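diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry 2016-03-03 09:58:52.677684261 +0100
+++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c 2016-03-03 09:58:52.712685101 +0100
@@ -244,6 +244,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
 } else
 retval = check_shadow_expiry(pamh, spent, &daysleft);
 
+ if (on(UNIX_NO_PASS_EXPIRY, ctrl)) {
+ const void *pretval = NULL;
+ int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */
+
+ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ && pretval)
+ authrv = *(const int *)pretval;
+
+ if (authrv != PAM_SUCCESS
+ && (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED))
+ retval = PAM_SUCCESS;
+ }
+
 switch (retval) {
 case PAM_ACCT_EXPIRED:
 pam_syslog(pamh, LOG_NOTICE,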
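Review bot: The waiver at `retval = PAM_SUCCESS` inside the new `on(UNIX_NO_PASS_EXPIRY, ctrl)` block leaves no trace in syslog, so an expired or must-change password that is being let through is invisible to anyone auditing the host, while the unchanged `switch (retval)` below still logs the other outcomes. I would log it where the override happens, e.g. `pam_syslog(pamh, LOG_NOTICE, "password expiry ignored (no_pass_expiry): pam_unix did not authenticate");` before the assignment, turning the two-line `if` into a braced block. Note also that the default `authrv = PAM_AUTHINFO_UNAVAIL` cannot distinguish "pam_unix auth was not stacked" from "pam_unix auth ran but did not record its result" (the `ret_data` allocation in pam_unix_auth.c is unchecked), so both cases take the waiver; a comment on that line saying this is intended would help. pam_sm_acct_mgmt begins before and continues after this hunk.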
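diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c
--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c 2016-03-03 09:58:52.712685101 +0100
@@ -82,14 +82,13 @@
 
 #define AUTH_RETURN \
 do { \
- if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \
+ if (ret_data) { \
 D(("recording return code for next time [%d]", \
 retval)); \
 *ret_data = retval; \
 pam_set_data(pamh, "unix_setcred_return", \
 (void *) ret_data, setcred_free); \
- } else if (ret_data) \
- free (ret_data); \
+ } \
 D(("done. [%s]", pam_strerror(pamh, retval))); \
 return retval; \
 } while (0)
@@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
 ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
 
 /* Get a few bytes so we can pass our return value to
- pam_sm_setcred(). */
- if (on(UNIX_LIKE_AUTH, ctrl))
- ret_data = malloc(sizeof(int));
+ pam_sm_setcred() and pam_sm_acct_mgmt(). */
+ ret_data = malloc(sizeof(int));
 
 /* get the user'name' */
 
@@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh,
 */
 
 int
-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
+pam_sm_setcred (pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
 {
 int retval;
 const void *pretval = NULL;
+ unsigned int ctrl;
 
 D(("called."));
 
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+
 retval = PAM_SUCCESS;
 
 D(("recovering return code from auth call"));
 /* We will only find something here if UNIX_LIKE_AUTH is set --
 don't worry about an explicit check of argv. */
- if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ if (on(UNIX_LIKE_AUTH, ctrl)
+ && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
 && pretval) {
 retval = *(const int *)pretval;
 pam_set_data(pamh, "unix_setcred_return", NULL, NULL);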
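Review bot: `ret_data = malloc(sizeof(int));` in the second hunk now runs unconditionally but its result is still unchecked, and on failure `AUTH_RETURN`'s `if (ret_data)` silently records nothing; with `no_pass_expiry` the account module then finds no "unix_setcred_return" item and treats the authentication as not performed by pam_unix, so an allocation failure ends up waiving password expiry. Failing closed is safer: `if (ret_data == NULL) { pam_syslog(pamh, LOG_CRIT, "out of memory"); return PAM_BUF_ERR; }` — nothing acquired before that line is visible in the hunk, but confirm there is nothing to release. Separately, the comment "We will only find something here if UNIX_LIKE_AUTH is set" in the last hunk is stale now that the value is always recorded and the `on(UNIX_LIKE_AUTH, ctrl)` test is explicit; rewording it to "The auth return code is always recorded; honour it only when like_auth is set" keeps it accurate. Both pam_sm_authenticate and pam_sm_setcred extend beyond the hunks shown.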
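diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml
--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry 2016-03-03 09:58:52.710685053 +0100
+++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml 2016-03-03 09:58:52.712685101 +0100
@@ -346,6 +346,25 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_pass_expiry</option>
+ </term>
+ <listitem>
+ <para>
+ When set ignore password expiration as defined by the
+ <emphasis>shadow</emphasis> entry of the user. The option has an
+ effect only in case <emphasis>pam_unix</emphasis> was not used
+ for the authentication or it returned authentication failure
+ meaning that other authentication source or method succeeded.
+ The example can be public key authentication in
+ <emphasis>sshd</emphasis>. The module will return
+ <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual
+ <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or
+ <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>.
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 <para>
 Invalid arguments are logged with <citerefentry>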
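diff -up Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry Linux-PAM-1.1.8/modules/pam_unix/support.h
--- Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry 2016-03-03 09:58:52.712685101 +0100
+++ Linux-PAM-1.1.8/modules/pam_unix/support.h 2016-03-03 10:00:31.642061166 +0100
@@ -97,8 +97,9 @@ typedef struct {
 password hash algorithms */
 #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
 #define UNIX_MIN_PASS_LEN 27 /* min length for password */
+#define UNIX_NO_PASS_EXPIRY 28 /* Don't check for password expiration if not used for authentication */
 /* -------------- */
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
 
 #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
 
@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
 /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
 /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
 /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
 };
 
 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)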
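Review bot: The new `no_pass_expiry` entry takes flag bit `02000000000` while the preceding `minlen=` entry uses `0400000000`, which leaves `01000000000` unused between them; if that bit is deliberately reserved (for instance to keep the value identical to another version of this table) a short comment on the new line would stop the next reader from treating it as a free slot or a typo. The table position 28 does line up with the `UNIX_NO_PASS_EXPIRY 28` define and the `UNIX_CTRLS_ 29` bump in the first hunk, so positional consistency is fine. The value still fits the `unsigned int ctrl` that pam_unix_auth.c declares.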