sys-auth/pambase: Fall back to pam_deny in auth

Setting pam_unix and pam_sss to sufficient means that if both fail,
control will be passed to the following pam module. If this is
pam_permit then permission will be granted even if the previous modules
failed. Switch to pam_deny and mark it required rather than optional:
if pam_sss or pam_unix succeeds, the sufficient control returns from the
stack before pam_deny is reached, and if both fail, pam_deny ensures the
result is a denial rather than pam_permit's silent success.
This commit is contained in:
Matthew Garrett 2016-05-15 21:04:25 -07:00
parent 4a94f04736
commit 3865f77ecd
2 changed files with 17 additions and 13 deletions


@ -1,7 +1,7 @@
diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
--- pambase-20140313.orig/system-auth.in 2014-03-13 07:13:15.000000000 -0700
+++ pambase-20140313/system-auth.in 2016-05-02 12:57:35.437730031 -0700
@@ -7,7 +7,8 @@
diff -ur pambase-20120417.orig/system-auth.in pambase-20120417/system-auth.in
--- pambase-20120417.orig/system-auth.in 2016-05-15 21:01:29.705547981 -0700
+++ pambase-20120417/system-auth.in 2016-05-15 21:03:08.134220108 -0700
@@ -7,14 +7,16 @@
#if HAVE_KRB5
auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
#endif
@ -9,17 +9,18 @@ diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
+auth sufficient pam_sss.so use_first_pass
+auth sufficient pam_unix.so try_first_pass LIKEAUTH nullok DEBUG
/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
auth optional pam_permit.so
-auth optional pam_permit.so
+auth required pam_deny.so
@@ -16,6 +17,7 @@
#if HAVE_KRB5
account KRB5_CONTROL pam_krb5.so KRB5_PARAMS
#endif
account required pam_unix.so DEBUG
/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
+account sufficient pam_sss.so
/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
account optional pam_permit.so
#if HAVE_CRACKLIB
@@ -27,7 +29,8 @@
@@ -27,9 +29,10 @@
#if HAVE_KRB5
password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
#endif
@ -27,11 +28,14 @@ diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in
+password sufficient pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG
+password sufficient pam_sss.so use_authtok
/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
password optional pam_permit.so
-password optional pam_permit.so
+password required pam_deny.so
diff -ur pambase-20140313.orig/system-session.inc pambase-20140313/system-session.inc
--- pambase-20140313.orig/system-session.inc 2014-03-13 07:13:15.000000000 -0700
+++ pambase-20140313/system-session.inc 2016-05-02 12:57:59.723883487 -0700
#if HAVE_PAM_SSH
session optional pam_ssh.so
diff -ur pambase-20120417.orig/system-session.inc pambase-20120417/system-session.inc
--- pambase-20120417.orig/system-session.inc 2012-03-20 11:10:47.000000000 -0700
+++ pambase-20120417/system-session.inc 2016-05-15 21:02:00.151753215 -0700
@@ -23,3 +23,4 @@
#endif