From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040923

Description of problem:
My users often work on several virtual consoles (and gdm) simultaneously. Thus they want to log in with a password only once. At first sight the most suitable decision would be to use the existing pam_console module for "auth". However, when invoked under root (because "/bin/login" runs under root), pam_console behaves as "pam_rootok", and anyone logs in even without a password prompt. The "pam_rootok" behaviour is not obligatory, and there is even a comment on it in the source.

I have made a patch which cleans out the "pam_rootok" stuff and allows pam_console to be useful when invoked under root. The idea is that if "getuid() == 0" we obtain the user name by a pam_get_user() call instead. But we must make sure it is the local physical console. Otherwise a remote user can log in without the password when someone already sits at the console. We can check this by inspecting whether PAM_RHOST is set or not. Both /bin/login (under telnetd) and /usr/bin/gdm set PAM_RHOST for remote invocations (/bin/login -- source check and test by me, gdm -- source check only). But I have not found anything similar for kdm/xdm. Therefore the new pam_console cannot be used with kdm/xdm when they allow remote logins.

The patched pam_console has worked for us for one month without a problem. I hope this patch may be applied to mainstream. The kdm and xdm case is not an issue, because the patch in no way worsens the current pam_console behaviour. (Currently, if we use pam_console for login, anyone can log in without a password :-) ). Deleting the "pam_rootok"-like code does nothing for current applications (i.e. halt, reboot), because there are explicit pam_rootok.so specifications in the pam configs for all of them.
Version-Release number of selected component (if applicable):
pam-0.77-65

How reproducible:
Always

Steps to Reproduce:
Our /etc/pam.d/login as an example of the new functionality:

    #%PAM-1.0
    auth       required     pam_securetty.so
    # this line is added...
    auth       sufficient   pam_console.so
    auth       required     pam_stack.so service=system-auth
    auth       optional     pam_ssh.so try_first_pass
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    session    optional     pam_ssh.so

Actual Results:
Currently, anyone logs in even without a password prompt.

Expected Results:
For the first console login, a password should be asked. The next additional logins should not ask for the password.

Additional info:
Created attachment 106017: enhance pam_console authentication when invoked under root (super user)
I will accept this patch for FC4, it seems to be reasonable, thanks. Even better if you wrote a few words to pam_console.8 manpage which would describe the functionality of pam_console for "auth".
Created attachment 106076: accompanying patch for pam_console.8
It describes the "auth" stuff (which was missing), with the new enhancements...
Thank you for your very fine patches.