Instead of failing when neither PAM_TTY nor PAM_RHOST are available, call

login_access() with "**unknown**" as the second argument. This will allow "ALL" rules to match. Reported by: Tim Daneliuk <tundra@tundraware.com> Tested by: dim@ PR: 83099 193927 MFC after: 3 days
svn path=/head/; revision=272280
2014-09-29 08:57:36 +00:00 · 2014-09-29 08:57:36 +00:00 · 4c37ae3065 · 2020-12-20 02:59:44 +00:00
commit 4c37ae3065
parent 82ac9f2bf7
1 changed files with 4 additions and 2 deletions
--- a/lib/libpam/modules/pam_login_access/pam_login_access.c
+++ b/lib/libpam/modules/pam_login_access/pam_login_access.c
@ -94,8 +94,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
 		PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
 		    user, tty);
 	} else {
-		PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required");
-		return (PAM_AUTHINFO_UNAVAIL);
+		PAM_LOG("Checking login.access for user %s", user);
+		if (login_access(user, "***unknown***") != 0)
+			return (PAM_SUCCESS);
+		PAM_VERBOSE_ERROR("%s is not allowed to log in", user);
 	}

 	return (PAM_AUTH_ERR);