From owner-dev-commits-src-main@freebsd.org Sat Apr 3 12:06:32 2021
Date: Sat, 3 Apr 2021 12:06:31 GMT
Message-Id: <202104031206.133C6VBK024511@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Edward Tomasz Napierala
Subject: git: bfd8b9b826cb - main - pam: add option to not prompt for password if it's set to empty
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: trasz
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: bfd8b9b826cb302759ef48e7a5adfd0c260c82d8
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-main@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for the main branch of the src repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 03 Apr 2021 12:06:32 -0000

The branch main has been updated by trasz:

URL: https://cgit.FreeBSD.org/src/commit/?id=bfd8b9b826cb302759ef48e7a5adfd0c260c82d8

commit bfd8b9b826cb302759ef48e7a5adfd0c260c82d8
Author:     Edward Tomasz Napierala
AuthorDate: 2021-04-03 12:01:45 +0000
Commit:     Edward Tomasz Napierala
CommitDate: 2021-04-03 12:05:50 +0000

    pam: add option to not prompt for password if it's set to empty

    Add a new option to pam_unix(8), "emptyok", which makes it not prompt
    for password, if it's set to an empty one.  It is similar to "nullok",
    which makes it not prompt for password if the hash itself is empty.

    Reviewed By:	markj
    Sponsored By:	NetApp, Inc.
    Sponsored By:	Klara, Inc.
    Differential Revision:	https://reviews.freebsd.org/D27569
---
 lib/libpam/libpam/security/pam_mod_misc.h |  1 +
 lib/libpam/modules/pam_unix/pam_unix.8    | 12 +++++++++++-
 lib/libpam/modules/pam_unix/pam_unix.c    | 10 ++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h
index 08c9c1ab8f56..ff0cdc2dc8ea 100644
--- a/lib/libpam/libpam/security/pam_mod_misc.h
+++ b/lib/libpam/libpam/security/pam_mod_misc.h
@@ -37,6 +37,7 @@ * Common option names */ #define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_EMPTYOK "emptyok" #define PAM_OPT_AUTH_AS_SELF "auth_as_self" #define PAM_OPT_ECHO_PASS "echo_pass" #define PAM_OPT_DEBUG "debug" diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8 index 1345e82296c0..03f8feaf4ba9 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.8 +++ b/lib/libpam/modules/pam_unix/pam_unix.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 20, 2009 +.Dd April 3, 2020 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -116,6 +116,16 @@ privileges), the option may cause .Nm to allow any user to log in with any password. +.It Cm emptyok +If the password database contains the password for the entity being +authenticated, but the password matches an empty string, +then this option will forgo password prompting, and +silently allow authentication to succeed. +.Pp +The difference between this and +.Cm nullok +is that it avoids prompting for password when the password is set +to an empty string, as opposed to not being set. .It Cm local_pass Use only the local password database, even if NIS is in use. This will cause an authentication failure if the system is configured diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index ecdd10772155..29588f0af1ea 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -94,6 +94,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, struct passwd *pwd; int retval; const char *pass, *user, *realpw, *prompt; + const char *emptypasswd = ""; if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { user = getlogin(); 
@@ -116,6 +117,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Password is empty, using fake password"); realpw = "*"; } + /* + * Check whether the saved password hash matches the one + * generated from an empty password - as opposed to empty + * saved password hash, which is handled above. + */ + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_EMPTYOK) && + strcmp(crypt(emptypasswd, realpw), realpw) == 0) + return (PAM_SUCCESS); lc = login_getpwclass(pwd); } else { PAM_LOG("Doing dummy authentication");
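Review bot: the `.Dd` bump in the pam_unix.8 hunk sets the year to 2020, but both AuthorDate and CommitDate above are 2021-04-03; change `+.Dd April 3, 2020` to `.Dd April 3, 2021` so the manual page's modification date is not a year earlier than the change it documents.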
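Review bot: the new `.It Cm emptyok` entry in pam_unix.8 does not say that the option is ignored when the application passes PAM_DISALLOW_NULL_AUTHTOK, although the pam_unix.c hunk only honours it under `!(flags & PAM_DISALLOW_NULL_AUTHTOK)`; document that interaction next to the description. Since `emptyok` returns success before any conversation with the user, the entry should also carry a warning of the kind the preceding `nullok` text gives ("may cause pam_unix to allow any user to log in with any password"), stating plainly that every account whose stored hash was produced from an empty password becomes passwordless once the option is set.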
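Review bot: `const char *emptypasswd = "";` in the first pam_unix.c hunk exists only to be passed to crypt() once in the following hunk; passing the literal directly (`crypt("", realpw)`) reads just as clearly and avoids a local that is unused on every other path through pam_sm_authenticate.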
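Review bot: in the second pam_unix.c hunk, `strcmp(crypt(emptypasswd, realpw), realpw)` dereferences the result of crypt(3) without a NULL check; crypt(3) returns NULL when it cannot process the setting string, and the fake `realpw = "*"` assigned just above this hunk on the empty-hash path is not a well-formed setting for any hash format, so with `emptyok` set (and `nullok` not set) the module should not assume the call succeeds. Store the result and test it first, e.g. `p = crypt("", realpw); if (p != NULL && strcmp(p, realpw) == 0) return (PAM_SUCCESS);`. The early `return (PAM_SUCCESS)` also skips the `lc = login_getpwclass(pwd);` that follows and everything after it, and unlike the neighbouring branch it emits no PAM_LOG line; log that authentication was granted via emptyok so the decision is visible when the login is audited.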
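The nullok/emptyok distinction described in the commit message, worked through as an added example that is not FreeBSD's code: `decide()` models the pre-prompt decision pam_unix makes (no hash at all versus a hash of the empty string, and the PAM_DISALLOW_NULL_AUTHTOK override), and `make_hash()` builds password-database fields for the cases. crypt(3) is replaced by `toy_crypt()`, a deterministic stand-in so the block builds without libcrypt; the function names, the enum values, the "$t$" setting format and the sample hashes are all constructed for this illustration.

```c
/*
 * Added example, not FreeBSD's code: models the nullok/emptyok decision
 * that pam_unix(8) makes before prompting.  crypt(3) is replaced by
 * toy_crypt(), a deterministic stand-in ("$t$salt$fnv1a-64") so this
 * builds without libcrypt; never use it for real passwords.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum decision {
	PROMPT,		/* ask for a password and compare it against the hash */
	ACCEPT_NULLOK,	/* hash field is empty and nullok is set             */
	ACCEPT_EMPTYOK	/* hash field is the hash of "" and emptyok is set   */
};

/* Deterministic crypt(3) look-alike; returns NULL for an unrecognised setting. */
static const char *
toy_crypt(const char *key, const char *setting)
{
	static char out[64];
	char salt[17];
	const char *p, *end;
	uint64_t h = 1469598103934665603ULL;	/* FNV-1a 64-bit offset basis */

	if (strncmp(setting, "$t$", 3) != 0)
		return (NULL);		/* e.g. the "*" placeholder hash */
	p = setting + 3;
	end = strchr(p, '$');
	if (end == NULL || (size_t)(end - p) >= sizeof(salt))
		return (NULL);
	memcpy(salt, p, end - p);
	salt[end - p] = '\0';
	for (p = salt; *p != '\0'; p++)
		h = (h ^ (unsigned char)*p) * 1099511628211ULL;
	for (p = key; *p != '\0'; p++)
		h = (h ^ (unsigned char)*p) * 1099511628211ULL;
	snprintf(out, sizeof(out), "$t$%s$%016llx", salt, (unsigned long long)h);
	return (out);
}

/* Produce a password-database field for pw (constructed data), or "*" on failure. */
void
make_hash(char *out, size_t outlen, const char *pw, const char *salt)
{
	char setting[32];
	const char *h;

	snprintf(setting, sizeof(setting), "$t$%s$", salt);
	h = toy_crypt(pw, setting);
	snprintf(out, outlen, "%s", h != NULL ? h : "*");
}

/*
 * The pre-prompt decision.  stored is the hash field from the password
 * database; disallow_null mirrors the application passing
 * PAM_DISALLOW_NULL_AUTHTOK, which overrides both options.
 */
enum decision
decide(const char *stored, int nullok, int emptyok, int disallow_null)
{
	const char *h;

	if (stored == NULL || *stored == '\0') {
		/* nullok case: there is no hash at all. */
		if (nullok && !disallow_null)
			return (ACCEPT_NULLOK);
		return (PROMPT);	/* pam_unix substitutes "*", so every answer fails */
	}
	/* emptyok case: a hash exists and it is the hash of "". */
	if (emptyok && !disallow_null) {
		h = toy_crypt("", stored);
		if (h != NULL && strcmp(h, stored) == 0)	/* guard against crypt() failing */
			return (ACCEPT_EMPTYOK);
	}
	return (PROMPT);
}

int
main(void)
{
	static const char *names[] = { "prompt", "accept (nullok)", "accept (emptyok)" };
	char empty_pw[64], real_pw[64];

	make_hash(empty_pw, sizeof(empty_pw), "", "ab");
	make_hash(real_pw, sizeof(real_pw), "hunter2", "ab");
	printf("unset hash, nullok:            %s\n", names[decide("", 1, 0, 0)]);
	printf("unset hash, emptyok only:      %s\n", names[decide("", 0, 1, 0)]);
	printf("hash of \"\", emptyok:           %s\n", names[decide(empty_pw, 0, 1, 0)]);
	printf("hash of \"\", emptyok, disallow: %s\n", names[decide(empty_pw, 0, 1, 1)]);
	printf("hash of real password:         %s\n", names[decide(real_pw, 1, 1, 0)]);
	return (0);
}
```

The two accept paths never meet: an unset field is handled only by nullok, a hash of "" only by emptyok, and the disallow flag turns both back into a prompt. The NULL guard on the hash result is the check a real module needs because crypt(3) fails on a setting it does not recognise, such as the "*" placeholder.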