[Pkg-shadow-devel] Bug#187921: marked as done (login: PAM service
for login is fixed.)
Debian Bug Tracking System
owner at bugs.debian.org
Wed Jan 11 18:20:28 UTC 2006
Your message dated Wed, 11 Jan 2006 18:24:41 +0100
with message-id <20060111172441.GF25709 at djedefre.onera>
and subject line Closing this bug report
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Ian Turner <vectro at pipeline.com>
To: Debian Bug Tracking System <maintonly at bugs.debian.org>
Subject: login: PAM service for login is fixed.
X-Mailer: reportbug 1.50
Date: Sun, 06 Apr 2003 17:03:56 -0700
Message-Id: <E192K7A-0007Z7-00 at crafter.house>
Package: login
Version: 1:4.0.3-7
Severity: wishlist
Tags: patch security
Hello,
The patch below adds a -s option (for root only) to login (1), when it
is compiled with PAM. This option specifies what PAM service should be
used.
This is useful, because it allows one to e.g., use different login rules
for telnet, ssh, and console. In particular, I don't want users to be
able to log in remotely with anything but S/KEY, but console login with
a password is OK.
This patch makes things more configurable, without compromising
security, since only root can use the option.
-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux crafter 2.4.19 #1 Fri Sep 27 18:25:53 PDT 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages login depends on:
ii libc6 2.3.1-16 GNU C Library: Shared libraries an
ii libpam-modules 0.76-9 Pluggable Authentication Modules f
ii libpam0g 0.76-9 Pluggable Authentication Modules l
diff -Naur shadow-4.0.3/src/login.c shadow-4.0.3-patch/src/login.c
--- shadow-4.0.3/src/login.c 2003-04-06 15:10:44.000000000 -0700
+++ shadow-4.0.3-patch/src/login.c 2003-04-06 15:29:49.000000000 -0700
@@ -93,6 +93,8 @@
#define PAM_END { retcode = pam_close_session(pamh,0); \
pam_end(pamh,retcode); }
+static const char* pam_service = "login";
+
#endif /* USE_PAM */
/*
@@ -123,6 +125,12 @@
#else
#define rflg 0
#endif
+#ifdef USE_PAM
+static int sflg = 0;
+#else
+#define sflg 0
+#endif
+
static int hflg = 0;
static int preauth_flag = 0;
@@ -185,15 +193,34 @@
* login -f name (for pre-authenticated login: datakit, xterm, etc.)
*/
-static void usage (void)
-{
+#ifdef USE_PAM
+static void usage_nonroot (void) {
+ fprintf (stderr, _("usage: %s [-p] [-s pam_service ] [name]\n"), Prog);
+}
+
+static void usage_root (void) {
+ fprintf (stderr, _(" %s [-p] [-s pam_service ] [-h host] [-f name]\n"), Prog);
+#ifdef RLOGIN
+ fprintf (stderr, _(" %s [-p] [-s pam_service ] -r host\n"), Prog);
+#endif
+}
+#else /* USE_PAM */
+static void usage_nonroot (void) {
fprintf (stderr, _("usage: %s [-p] [name]\n"), Prog);
- if (!amroot)
- exit (1);
+}
+static void usage_root (void) {
fprintf (stderr, _(" %s [-p] [-h host] [-f name]\n"), Prog);
#ifdef RLOGIN
fprintf (stderr, _(" %s [-p] -r host\n"), Prog);
#endif
+}
+#endif /* USE_PAM */
+
+static void usage (void)
+{
+ usage_nonroot();
+ if (amroot)
+ usage_root();
exit (1);
}
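Review bot: In the USE_PAM variant of usage_nonroot(), the usage line offers `[-s pam_service ]` to unprivileged callers, yet the later test `(rflg || fflg || hflg || sflg) && !amroot` refuses -s for anyone but root. Keep the non-root line as `[-p] [name]` and list -s only in usage_root(), and drop the stray space before `]`. The comment block above usage() that enumerates the accepted invocations is not updated for -s, and the diff touches only src/login.c, so the manual page needs the same addition.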
@@ -473,7 +500,7 @@
check_flags (argc, argv);
- while ((flag = getopt (argc, argv, "d:f:h:pr:")) != EOF) {
+ while ((flag = getopt (argc, argv, "d:f:h:pr:s:")) != EOF) {
switch (flag) {
case 'p':
pflg++;
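Review bot: The optstring gains `s:` unconditionally, while the `case 's':` handler added further down is inside `#ifdef USE_PAM`. In a non-PAM build -s and its argument are therefore parsed and then dropped into `default:` and usage(). Building the optstring under the same `#ifdef` would keep the parser and the handler in step.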
@@ -508,6 +535,12 @@
case 'd':
/* "-d device" ignored for compatibility */
break;
+#ifdef USE_PAM
+ case 's':
+ pam_service = optarg;
+ sflg++;
+ break;
+#endif
default:
usage ();
}
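Review bot: `pam_service = optarg;` in the new `case 's':` accepts the argument with no validation, and that string is later passed unchanged to pam_start(). Reject an empty name and any name containing `/` here, so the value can only ever refer to a service file directly inside the PAM configuration directory, and fail through usage() like the other cases do.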
@@ -526,7 +559,7 @@
* Allow authentication bypass only if real UID is zero.
*/
- if ((rflg || fflg || hflg) && !amroot) {
+ if ((rflg || fflg || hflg || sflg) && !amroot) {
fprintf (stderr, _("%s: permission denied\n"), Prog);
exit (1);
}
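Review bot: The comment above the modified test still reads "Allow authentication bypass only if real UID is zero", but -s is not a bypass: it selects which PAM policy is applied to the session. Update the comment to cover service selection. Because the chosen service decides the authentication rules, a non-default `pam_service` should also be logged once this check has passed, so the selection is visible in the audit trail.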
@@ -716,7 +749,7 @@
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
- retcode = pam_start ("login", username, &conv, &pamh);
+ retcode = pam_start (pam_service, username, &conv, &pamh);
if (retcode != PAM_SUCCESS) {
fprintf (stderr,
"login: PAM Failure, aborting: %s\n",
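Review bot: The failure message after pam_start() keeps the fixed text "login: PAM Failure, aborting" and never names the service. With the service now taken from -s, include `pam_service` in this message so a wrong name can be diagnosed. With Linux-PAM, a name that has no configuration file of its own is evaluated against the `other` service instead of failing at this call, so a mistyped -s may never reach this branch; confirming that the requested service is configured before calling pam_start() would catch that case.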
---------------------------------------
Date: Wed, 11 Jan 2006 18:24:41 +0100
From: Christian Perrier <bubulle at debian.org>
To: 187921-done at bugs.debian.org
Subject: Closing this bug report
Message-ID: <20060111172441.GF25709 at djedefre.onera>
tags 187921 - confirmed
thanks
After some deeper talk with the libpam-modules maintainer (Steve
Langasek), we concluded that adding the complexity of the PAM service
for login being configurable seems overflated.
Steve gave an example method for achieving what is requested by the
bug submitter.
As a consequence, I hereby close this bug report.