Bug 80874

Summary: RFE: [PATCH] pam_console local-once-passwd
Product: [Retired] Red Hat Linux
Reporter: Jan Kratochvil <jan>
Component: pam
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: Jay Turner <jturner>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.0
CC: mitr, srevivo
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2003-07-20 06:33:49 UTC
Attachments:
Implements 'johanka' option for pam_console (flags: none)

Description Jan Kratochvil 2003-01-01 16:48:13 UTC
Description of enhancement:
Everything is restricted on local physical access only:

If user 'foo' is already logged on local console it should not be required to
enter the password to login for 'foo' on another local console - the original
console is already accessible for any fraud anyway.

Leaving console with any user running "exec top s" will be no longer safe with
this feature in effect - it should NEVER be default!


Steps for The Show:
1. /etc/pam.d/system-auth line before pam_unix.so:
    auth sufficient /lib/security/$ISA/pam_console.so johanka
2. Login on local console as user 'foo' - enter password.
3. Login on local console as user 'foo' - no password required.
4. Login on local console as user 'bar' - enter password.

Comment 1 Jan Kratochvil 2003-01-01 16:52:30 UTC
Created attachment 89036
Implements 'johanka' option for pam_console

Implements option 'johanka' for pam_console.

Modifies 'session' handling to track /var/run/console/$username file even for
the user 'root'.

AFAIK the patch should have no side effects as long as 'johanka' option is not
used.
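
An audit check for the configuration in step 1 of the description, added here as an example (it is not part of the report or of the attached patch): it parses a `/etc/pam.d` style file and reports every `auth` rule that loads `pam_console.so` with the `johanka` option proposed in this report, noting whether it precedes `pam_unix.so`. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample of /etc/pam.d/system-auth, laid out as in step 1 of the report.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_console.so johanka
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
session     optional      /lib/security/$ISA/pam_console.so
"""

# type, control (one word or a bracketed [value=action ...] list), module, options
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Yield (lineno, type, control, module basename, options) for each rule.

    Handles the /etc/pam.d layout (no leading service field); backslash
    line continuations are not joined.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.match(line)
        if m:
            mtype, control, module, opts = m.groups()
            yield (lineno, mtype.lstrip("-"), control,
                   module.rsplit("/", 1)[-1], opts.split())


def find_console_option_rules(text, option="johanka"):
    """Return (lineno, control, before_pam_unix) for each auth rule that
    loads pam_console.so with `option` (the option named in this report)."""
    hits, seen_unix = [], False
    for lineno, mtype, control, module, opts in parse_pam(text):
        if mtype != "auth":
            continue
        if module == "pam_unix.so":
            seen_unix = True
        elif module == "pam_console.so" and option in opts:
            hits.append((lineno, control, not seen_unix))
    return hits


if __name__ == "__main__":
    for lineno, control, early in find_console_option_rules(SAMPLE_SYSTEM_AUTH):
        where = "before" if early else "after"
        print(f"line {lineno}: auth {control} pam_console.so johanka ({where} pam_unix.so)")
```

A hit with control `sufficient` placed before `pam_unix.so` is the arrangement from the report, where a second local login for an already logged-in user succeeds without a password prompt.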