Date: Sat, 28 Apr 2001 21:50:33 +1000 (EST)
From: Bruce Evans <bde@zeta.org.au>
To: Mark Murray <mark@grondar.za>
Cc: current@FreeBSD.org
Subject: Re: PAMmed su still broken for passwordless accounts
Message-ID: <Pine.BSF.4.21.0104282059580.9562-100000@besplex.bde.org>
In-Reply-To: <200104280901.f3S91Fp11808@gratis.grondar.za>
On Sat, 28 Apr 2001, Mark Murray wrote:

> > > 1) su on passwordless accounts.
> > > (a) `su <passwordless>' now bogusly prompts for a password. It lets
> > > you in if you type an empty password.

(a1) It also lets you in if you type garbage followed by a newline.

> > > (b) `echo somecommand | su <passwordless>' now bogusly prompts for
> > > a password. su doesn't find a password, and exits without printing
> > > anything or running `somecommand'. I use the latter form a lot.
>
> Feature, not bug. PAM has been told to use "unix" authentication.

The bug turns out to be that PAM shouldn't have been told this. The
non-PAM case uses the following check to avoid checking for passwords
on passwordless accounts:

---
	/* if target requires a password, verify it */
	if (*pwd->pw_passwd) {
---

but the PAM case always calls pam_authenticate() (for non-root).

> You can override this by setting
>
> su      auth    required        pam_permit.so
>
> instead of
>
> su      auth    required        pam_unix.so     try_first_pass
>
> in /etc/pam.conf.
>
> For situations where some accounts have passwords and some don't, play
> with the third word - "required" may become "sufficient" etc.

The first form is equivalent to making all accounts passwordless. I
don't see how changing the third word could affect this.

login(1) uses the same configuration as su(1) in pam.conf but handles
passwordless accounts correctly. In login.c, most of the complications
for PAM authorization are in the auth_pam() function, and
"goto ttycheck;" skips over all types of authorization when there is no
password. The corresponding code in su.c is a tangle of ifdefs and
large inline code for PAM authorization.

Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
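The gating logic the message contrasts (the non-PAM `*pwd->pw_passwd` test versus a PAM path that is always entered), written out as an added, self-contained C model; it is not code from FreeBSD's su.c or login.c, and `target_pw`, `pam_demo`, `pam_calls` and the two sample accounts are constructed stand-ins for `struct passwd` and the libpam calls.

```c
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for the struct passwd fields the gate looks at (constructed
 * for this example; the real struct comes from <pwd.h>). */
struct target_pw {
    const char *pw_name;
    const char *pw_passwd;   /* encrypted password; "" = passwordless */
};

/* Constructed sample accounts. */
static const struct target_pw PASSWORDLESS = { "guest", "" };
static const struct target_pw WITH_PASSWORD = { "bob", "$1$xx$constructedhash" };

/* pam_demo stands in for pam_start()/pam_authenticate() so the example
 * runs without libpam; pam_calls records how often that path was taken. */
static int pam_calls;
static int pam_demo(const char *target)
{
    (void)target;
    pam_calls++;
    return 1;   /* 1 = a password was demanded and verified */
}

/* The gate: the non-PAM su test (*pwd->pw_passwd) plus the root bypass.
 * Returns 0 when no authentication is needed, 1 when it is. */
int auth_required(uid_t ruid, const struct target_pw *pwd)
{
    if (ruid == 0 || pwd->pw_passwd == NULL || *pwd->pw_passwd == '\0')
        return 0;
    return 1;
}

/* Consult the gate before PAM: the conversation is never opened for root
 * or a passwordless target, so nothing is prompted and piped stdin
 * reaches the target's shell untouched. */
int su_authenticate(uid_t ruid, const struct target_pw *pwd,
                    int (*pam_path)(const char *))
{
    if (!auth_required(ruid, pwd))
        return 0;
    return pam_path(pwd->pw_name);
}

int main(void)
{
    int g = su_authenticate(1000, &PASSWORDLESS, pam_demo);
    int b = su_authenticate(1000, &WITH_PASSWORD, pam_demo);
    int r = su_authenticate(0, &WITH_PASSWORD, pam_demo);
    printf("guest=%d bob=%d root->bob=%d pam_calls=%d\n", g, b, r, pam_calls);
    return 0;
}
```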