 +0000 (00:36 +0200)]
pam_lastlog: Respect PAM_SILENT flag
pam_lastlog module will not log info about failed login if the session
was opened with PAM_SILENT flag.
Example use case enabled by this change:
sudo --non-interactive program
If this command is run by another program expecting specific output from
the command run by sudo, the unexpected info about failed logins will
break this program.
* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
(_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
Tomas Mraz [Fri, 4 Jan 2019 11:36:13 +0000 (12:36 +0100)]
Fix regressions from the last commits.
* configure.ac: Test for logwtmp needs -lutil in LIBS.
* modules/Makefile.am: Fix indentation of variable assignments causing
creation of incorrect Makefile.
Yousong Zhou [Wed, 17 Jun 2015 10:19:23 +0000 (18:19 +0800)]
build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
Tomas Mraz [Thu, 20 Dec 2018 12:59:25 +0000 (13:59 +0100)]
pam_motd: Cleanup the code and avoid unnecessary logging
The pam_motd module will not log if the default motd.d directories
are missing.
Also cleanup some code cleanliness issues and fix compilation
warnings.
* modules/pam_motd/pam_motd.c: Constification of constant strings.
(try_to_display_directory): Removed unused function.
(pam_split_string): Replace uint with unsigned int. Fix warnings.
(compare_strings): Fix warnings by proper constification.
(try_to_display_directories_with_overrides): Cleanups. Switch
off the logging if the motd.d directories are missing and they
are default ones.
(pam_sm_open_session): Cleanup warnings. Pass the information
to try_to_display_directories_with_overrides() that non-default
motd options are used.
Tomas Mraz [Tue, 11 Dec 2018 08:08:20 +0000 (09:08 +0100)]
pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
* modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the
LASTLOG_UID_MAX option.
* modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max().
(last_login_date): Check the uid against the get_lastlog_uid_max().
(pam_authenticate): Likewise.
Tomas Mraz [Mon, 10 Dec 2018 15:41:47 +0000 (16:41 +0100)]
Move the duplicated search_key function to pam_modutil.
* libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
* libpam/Makefile.am: Add the pam_modutil_searchkey.c.
* libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
* libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
* modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
pam_modutil_search_key().
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_unix/support.c: Likewise.
Tomas Mraz [Tue, 27 Nov 2018 15:11:03 +0000 (16:11 +0100)]
pam_unix: Use pam_syslog instead of helper_log_err.
* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
to verify_pwd_hash() call.
Björn Esser [Mon, 26 Nov 2018 21:33:17 +0000 (22:33 +0100)]
pam_unix: Report unusable hashes found by checksalt to syslog.
libxcrypt can be build-time configured to support (or not support)
various hashing methods. Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.
For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.
Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.
* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.
Björn Esser [Thu, 15 Nov 2018 15:57:35 +0000 (16:57 +0100)]
pam_unix: Add crypt_default method, if supported.
libxcrypt since v4.4.0 supports a default method for its
gensalt function on most system configurations. As the
default method is to be considered the strongest available
hash method, it should be preferred over all other hash
methods supported by pam.
pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.
* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
of disabled or invalid salt.
Björn Esser [Thu, 15 Nov 2018 15:38:05 +0000 (16:38 +0100)]
pam_unix: Add support for (gost-)yescrypt hashing methods.
libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.
* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.
Björn Esser [Thu, 15 Nov 2018 18:49:44 +0000 (19:49 +0100)]
pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
libxcrypt v4.3 has added the crypt_checksalt function to whether
the prefix at the begining of a given hash string refers to a
supported hashing method.
Future revisions of this function will add support to check whether
the hashing method, the prefix refers to, was disabled or considered
deprecated by the system's factory presets or system administrator.
Furthermore it will be able to detect whether the parameters, which
are used by the corresponding hashing method, being encoded in the
hash string are not considered to be strong enough anymore.
*modules/pam_unix/passverify.c: Add support for crypt_checksalt.
Robert Fairley [Wed, 21 Nov 2018 07:46:02 +0000 (02:46 -0500)]
pam_motd: Fix segmentation fault when no motd_dir specified (#76)
This fixes a regression introduced by #69, where motd_path was set
to NULL and passed into strdup() if the motd_dir argument was
not specified in the configuration file. This caused a segmentation
fault.
* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
* xtests/Makefile.am: add test scripts and config file
* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
* xtests/tst-pam_motd4.pamd: create
* xtests/tst-pam_motd4.sh: create
Robert Fairley [Mon, 19 Nov 2018 08:00:16 +0000 (03:00 -0500)]
pam_motd: Support multiple motd paths specified, with filename overrides (#69)
Adds specifying multiple paths to motd files and motd.d
directories to be displayed. A colon-separated list of
paths is specified as arguments motd and motd_dir to the
pam_motd module.
This gives packages several options to install motd files to.
By default, the paths are, with highest priority first:
/etc/motd
/run/motd
/usr/lib/motd
/etc/motd.d/
/run/motd.d/
/usr/lib/motd.d/
Which is equivalent to the following arguments:
motd=/etc/motd:/run/motd:/usr/lib/motd
motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d
Files with the same filename in a lower-priority directory,
as specified by the order in the colon-separated list, are
overridden, meaning PAM will not display them.
This allows a package to contain motd files under
/usr/lib instead of the host configuration in /etc.
A service may also write a dynamically generated motd in
/run/motd.d/ and have PAM display it without needing a
symlink from /etc/motd.d/ installed.
Björn Esser [Thu, 15 Nov 2018 14:01:57 +0000 (15:01 +0100)]
pam_unix: Use bcrypt b-variant for computing new hashes.
