Red Hat Bugzilla – Bug 137802
pam_console authentication when invoked under root
Last modified: 2007-11-30 17:10:53 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Description of problem:
My users often work on several virtual consoles (and gdm)
simultaneously. Thus they want to log in with a password only once.
At first sight the most suitable decision would be to use the existing
pam_console module for "auth". However, when invoked under root
(because "/bin/login" runs under root), pam_console behaves as
"pam_rootok", and anyone logs in even without a password prompt.
The "pam_rootok" behaviour is not obligatory, and there is even a
comment on it in the source.
I have made a patch which cleans out the "pam_rootok" stuff and allows
pam_console to be useful when invoked under root.
The idea is that if "getuid() == 0" we obtain the user name by pam_get_user().
But we must make sure it is the local physical console. Otherwise a
remote user can log in without the password when someone already sits
at the console. We can check this by inspecting whether PAM_RHOST is set.
Both /bin/login (under telnetd) and /usr/bin/gdm set PAM_RHOST for
remote invocations (/bin/login -- source check and test by me, gdm --
source check only). But I have not found anything similar for kdm/xdm.
Therefore the new pam_console cannot be used with kdm/xdm when they
allow remote logins.
The patched pam_console has worked for us for one month without a
problem. I hope this patch may be applied to mainstream.
The kdm and xdm case is not an issue, because the patch in no way
worsens the current pam_console behaviour. (Currently, if we
use pam_console for login, anyone can log in without a password :-) ).
Deleting the "pam_rootok"-like code does nothing for current
applications (i.e. halt, reboot), because there are explicit
pam_rootok.so specifications in the pam configs for all of them.
Steps to Reproduce:
Our /etc/pam.d/login as an example of new functionality:
auth required pam_securetty.so
# this line is added...
auth sufficient pam_console.so
auth required pam_stack.so service=system-auth
auth optional pam_ssh.so try_first_pass
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session optional pam_ssh.so
Actual Results: Currently, anyone logs in even without a password prompt
Expected Results: For the first console login, a password should be
asked for. The next additional logins should not ask for the password.
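To make the two behaviours concrete, the following is a small Python model, added here and not the reporter's patch or the pam_console source, of the "auth" decision the report describes and of how the auth lines of the /etc/pam.d/login stack above react to it under Linux-PAM's required/sufficient/optional control semantics. The Request fields, the console_owners set standing in for the /var/run/console lock files, the hypothetical remote host 10.0.0.5, and the assumptions about pam_securetty, pam_nologin and the non-root caller branch are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed stand-ins for the PAM return codes this model needs.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"


@dataclass(frozen=True)
class Request:
    """Constructed view of the state a pam_console 'auth' call can observe."""
    caller_uid: int                 # getuid() of the process running the PAM stack
    pam_user: str                   # PAM_USER, what pam_get_user() returns
    pam_rhost: Optional[str]        # PAM_RHOST; login-under-telnetd and gdm set it for remote sessions
    console_owners: FrozenSet[str]  # users holding a console lock (/var/run/console/<user>), assumed
    password_ok: bool = True        # what system-auth would conclude if it asks for the password
    caller_user: str = "root"       # name of the calling uid; only matters for non-root callers


def pam_console_auth_original(req: Request) -> str:
    """Unpatched behaviour as the report describes it: a root caller is waved through."""
    if req.caller_uid == 0:
        return PAM_SUCCESS  # the pam_rootok-like shortcut
    # Non-root caller: assumed to require that the caller itself holds the console.
    return PAM_SUCCESS if req.caller_user in req.console_owners else PAM_AUTH_ERR


def pam_console_auth_patched(req: Request) -> str:
    """Patched behaviour as the report describes it: under root, use PAM_USER, refuse remote sessions."""
    if req.caller_uid == 0:
        if req.pam_rhost:
            return PAM_AUTH_ERR  # remote invocation: console state must never be trusted
        user = req.pam_user
    else:
        user = req.caller_user  # assumed unchanged for non-root callers
    return PAM_SUCCESS if user in req.console_owners else PAM_AUTH_ERR


# The auth section of the /etc/pam.d/login file quoted in the report.
AUTH_STACK = [
    ("required", "pam_securetty.so"),
    ("sufficient", "pam_console.so"),
    ("required", "pam_stack.so service=system-auth"),
    ("optional", "pam_ssh.so try_first_pass"),
    ("required", "pam_nologin.so"),
]


def run_login_auth(req: Request, console_auth: Callable[[Request], str]) -> Tuple[str, bool]:
    """Walk AUTH_STACK with simplified Linux-PAM control semantics.

    Returns (final result, whether system-auth got as far as prompting for a password).
    required: a failure is remembered but the stack continues; sufficient: success
    ends the stack early unless a required module already failed, failure is ignored;
    optional: ignored because the stack has other modules.
    """
    prompted = False
    failed_required = False
    for control, module in AUTH_STACK:
        if module == "pam_securetty.so":
            result = PAM_SUCCESS  # assumed: non-root target user, securetty imposes nothing
        elif module == "pam_console.so":
            result = console_auth(req)
        elif module.startswith("pam_stack.so"):
            prompted = True  # system-auth is where the password prompt happens
            result = PAM_SUCCESS if req.password_ok else PAM_AUTH_ERR
        elif module.startswith("pam_ssh.so"):
            result = PAM_IGNORE
        else:  # pam_nologin.so; assumed: /etc/nologin absent
            result = PAM_SUCCESS
        if control == "required" and result != PAM_SUCCESS:
            failed_required = True
        elif control == "sufficient" and result == PAM_SUCCESS and not failed_required:
            return PAM_SUCCESS, prompted
    return (PAM_AUTH_ERR if failed_required else PAM_SUCCESS), prompted


def scenarios() -> Dict[str, Dict[str, Tuple[str, bool]]]:
    """Constructed logins of user 'alice', run through both pam_console variants."""
    nobody = frozenset()
    alice_seated = frozenset({"alice"})
    cases = {
        "first_local": Request(0, "alice", None, nobody),
        "first_local_bad_password": Request(0, "alice", None, nobody, password_ok=False),
        "second_local": Request(0, "alice", None, alice_seated),
        "remote_telnet": Request(0, "alice", "10.0.0.5", alice_seated),  # hypothetical host
    }
    return {
        name: {
            "original": run_login_auth(req, pam_console_auth_original),
            "patched": run_login_auth(req, pam_console_auth_patched),
        }
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26} original={outcome['original']} patched={outcome['patched']}")
```

The model shows why "auth sufficient pam_console.so" placed before system-auth is only safe once the root-caller shortcut is gone: with the original module every run ends at pam_console with no prompt, including a remote telnet session and a wrong password, whereas the patched module only short-circuits for a local login by a user who already holds the console and falls through to system-auth otherwise.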
Created attachment 106017
enhance pam_console authentication when invoked under root (super user)
I will accept this patch for FC4; it seems reasonable, thanks.
It would be even better if you wrote a few words in the pam_console.8 manpage
describing the functionality of pam_console for "auth".
Created attachment 106076
accompanying patch for pam_console.8
It describes "auth" stuff (which was missing), with new enhancements...
Thank you for your very fine patches.