Red Hat Bugzilla – Bug 80874
RFE: [PATCH] pam_console local-once-passwd
Last modified: 2015-01-07 19:02:41 EST
Description of enhancement: Everything is restricted on local physical access only: If user 'foo' is already logged on local console it should not be required to enter the password to login for 'foo' on another local console - the original console is alrady accessible for any fraud anyway. Leaving console with any user running "exec top s" will be no longer safe with this feature in effect - it should NEVER be default! Steps for The Show: 1. /etc/pam.d/system-auth line before pam_unix.so: auth sufficient /lib/security/$ISA/pam_console.so johanka 2. Login on local console as user 'foo' - enter password. 3. Login on local console as user 'foo' - no password required. 4. Login on local console as user 'bar' - enter password.
Created attachment 89036 [details] Implements 'johanka' option for pam_console Implements option 'johanka' for pam_console. Modifies 'session' handling to track /var/run/console/$username file even for the user 'root'. AFAIK the patch should have no sideeffects as long as 'johanka' option is not used.