Red Hat Bugzilla – Bug 63806
rlogind ignores pam access denials
Last modified: 2015-03-04 20:10:36 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020326
Description of problem:
PAM provides a way for a PAM module to specify that this user doesn't currently
have access to the machine. However, it still allows the user to authenticate
with the login program. I know that it is in some ways debatable but giving
users this second chance to identify and authenticate themselves flies in the
face of the intention of PAM authentication.
The included patch fixes this problem. What it does is make it so that if PAM
responds saying that the user is not allowed to log in it will exit the rlogind
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. create a module which returns PAM_SUCCESS to pam_sm_authenticate and
PAM_PERM_DENIED to pam_sm_acct_mgmt
2. set up PAM to use the module
3. make sure that rsh is available.
4. try to log in using rsh
Actual Results: it prompts you for a login
Expected Results: It should tell you that the access is denied.
Created attachment 54445
patch to fix rsh so that it listens to pam's responses
Sounds like a good idea, patch looks sane, will most likely include it in the
next version of rsh.
Read ya, Phil
Included in rsh-0.17-17 and later.
Read ya, Phil
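The test module from step 1 of the steps to reproduce, written out as an added example; it is not the attached patch and not code from the reporter or the rsh package. The module name pam_denytest, the syslog tag and the header fallback are assumptions made for this sketch.

```c
/* pam_denytest.c - hypothetical test module: authentication succeeds,
 * account management is refused, so a PAM-aware service must deny access.
 * Build:  gcc -fPIC -shared -o pam_denytest.so pam_denytest.c
 * PAM config for the service under test (file name depends on the daemon):
 *   auth     required  pam_denytest.so
 *   account  required  pam_denytest.so
 */
#include <stddef.h>
#include <syslog.h>

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#if defined(__has_include)
#  if __has_include(<security/pam_modules.h>)
#    include <security/pam_modules.h>
#    define HAVE_PAM_HEADERS 1
#  endif
#endif
#ifndef HAVE_PAM_HEADERS
/* Fallback so the file compiles without the PAM development headers;
 * the values are those of Linux-PAM's _pam_types.h. */
typedef struct pam_handle pam_handle_t;
#  define PAM_SUCCESS     0
#  define PAM_PERM_DENIED 6
#endif

/* Log each hook so the tester can confirm from the logs that the service
 * really reached account management and saw the denial. */
static int report(const char *hook, int rc)
{
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "pam_denytest: %s -> %d", hook, rc);
    return rc;
}

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return report("authenticate", PAM_SUCCESS);
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return report("setcred", PAM_SUCCESS);
}

int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return report("acct_mgmt", PAM_PERM_DENIED);
}
```

A service that honors the account stack ends the session once acct_mgmt is logged; one that shows the behavior reported here goes on to a login prompt.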