Date: Wed, 23 Jul 2014 10:42:11 -0700 From: Arthur Mesh <amesh@juniper.net> To: <arch@freebsd.org> Subject: pam_lastlog Message-ID: <20140723174211.GQ57013@juniper.net>
Greetings,
At Juniper Networks, we have a concept of "template" system users, where
actual users of the system are defined on remote authentication servers
such as Radius or Tacacs+. These users are mapped to a single locally
defined user (called template user). Such mapping makes it easier for
sysadmins to manage large numbers of deployed systems using readily
available RADIUS/TACACS+ deployments.
Most of the glue to make this 1:N mapping work is done via various
changes to various PAM modules. While reading some existing PAM modules
used by FreeBSD, we came across pam_lastlog.so (the session management
module responsible for updating the accounting database (utmpx)), which does
something curious.
Prior to doing its thing, pam_lastlog always ensures that the username in
question exists in the password database. Given that session management
happens only after authentication (pam_authenticate(3)) has succeeded
and the account has been validated (pam_acct_mgmt(3)), this seems like a
layering violation. Thoughts?
Here is a proposed change that adds a knob to disable this lookup:
Index: lib/libpam/modules/pam_lastlog/pam_lastlog.8
===================================================================
--- lib/libpam/modules/pam_lastlog/pam_lastlog.8 (revision 282460)
+++ lib/libpam/modules/pam_lastlog/pam_lastlog.8 (working copy)
@@ -81,6 +81,8 @@
suppress warning messages to the user.
.It Cm no_fail
Ignore I/O failures.
+.It Cm no_user_lookup
+Skip looking up user account.
.El
.Sh SEE ALSO
.Xr last 1 ,
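Review bot: the new `.It Cm no_user_lookup` entry is too terse to tell an administrator what they are giving up: "Skip looking up user account." should say that the module no longer verifies that the name returned by pam_get_user(3) exists in the password database, and that the name is then recorded in the accounting database as given. Suggest wording along the lines of "Do not verify that the user exists in the password database; intended for setups where users are mapped onto a template account", so that the option is not enabled casually on a system where every login is expected to have a local passwd entry.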
Index: lib/libpam/modules/pam_lastlog/pam_lastlog.c
===================================================================
--- lib/libpam/modules/pam_lastlog/pam_lastlog.c (revision 282460)
+++ lib/libpam/modules/pam_lastlog/pam_lastlog.c (working copy)
@@ -68,7 +68,6 @@
pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc __unused, const char *argv[] __unused)
{
- struct passwd *pwd;
struct utmpx *utx, utl;
time_t t;
const char *user;
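Review bot: dropping `struct passwd *pwd;` is correct only if `pwd` had no use beyond the removed getpwnam() check; the hunk shows just the declaration, so please confirm the rest of pam_sm_open_session() (not visible here) never dereferences it, otherwise this fails to compile. Since the value is now discarded, `getpwnam(user) == NULL` in the following hunk is the only remaining consumer, which keeps the change minimal.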
@@ -79,8 +78,11 @@
pam_err = pam_get_user(pamh, &user, NULL);
if (pam_err != PAM_SUCCESS)
return (pam_err);
- if (user == NULL || (pwd = getpwnam(user)) == NULL)
+ if (user == NULL)
return (PAM_SERVICE_ERR);
+ if (openpam_get_option(pamh, "no_user_lookup") == NULL &&
+ getpwnam(user) == NULL)
+ return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
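Review bot: when `no_user_lookup` is set, the `user` string from pam_get_user() is accepted without any check that it names an account, so whatever the application put in PAM_USER goes straight into the utmpx/lastlog record; the remaining code that copies it into `utl` should be length-bounded (it is not shown in this hunk) and it would help auditing to emit a PAM_LOG line when the lookup is skipped, e.g. `PAM_LOG("Skipping user lookup for %s", user);` next to the existing "Got user" message. The split of the old combined test into `if (user == NULL)` followed by the conditional getpwnam() keeps PAM_SERVICE_ERR for both failure cases, which preserves existing behaviour when the option is absent.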
--
Arthur Mesh <amesh@juniper.net>
Juniper Networks
+1 408 936-4968
