MFC:
pam_unix.c 1.52 pam_unix.8 1.13 In account management, verify whether the account has been locked with `pw lock', so that it's impossible to log into a locked account using an alternative authentication mechanism, such as an ssh key. This change affects only accounts locked with pw(8), i.e., having a `*LOCKED*' prefix in their password hash field, so people still can use a different pattern to disable password authentication only. Mention all account management criteria in the manpage. PR: bin/71147
This commit is contained in:
parent
60df5c757c
commit
3cb34a2f46
@ -34,7 +34,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd October 12, 2006
.Dd March 27, 2007
.Dt PAM_UNIX 8
.Os
.Sh NAME
@ -142,8 +142,20 @@ provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies
that the authenticated user
is allowed to login to the local user account
by checking the password expiry date.
is allowed to log into the local user account
by checking the following criteria:
.Bl -dash -offset indent
.It
locked status of the account compatible with
.Xr pw 8
.Cm lock ;
.It
the password expiry date from
.Xr passwd 5 ;
.It
.Xr login.conf 5
restrictions on the remote host, login time, and tty.
.El
.Pp
The following options may be passed to the management module:
.Bl -tag -width ".Cm use_first_pass"
@ -199,4 +211,5 @@ password database.
.Xr nsswitch.conf 5 ,
.Xr passwd 5 ,
.Xr pam 8 ,
.Xr pw 8 ,
.Xr yp 8
@ -70,6 +70,9 @@ __FBSDID("$FreeBSD$");
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
#define SALTSIZE 32
#define LOCKED_PREFIX "*LOCKED*"
#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)
static void makesalt(char []);
static char password_hash[] = PASSWORD_HASH;
@ -176,6 +179,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
return (PAM_NEW_AUTHTOK_REQD);
if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
return (PAM_AUTH_ERR);
lc = login_getpwclass(pwd);
if (lc == NULL) {
PAM_LOG("Unable to get login class for user %s", user);
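Review bot: The new lock test `if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)` sits after the earlier `return (PAM_NEW_AUTHTOK_REQD);`, so an account that trips that condition is reported as needing a new token before the lock is ever consulted; placing the lock check ahead of that branch keeps the lock authoritative regardless of how the application handles PAM_NEW_AUTHTOK_REQD. The refusal is also silent, whereas the login-class failure just below reports through PAM_LOG; a line such as `PAM_LOG("Account %s is locked", user);` before `return (PAM_AUTH_ERR);` gives operators a record of attempts against locked accounts. The body of pam_sm_acct_mgmt starts and ends outside the hunk, so whether pw_passwd is already established as non-NULL at this point cannot be confirmed from here.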
|