rpms / pam

Clone
Source Code
GIT

Blame SOURCES/pam-1.3.1-authtok-verify-fix.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   387ec09dd1ac93368355c06315bcdf9c701e677d
  2.   SOURCES
  3.   pam-1.3.1-authtok-verify-fix.patch
Blob History Raw
43d219 
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
43d219 
From: Tomas Mraz <tmraz@fedoraproject.org>
43d219 
Date: Wed, 7 Aug 2019 12:22:55 +0200
43d219 
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
43d219
43d219 
If password was already verified by previous modules in the stack
43d219 
it does not need to be verified by pam_get_authtok_verify either.
43d219
43d219 
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
43d219 
  appropriately.
43d219 
  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
43d219 
  set it when the password is verified.
43d219 
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
43d219 
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
43d219 
---
43d219 
 libpam/pam_get_authtok.c | 10 ++++++++++
43d219 
 libpam/pam_private.h     |  1 +
43d219 
 libpam/pam_start.c       |  1 +
43d219 
 3 files changed, 12 insertions(+)
43d219
43d219 
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
43d219 
index 800c6e5..99eb25f 100644
43d219 
--- a/libpam/pam_get_authtok.c
43d219 
+++ b/libpam/pam_get_authtok.c
43d219 
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
43d219 
     }
43d219 
   else if (chpass)
43d219 
     {
43d219 
+      pamh->authtok_verified = 0;
43d219 
+
43d219 
       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
43d219 
 			   PROMPT1, authtok_type,
43d219 
 			   strlen (authtok_type) > 0?" ":"");
43d219 
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
43d219 
   if (retval != PAM_SUCCESS)
43d219 
     return retval;
43d219
43d219 
+  if (chpass > 1)
43d219 
+    pamh->authtok_verified = 1;
43d219 
+
43d219 
   return pam_get_item(pamh, item, (const void **)authtok);
43d219 
 }
43d219
43d219 
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
43d219 
   if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
43d219 
     return PAM_SYSTEM_ERR;
43d219
43d219 
+  if (pamh->authtok_verified)
43d219 
+    return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
43d219 
+
43d219 
   if (prompt != NULL)
43d219 
     {
43d219 
       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
43d219 
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
43d219 
   if (retval != PAM_SUCCESS)
43d219 
     return retval;
43d219
43d219 
+  pamh->authtok_verified = 1;
43d219 
+
43d219 
   return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
43d219 
 }
43d219 
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
43d219 
index 7ff9f75..58a26f5 100644
43d219 
--- a/libpam/pam_private.h
43d219 
+++ b/libpam/pam_private.h
43d219 
@@ -172,6 +172,7 @@ struct pam_handle {
43d219 
 #ifdef HAVE_LIBAUDIT
43d219 
     int audit_state;             /* keep track of reported audit messages */
43d219 
 #endif
43d219 
+    int authtok_verified;
43d219 
 };
43d219
43d219 
 /* Values for select arg to _pam_dispatch() */
43d219 
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
43d219 
index 328416d..e27c64b 100644
43d219 
--- a/libpam/pam_start.c
43d219 
+++ b/libpam/pam_start.c
43d219 
@@ -94,6 +94,7 @@ int pam_start (
43d219 
 #endif
43d219 
     (*pamh)->xdisplay = NULL;
43d219 
     (*pamh)->authtok_type = NULL;
43d219 
+    (*pamh)->authtok_verified = 0;
43d219 
     memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
43d219
43d219 
     if (((*pamh)->pam_conversation = (struct pam_conv *)
43d219 
--
43d219 
2.20.1
43d219

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation