Date: Sat, 3 Apr 2021 12:06:31 GMT From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: bfd8b9b826cb - main - pam: add option to not prompt for password if it's set to empty Message-ID: <202104031206.133C6VBK024511@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by trasz: URL: https://cgit.FreeBSD.org/src/commit/?id=bfd8b9b826cb302759ef48e7a5adfd0c260c82d8 commit bfd8b9b826cb302759ef48e7a5adfd0c260c82d8 Author: Edward Tomasz Napierala <trasz@FreeBSD.org> AuthorDate: 2021-04-03 12:01:45 +0000 Commit: Edward Tomasz Napierala <trasz@FreeBSD.org> CommitDate: 2021-04-03 12:05:50 +0000 pam: add option to not prompt for password if it's set to empty Add a new option to pam_unix(8), "emptyok", which makes it not prompt for password, if it's set to an empty one. It is similar to "nullok", which makes it not prompt for password if the hash itself is empty. Reviewed By: markj Sponsored By: NetApp, Inc. Sponsored By: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D27569 --- lib/libpam/libpam/security/pam_mod_misc.h | 1 + lib/libpam/modules/pam_unix/pam_unix.8 | 12 +++++++++++- lib/libpam/modules/pam_unix/pam_unix.c | 10 ++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h index 08c9c1ab8f56..ff0cdc2dc8ea 100644 --- a/lib/libpam/libpam/security/pam_mod_misc.h +++ b/lib/libpam/libpam/security/pam_mod_misc.h @@ -37,6 +37,7 @@ * Common option names */ #define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_EMPTYOK "emptyok" #define PAM_OPT_AUTH_AS_SELF "auth_as_self" #define PAM_OPT_ECHO_PASS "echo_pass" #define PAM_OPT_DEBUG "debug" diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8 index 1345e82296c0..03f8feaf4ba9 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.8 +++ b/lib/libpam/modules/pam_unix/pam_unix.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 20, 2009 +.Dd April 3, 2020 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -116,6 +116,16 @@ privileges), the option may cause .Nm to allow any user to log in with any password. +.It Cm emptyok +If the password database contains the password for the entity being +authenticated, but the password matches an empty string, +then this option will forgo password prompting, and +silently allow authentication to succeed. +.Pp +The difference between this and +.Cm nullok +is that it avoids prompting for password when the password is set +to an empty string, as opposed to not being set. .It Cm local_pass Use only the local password database, even if NIS is in use. This will cause an authentication failure if the system is configured diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index ecdd10772155..29588f0af1ea 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -94,6 +94,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, struct passwd *pwd; int retval; const char *pass, *user, *realpw, *prompt; + const char *emptypasswd = ""; if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { user = getlogin(); @@ -116,6 +117,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Password is empty, using fake password"); realpw = "*"; } + /* + * Check whether the saved password hash matches the one + * generated from an empty password - as opposed to empty + * saved password hash, which is handled above. + */ + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_EMPTYOK) && + strcmp(crypt(emptypasswd, realpw), realpw) == 0) + return (PAM_SUCCESS); lc = login_getpwclass(pwd); } else { PAM_LOG("Doing dummy authentication");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104031206.133C6VBK024511>