Bcrypt hashes used the "$2a$" prefix since 1997.
However, in 2011 an implementation bug was discovered in bcrypt
affecting the handling of characters in passphrases with the 8th
bit set.
Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
for a behavior that exactly matches crypt_blowfish's "$2y$", and
the crypt_blowfish implementation supports it as well since v1.1.
That said new computed bcrypt hashes should use the "$2b$" prefix.
* modules/pam_unix/passverify.c: Use bcrypt b-variant.
Dmitry V. Levin [Fri, 22 Jun 2018 10:21:22 +0000 (10:21 +0000)]
pam_tally, pam_tally2: fix grammar and spelling (#54)
* modules/pam_tally/pam_tally.c (tally_check): Replace
"Account is temporary locked" with "The account is temporarily locked"
in translated messages.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* po/Linux-PAM.pot: Update pam_tally and pam_tally2 messages.
Dmitry V. Levin [Tue, 19 Jun 2018 00:00:00 +0000 (00:00 +0000)]
Fix grammar of messages printed via pam_prompt
Turn into proper sentences those messages that are printed without
further modifications using pam_prompt in contexts where proper
sentences are expected.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
of the message passed to pam_error.
* modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
grammar of error messages passed to pam_error.
* modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
passed to pam_info.
* modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
* modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
grammar of messages passed to pam_prompt.
* modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
passed to pam_info.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
of messages passed to _make_remark.
* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
pam_sm_chauthtok): Likewise.
* po/Linux-PAM.pot: Regenerate.
Dmitry V. Levin [Tue, 19 Jun 2018 00:00:00 +0000 (00:00 +0000)]
pam_stress: do not mark messages for translation
pam_stress is not a regular module that needs to be translated.
Besides that, its messages are not easy to understand
and even harder to translate properly.
* modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Do not mark
messages for translation.
* po/Linux-PAM.pot: Remove pam_stress messages.
Dmitry V. Levin [Wed, 8 Nov 2017 23:58:58 +0000 (23:58 +0000)]
pam_tally2 --reset: avoid creating a missing tallylog file
There is no need for pam_tally2 in --reset=0 mode to create a missing
tallylog file because its absence has the same meaning as its existence
with the appropriate entry reset.
This was not a big deal until useradd(8) from shadow suite release 4.5
started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
configuration.
The positive effect of this change is noticeable when using tools like
cpio(1) that cannot archive huge sparse files efficiently.
* modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
cline_filename when cline_reset == 0, exit early if the file is missing.
Tomas Mraz [Mon, 9 Oct 2017 15:37:56 +0000 (17:37 +0200)]
pam_tty_audit: Fix regression introduced by adding the uid range support.
* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
remove unneeded code carried from pam_limits.
(pam_sm_open_session): When multiple enable/disable options are present do not
stop after first match.
Tomas Mraz [Wed, 28 Jun 2017 13:52:16 +0000 (15:52 +0200)]
pam_tty_audit: Support matching users by uid range.
* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
parse the uid range.
(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.
Tomas Mraz [Wed, 31 May 2017 08:27:28 +0000 (10:27 +0200)]
pam_access: support parsing files in /etc/security/access.d/*.conf
* modules/pam_access/pam_access.c (login_access): Return NOMATCH if
there was no match in the parsed file.
(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
subdirectory and call login_access() on the individual files matched.
* modules/pam_access/pam_access.8.xml: Document the addition.
* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.
Tomas Mraz [Mon, 17 Oct 2016 12:18:24 +0000 (14:18 +0200)]
pam_ftp: Properly use the first name from the supplied list
* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
of anonymous users if user name matches.
(pam_sm_authenticate): Free the returned value allocated in lookup().
Tomas Mraz [Thu, 30 Jun 2016 12:29:40 +0000 (14:29 +0200)]
Unification and cleanup of syslog log levels.
* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
with LOG_ERR.
* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
LOG_ERR.
* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
with LOG_NOTICE.
* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
LOG_CRIT, other errors LOG_ERR.
* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
with LOG_NOTICE, non-memory errors with LOG_ERR.
* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
LOG_ERR.
* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
LOG_CRIT.
* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
other errors LOG_ERR.
* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
max retries ignorance by application likewise.
* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
with LOG_NOTICE.
* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.
Dmitry V. Levin [Tue, 14 Jun 2016 23:03:13 +0000 (23:03 +0000)]
pam_timestamp: fix typo in strncmp usage
Before this fix, a typo in check_login_time resulted to ruser and
struct utmp.ut_user being compared by the first character only,
which in turn could lead to a too low timestamp value being assigned
to oldest_login, effectively causing bypass of check_login_time.
* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
in strncmp usage.
Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
Tomas Mraz [Thu, 14 Apr 2016 15:48:03 +0000 (17:48 +0200)]
Project registered at Zanata (fedora.zanata.org) for translations.
* zanata.xml: Configuration file for zanata client.
* po/LINGUAS: Update languages as supported by Zanata.
* po/Linux-PAM.pot: Updated from sources.
* po/*.po: Updated from sources.
Tomas Mraz [Wed, 6 Apr 2016 11:52:21 +0000 (13:52 +0200)]
pam_get_authtok(): Add authtok_type support to current password prompt.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password,
use different prompt for current password allowing for authtok_type to be
displayed to the user.
Thorsten Kukuk [Wed, 23 Mar 2016 10:16:55 +0000 (11:16 +0100)]
Remove YP dependencies from pam_access, they were never used
and such not needed.
* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
it will never be used.