[linux-pam] #61: pam_ftp 'users=' can only accept one user account
by fedora-badges
#61: pam_ftp 'users=' can only accept one user account
----------------------+------------------------------
Reporter: purecfs | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Keywords: pam_ftp
Blocked By: | Blocking:
----------------------+------------------------------
The documentation says that for the pam_ftp module, multiple
"anonymous" users can be defined, separated by commas. In practice,
however, this fails because PAM_USER is changed from the username to the
specified user name list, causing subsequent modules (like pam_unix) to
fail.
Here's a fix:
{{{
--- Linux-PAM-1.3.0-orig/modules/pam_ftp/pam_ftp.c 2016-05-24
14:33:39.000000000 -0700
+++ Linux-PAM-1.3.0/modules/pam_ftp/pam_ftp.c 2016-05-24
14:33:56.000000000 -0700
@@ -86,7 +86,6 @@
while (list_copy && (l = strtok_r(x, ",", &sptr))) {
x = NULL;
if (!strcmp(name, l)) {
- *_user = list;
anon = 1;
}
}
}}}
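Review bot: dropping `*_user = list;` fixes the symptom (PAM_USER no longer becomes the whole comma-separated list) but removes the mapping altogether: when `name` matches an entry, `*_user` is now left as whatever the client typed, so each alias in `users=` reaches the later modules as a distinct account name. If the documented meaning of the list is several aliases for one anonymous account, set `*_user` to the first entry of the list instead of deleting the assignment, and keep in mind that the tokens `l` point into `list_copy`, so whatever `*_user` ends up pointing at must outlive that buffer. Minor: after `anon = 1;` the loop can `break` instead of tokenizing the remaining entries.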
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/61>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
7 years, 6 months
Fix for ticket 61
by Tomas Mraz
I'm reposting the patch with the fix for ticket 61 here. Basically we
need to use the first user name from the list and not the whole list.
OK to commit?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
7 years, 8 months
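As an added illustration of the behaviour this thread settles on (not Linux-PAM code, and not the attached patch): a stand-alone lookup that accepts any alias from a `users=` list but hands back the list's first entry as the account to continue with. The function names and the sample lists are constructed here; the scan uses strchr()/memcmp() instead of the module's strtok_r() loop so that no writable copy of the list is needed.

```c
#include <string.h>

/* Resolve `name` against the comma-separated `list` of a pam_ftp-style
 * `users=` option.  Returns 1 and copies the FIRST entry of the list (the
 * canonical anonymous account) into `canon` when `name` equals any entry;
 * returns 0 when nothing matches or the canonical name does not fit.
 * The list is walked with strchr()/memcmp() rather than strtok_r(), so no
 * writable copy is needed; empty entries (",,") are skipped. */
int lookup_anon_user(const char *name, const char *list,
                     char *canon, size_t canon_len)
{
    const char *p = list, *first = NULL;
    size_t first_len = 0, name_len;

    if (name == NULL || list == NULL || canon == NULL || canon_len == 0)
        return 0;
    name_len = strlen(name);

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len > 0) {
            if (first == NULL) {          /* remember the canonical name */
                first = p;
                first_len = len;
            }
            if (len == name_len && memcmp(name, p, len) == 0) {
                if (first_len >= canon_len)
                    return 0;             /* refuse rather than truncate */
                memcpy(canon, first, first_len);
                canon[first_len] = '\0';
                return 1;
            }
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/* Check helper: 1 when `name` is accepted and resolves to `expected`. */
int resolves_to(const char *name, const char *list, const char *expected)
{
    char canon[64];
    return lookup_anon_user(name, list, canon, sizeof canon) == 1
        && strcmp(canon, expected) == 0;
}
```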
[linux-pam] #63: Lower severity levels of two syslog messages
by fedora-badges
#63: Lower severity levels of two syslog messages
---------------------+------------------------------
Reporter: quabla | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: 1.2.x | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
I have partially reported this to OpenSSH [1] before, since the messages
appear in syslog when using sshd.
Most of the pam_syslog calls are made when something fails (malloc,
conversation, config) and have priority LOG_ERR or LOG_CRIT. That is
perfectly fine.
However, a few messages with high severity appear in normal operation of
sshd with pam_unix. That suggests that they are not severe at all.
Let's look at them by the assigned priority:
1 Alert: action must be taken immediately
- PAM service(sshd) ignoring max retries; 5 > 3
It seems these messages could be suppressed in sshd [2]. However, there is
no problem in ignoring max retries. I am suggesting priority LOG_INFO.
4 Warning: warning conditions
- pam_unix(sshd:auth): check pass; user unknown
That happens frequently on world-facing systems and it's not an error in
the usage of PAM. Also, this cannot be suppressed by sshd. Suggesting
LOG_INFO.
[1]: <https://bugzilla.mindrot.org/show_bug.cgi?id=2585>
"Several syslog messages have too high priority"
[2]: <https://bugzilla.mindrot.org/show_bug.cgi?id=2249>
"sshd ignores PAM_MAXRETRIES pam return value"
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/63>
7 years, 10 months
Syslog loglevel cleanup
by Tomas Mraz
In the attached patch I've attempted to clean up the log levels used a
little bit. I am not saying these are all the changes that could/should
be done, but we can start with this patch. So please review only these
changes for now; additional changes can be done in further patches.
I tried to follow the MWG: memory allocation errors should be LOG_CRIT
and errors induced by the authenticating user should be LOG_NOTICE. For
the rest I just tried to somehow make them more reasonable. Mostly I am
lowering the level, but there are some cases where the level is raised
too.
It also addresses https://fedorahosted.org/linux-pam/ticket/63
Please review,
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
7 years, 10 months
Re: [linux-pam] pam_timestamp: fix typo in strncmp usage
by Dmitry V. Levin
On Tue, Jun 14, 2016 at 11:22:31PM +0000, Dmitry V. Levin wrote:
> commit dce30cd7a07523b0937e7a2cbb83fe744bdbfcf0
> Author: Dmitry V. Levin <ldv(a)altlinux.org>
> Date: Tue Jun 14 23:03:13 2016 +0000
>
> pam_timestamp: fix typo in strncmp usage
>
> Before this fix, a typo in check_login_time resulted in ruser and
> struct utmp.ut_user being compared by the first character only,
> which in turn could lead to a too low timestamp value being assigned
> to oldest_login, effectively causing bypass of check_login_time.
>
> * modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
> in strncmp usage.
>
> Patch-by: Anton V. Boyarshinov <boyarsh(a)altlinux.org>
>
> modules/pam_timestamp/pam_timestamp.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
> ---
> diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
> index b18efdf..aa8e781 100644
> --- a/modules/pam_timestamp/pam_timestamp.c
> +++ b/modules/pam_timestamp/pam_timestamp.c
> @@ -211,7 +211,7 @@ check_login_time(const char *ruser, time_t timestamp)
> if (ut->ut_type != USER_PROCESS) {
> continue;
> }
> - if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user) != 0)) {
> + if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0) {
> continue;
> }
> if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) {
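Review bot: the moved parenthesis is the right fix, but the corrected `strncmp(ruser, ut->ut_user, sizeof(ut->ut_user)) != 0` is still not a strict equality test when the field is full: `ut_user` may occupy all `sizeof(ut->ut_user)` bytes with no terminating NUL, and then a `ruser` that is longer than the field but shares its first `sizeof(ut->ut_user)` characters compares equal and is counted as the same user's login. Consider also requiring `strlen(ruser) <= sizeof(ut->ut_user)` (or comparing `strlen(ruser)` with the field's `strnlen`) before the `continue`. Worth a line in the commit message that clang's -Wmemsize-comparison flags exactly this `sizeof(...) != 0` size argument, so enabling it would catch a regression.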
Looks like check_login_time is a hardening check, so security implications
of this bug aren't obvious.
--
ldv
7 years, 11 months
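To make the comparison semantics from the commit message concrete, an added stand-alone illustration (not code from Linux-PAM or from this patch): the pre-fix expression, the fixed expression, and a stricter variant that also rejects a name longer than the fixed-width field, which the fixed `strncmp` bound still accepts when the field is completely filled. The field width of 32 is assumed to match glibc's UT_NAMESIZE, and the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Width of the fixed-size user-name field. 32 matches glibc's UT_NAMESIZE,
 * but it is assumed here rather than taken from <utmp.h>. */
#define UT_USER_LEN 32

/* Pre-fix expression: the misplaced parenthesis makes the length argument
 * (sizeof(...) != 0), i.e. 1, so only the first character is compared.
 * sizeof on the array parameter would yield a pointer size, hence the
 * spelled-out field type. */
bool match_before_fix(const char *ruser, const char ut_user[UT_USER_LEN])
{
    return strncmp(ruser, ut_user, sizeof(char[UT_USER_LEN]) != 0) == 0;
}

/* Expression as corrected by the patch: compare up to the field width. */
bool match_after_fix(const char *ruser, const char ut_user[UT_USER_LEN])
{
    return strncmp(ruser, ut_user, sizeof(char[UT_USER_LEN])) == 0;
}

/* Stricter variant: a full field carries no terminating NUL, so measure its
 * real length and insist that ruser has exactly that many characters. */
bool match_exact(const char *ruser, const char ut_user[UT_USER_LEN])
{
    size_t flen = 0;
    while (flen < UT_USER_LEN && ut_user[flen] != '\0')
        flen++;                          /* portable strnlen() */
    return strlen(ruser) == flen && memcmp(ruser, ut_user, flen) == 0;
}

/* Run one comparison against a constructed field holding the first n bytes
 * of `field_name` (n == UT_USER_LEN leaves no room for a NUL). */
bool scenario(bool (*cmp)(const char *, const char *), const char *ruser,
              const char *field_name, size_t n)
{
    char ut_user[UT_USER_LEN];
    memset(ut_user, 0, sizeof ut_user);
    memcpy(ut_user, field_name, n);
    return cmp(ruser, ut_user);
}
```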
[linux-pam] #62: merge pam_faillock
by fedora-badges
#62: merge pam_faillock
--------------------------+------------------------------
Reporter: jnewton | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
--------------------------+------------------------------
I've spoken with the author of pam_faillock and I believe it to be
superior to pam_tally2, particularly concerning the handling of
screensavers; so much so that, in addition to the following, I've
requested that my own distribution of choice, openSUSE/SUSE, incorporate
the module as well.
pam_faillock is part of the recommended RHEL configuration for secured
computers, and holding out for pam_tally2 also presents a nasty
non-uniformity for nearly the same functionality (although pam_tally2
doesn't work for screensavers). This can thus make it an issue to have an
approved configuration under the scrutiny of security folks.
I've asked the author, Tomas Mraz, to make the patch available
standalone - which he has provided here for other users/distributions to
consider:
http://people.redhat.com/tmraz/pam_faillock/
But I think this should just go into master at this point.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/62>
7 years, 11 months