Red Hat Bugzilla – Bug 80874
RFE: [PATCH] pam_console local-once-passwd
Last modified: 2015-01-07 19:02:41 EST
Description of enhancement:
Everything is restricted on local physical access only:
If user 'foo' is already logged on local console it should not be required to
enter the password to login for 'foo' on another local console - the original
console is already accessible for any fraud anyway.
Leaving console with any user running "exec top s" will no longer be safe with
this feature in effect - it should NEVER be default!
Steps for The Show:
1. /etc/pam.d/system-auth line before pam_unix.so:
auth sufficient /lib/security/$ISA/pam_console.so johanka
2. Login on local console as user 'foo' - enter password.
3. Login on local console as user 'foo' - no password required.
4. Login on local console as user 'bar' - enter password.
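Because the report itself says this option must never be the default, the useful defender-side artefact is an audit that flags it. The following is an added example, not code from the bug report or from the pam_console patch: it parses a PAM service file and reports any `auth` line that lets `pam_console.so` with the `johanka` option satisfy authentication before `pam_unix.so`, which is exactly the ordering step 1 above describes. The two service files embedded below are constructed for the example; the `johanka` option name and the `$ISA` module path come from the report.

```python
"""Audit a PAM service file for a pam_console 'johanka' (local-once-passwd)
line that short-circuits password authentication. Added example; the PAM
configurations below are constructed, not taken from any real system."""
import re
from dataclasses import dataclass


@dataclass
class PamLine:
    lineno: int
    facility: str   # auth, account, password, session
    control: str    # required, sufficient, requisite, optional, or [..] form
    module: str     # basename of the module, e.g. pam_unix.so
    args: list      # module arguments


# facility, control (simple keyword or bracketed [value=action ...]), module path, args
_LINE_RE = re.compile(
    r"^(?P<facility>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|[a-z_]+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text):
    """Parse a pam.d-style file into PamLine entries, ignoring comments and blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip trailing/whole-line comments
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue                             # tolerate lines we do not understand
        module = m.group("module").rsplit("/", 1)[-1]   # /lib/security/$ISA/x.so -> x.so
        args = (m.group("args") or "").split()
        entries.append(PamLine(n, m.group("facility").lstrip("-"),
                               m.group("control"), module, args))
    return entries


def find_passwordless_console_login(text):
    """Return findings for auth-stack pam_console lines carrying 'johanka'.

    A finding marks bypasses_password=True when the line is 'sufficient' and
    precedes pam_unix.so in the auth stack: a user already holding a local
    console then logs in again on another console without a password."""
    findings = []
    auth = [e for e in parse_pam(text) if e.facility == "auth"]
    unix_idx = next((i for i, e in enumerate(auth) if e.module == "pam_unix.so"), None)
    for i, e in enumerate(auth):
        if e.module != "pam_console.so" or "johanka" not in e.args:
            continue
        before_unix = unix_idx is None or i < unix_idx
        findings.append({
            "line": e.lineno,
            "control": e.control,
            "before_pam_unix": before_unix,
            "bypasses_password": e.control == "sufficient" and before_unix,
        })
    return findings


# Constructed system-auth as step 1 of the report would leave it.
RISKY_CONF = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_console.so johanka
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
"""

# Constructed stock configuration without the option.
DEFAULT_CONF = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_unix.so
"""

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("default", DEFAULT_CONF)):
        print(name, find_passwordless_console_login(conf))
```

Run against `/etc/pam.d/system-auth` (or `login`) by reading the file into `find_passwordless_console_login`; a finding with `bypasses_password` true is the configuration the report describes as unsafe for any console left with a user session running.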
Created attachment 89036 [details]
Implements 'johanka' option for pam_console
Implements option 'johanka' for pam_console.
Modifies 'session' handling to track /var/run/console/$username file even for
the user 'root'.
AFAIK the patch should have no side effects as long as 'johanka' option is not