Bug 137802 - pam_console authentication when invoked under root
Product: Fedora
Classification: Fedora
Component: pam
Platform: All Linux
Severity: medium
Assigned To: Tomas Mraz
Keywords: EasyFix, FutureFeature
Reported: 2004-11-01 10:24 EST by Dmitry Butskoy
Modified: 2007-11-30 17:10 EST
Doc Type: Enhancement
Last Closed: 2004-11-25 09:59:22 EST

Attachments
enhance pam_console authentication when invoked under root (super user) (1.93 KB, patch)
2004-11-01 10:27 EST, Dmitry Butskoy
accompanied patch for pam_console.8 (1.72 KB, patch)
2004-11-02 12:48 EST, Dmitry Butskoy
Description Dmitry Butskoy 2004-11-01 10:24:50 EST

Description of problem:

  My users often work on several virtual consoles (and gdm)
simultaneously. Thus they want to log in with a password only once.
  At first sight the most suitable decision would be to use the existing
pam_console module for "auth". However, when invoked under root
(because "/bin/login" runs under root), pam_console behaves as
"pam_rootok", and anyone logs in even without a password prompt.
The "pam_rootok" behaviour is not obligatory, and there is even a comment
on it in the source.

  I have made a patch which cleans out the "pam_rootok" stuff and allows
pam_console to be useful when invoked under root.

  The idea is if "getuid() == 0" we obtain user name by pam_get_user()
call instead.
  But we must make sure it is local physical console. Otherwise a
remote user can login without the password when already someone sits
at the console. We can check this inspecting whether PAM_RHOST is set
or not.
  Both /bin/login (under telnetd) and /usr/bin/gdm set PAM_RHOST for
remote invocations. (/bin/login -- source check and test by me, gdm --
source check only). But I have not found anything similar for kdm/xdm.
Therefore the new pam_console cannot be used with kdm/xdm when they
allow remote logins.

 The patched pam_console has worked for us for one month without a
problem. I hope this patch may be applied to mainstream.
 The kdm and xdm case is not an issue, because the patch in no way
worsens the current pam_console behaviour. (Currently, if we
use pam_console for login, anyone can log in without a password :-) ).
 Deleting the "pam_rootok"-like code does nothing for current
applications (i.e. halt, reboot), because there are explicit
pam_rootok.so specifications in the pam configs for all of them.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Our /etc/pam.d/login as an example of new functionality:

auth       required     pam_securetty.so
# this line is added...
auth       sufficient   pam_console.so
auth       required     pam_stack.so service=system-auth
auth       optional     pam_ssh.so try_first_pass
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    optional     pam_ssh.so

Actual Results:    Currently, anyone logs in even without a password prompt

Expected Results:  For the first console login, a password should be
asked. The next additional logins should not ask for the password.

Additional info:
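A constructed C model of the two behaviours the report contrasts, added here and not taken from the attached patch or from pam_console itself: a stand-in struct replaces pam_handle_t, the console lock is represented by a single owner name, the user comes from PAM_USER (what pam_get_user() would return), and PAM_RHOST decides whether the login is local.

```c
/* Model of the pam_console "auth" decision before and after the patch.
 * Constructed example: the struct stands in for a PAM handle, the
 * "console_owner" field stands in for the console lock file contents. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct pam_ctx {                 /* constructed stand-in for pam_handle_t */
    uid_t caller_uid;            /* getuid() of the application calling PAM */
    const char *user;            /* PAM_USER, as pam_get_user() would return it */
    const char *rhost;           /* PAM_RHOST item; NULL when unset (local login) */
    const char *console_owner;   /* user recorded in the console lock; NULL if none */
};

static int owns_console(const struct pam_ctx *c, const char *user)
{
    return c->console_owner != NULL && user != NULL &&
           strcmp(c->console_owner, user) == 0;
}

/* Before the patch: uid 0 is treated like pam_rootok, so /bin/login
 * (which runs as root) succeeds for every user without any prompt. */
int auth_before(const struct pam_ctx *c)
{
    if (c->caller_uid == 0)
        return 1;
    return owns_console(c, c->user);   /* non-root path, modelled as owner check */
}

/* After the patch: root is no longer special. Take the user from PAM_USER,
 * refuse anything that carries PAM_RHOST (telnetd login, remote gdm), and
 * succeed only when that user already owns the local console. */
int auth_after(const struct pam_ctx *c)
{
    if (c->user == NULL || *c->user == '\0')
        return 0;
    if (c->rhost != NULL && *c->rhost != '\0')
        return 0;                      /* remote session: never piggyback */
    return owns_console(c, c->user);   /* first console login still prompts */
}

int main(void)
{
    struct pam_ctx first  = { 0, "alice", NULL, NULL };      /* first login */
    struct pam_ctx second = { 0, "alice", NULL, "alice" };   /* second VC */
    struct pam_ctx remote = { 0, "alice", "10.0.0.5", "alice" }; /* constructed host */
    printf("first login   before=%d after=%d\n", auth_before(&first), auth_after(&first));
    printf("second login  before=%d after=%d\n", auth_before(&second), auth_after(&second));
    printf("remote login  before=%d after=%d\n", auth_before(&remote), auth_after(&remote));
    return 0;
}
```

With "auth sufficient pam_console.so" placed before pam_stack.so, a return of 0 from auth_after simply falls through to the password modules, which is the "first login prompts, later logins do not" result the report expects.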
Comment 1 Dmitry Butskoy 2004-11-01 10:27:02 EST
Created attachment 106017
enhance pam_console authentication when invoked under root (super user)
Comment 2 Tomas Mraz 2004-11-01 11:38:30 EST
I will accept this patch for FC4, it seems to be reasonable, thanks.

Even better if you wrote a few words to pam_console.8 manpage which
would describe the functionality of pam_console for "auth".
Comment 3 Dmitry Butskoy 2004-11-02 12:48:53 EST
Created attachment 106076
accompanied patch for pam_console.8

It describes "auth" stuff (which was missing), with new enhancements...
Comment 4 Tomas Mraz 2004-11-02 13:01:44 EST
Thank you for your very fine patches.
