2013-09-19 06:09:33 +02:00
|
|
|
# new option UsePAMCheckLocks to enforce checking for locked accounts while
|
|
|
|
|
# UsePAM is used
|
|
|
|
|
# bnc#708678, FATE#312033
|
|
|
|
|
|
2016-01-21 08:28:30 +01:00
|
|
|
Index: b/auth.c
|
|
|
|
|
===================================================================
|
|
|
|
|
--- a/auth.c
|
|
|
|
|
+++ b/auth.c
|
|
|
|
|
@@ -109,7 +109,7 @@ allowed_user(struct passwd * pw)
|
2013-09-19 06:09:33 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
#ifdef USE_SHADOW
|
|
|
|
|
- if (!options.use_pam)
|
|
|
|
|
+ if (!options.use_pam || options.use_pam_check_locks)
|
|
|
|
|
spw = getspnam(pw->pw_name);
|
|
|
|
|
#ifdef HAS_SHADOW_EXPIRE
|
|
|
|
|
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
2016-01-21 08:28:30 +01:00
|
|
|
@@ -129,7 +129,7 @@ allowed_user(struct passwd * pw)
|
2013-09-19 06:09:33 +02:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* check for locked account */
|
|
|
|
|
- if (!options.use_pam && passwd && *passwd) {
|
|
|
|
|
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
|
|
|
|
|
int locked = 0;
|
|
|
|
|
|
|
|
|
|
#ifdef LOCKED_PASSWD_STRING
|
2016-01-21 08:28:30 +01:00
|
|
|
Index: b/servconf.c
|
|
|
|
|
===================================================================
|
|
|
|
|
--- a/servconf.c
|
|
|
|
|
+++ b/servconf.c
|
|
|
|
|
@@ -74,6 +74,7 @@ initialize_server_options(ServerOptions
|
2013-09-19 06:09:33 +02:00
|
|
|
|
|
|
|
|
/* Portable-specific options */
|
|
|
|
|
options->use_pam = -1;
|
|
|
|
|
+ options->use_pam_check_locks = -1;
|
|
|
|
|
|
|
|
|
|
/* Standard Options */
|
|
|
|
|
options->num_ports = 0;
|
2016-01-21 08:28:30 +01:00
|
|
|
@@ -187,6 +188,8 @@ fill_default_server_options(ServerOption
|
2013-09-19 06:09:33 +02:00
|
|
|
/* Portable-specific options */
|
|
|
|
|
if (options->use_pam == -1)
|
|
|
|
|
options->use_pam = 0;
|
|
|
|
|
+ if (options->use_pam_check_locks == -1)
|
|
|
|
|
+ options->use_pam_check_locks = 0;
|
|
|
|
|
|
|
|
|
|
/* Standard Options */
|
|
|
|
|
if (options->protocol == SSH_PROTO_UNKNOWN)
|
2016-01-21 08:28:30 +01:00
|
|
|
@@ -392,7 +395,7 @@ fill_default_server_options(ServerOption
|
2013-09-19 06:09:33 +02:00
|
|
|
typedef enum {
|
|
|
|
|
sBadOption, /* == unknown option */
|
|
|
|
|
/* Portable-specific options */
|
|
|
|
|
- sUsePAM,
|
|
|
|
|
+ sUsePAM, sUsePAMChecklocks,
|
|
|
|
|
/* Standard Options */
|
2016-01-21 08:28:30 +01:00
|
|
|
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
|
|
|
|
|
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
|
|
|
|
@@ -442,8 +445,10 @@ static struct {
|
2013-09-19 06:09:33 +02:00
|
|
|
/* Portable-specific options */
|
|
|
|
|
#ifdef USE_PAM
|
|
|
|
|
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
|
|
|
|
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
|
|
|
|
|
#else
|
|
|
|
|
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
|
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
|
|
|
|
|
#endif
|
|
|
|
|
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
|
|
|
|
/* Standard Options */
|
2016-01-21 08:28:30 +01:00
|
|
|
@@ -1004,6 +1009,9 @@ process_server_config_line(ServerOptions
|
2013-09-19 06:09:33 +02:00
|
|
|
case sUsePAM:
|
|
|
|
|
intptr = &options->use_pam;
|
|
|
|
|
goto parse_flag;
|
|
|
|
|
+ case sUsePAMChecklocks:
|
|
|
|
|
+ intptr = &options->use_pam_check_locks;
|
|
|
|
|
+ goto parse_flag;
|
|
|
|
|
|
|
|
|
|
/* Standard Options */
|
|
|
|
|
case sBadOption:
|
2016-01-21 08:28:30 +01:00
|
|
|
Index: b/servconf.h
|
|
|
|
|
===================================================================
|
|
|
|
|
--- a/servconf.h
|
|
|
|
|
+++ b/servconf.h
|
|
|
|
|
@@ -173,6 +173,7 @@ typedef struct {
|
2013-09-19 06:09:33 +02:00
|
|
|
char *adm_forced_command;
|
|
|
|
|
|
|
|
|
|
int use_pam; /* Enable auth via PAM */
|
|
|
|
|
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
|
|
|
|
|
|
|
|
|
|
int permit_tun;
|
|
|
|
|
|
2016-01-21 08:28:30 +01:00
|
|
|
Index: b/sshd_config.0
|
|
|
|
|
===================================================================
|
|
|
|
|
--- a/sshd_config.0
|
|
|
|
|
+++ b/sshd_config.0
|
|
|
|
|
@@ -950,6 +950,14 @@ DESCRIPTION
|
2013-09-19 06:09:33 +02:00
|
|
|
If UsePAM is enabled, you will not be able to run sshd(8) as a
|
2016-01-21 08:28:30 +01:00
|
|
|
non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
2013-09-19 06:09:33 +02:00
|
|
|
|
|
|
|
|
+ UsePAMCheckLocks
|
|
|
|
|
+ When set to ``yes'', the checks whether the account has been
|
|
|
|
|
+ locked with `passwd -l' are performed even when PAM authentication
|
|
|
|
|
+ is enabled via UsePAM. This is to ensure that it is not possible
|
|
|
|
|
+ to log in with e.g. a public key (in such a case PAM is used only
|
|
|
|
|
+ to set up the session and some PAM modules will not check whether
|
|
|
|
|
+ the account is locked in this scenario). The default is ``no''.
|
|
|
|
|
+
|
|
|
|
|
UsePrivilegeSeparation
|
|
|
|
|
Specifies whether sshd(8) separates privileges by creating an
|
|
|
|
|
unprivileged child process to deal with incoming network traffic.
|
2016-01-21 08:28:30 +01:00
|
|
|
Index: b/sshd_config.5
|
|
|
|
|
===================================================================
|
|
|
|
|
--- a/sshd_config.5
|
|
|
|
|
+++ b/sshd_config.5
|
|
|
|
|
@@ -1574,6 +1574,18 @@ is enabled, you will not be able to run
|
2013-09-19 06:09:33 +02:00
|
|
|
as a non-root user.
|
|
|
|
|
The default is
|
|
|
|
|
.Dq no .
|
|
|
|
|
+.It Cm UsePAMCheckLocks
|
|
|
|
|
+When set to
|
|
|
|
|
+.Dq yes
|
|
|
|
|
+, the checks whether the account has been locked with
|
|
|
|
|
+.Pa passwd -l
|
|
|
|
|
+are performed even when PAM authentication is enabled via
|
|
|
|
|
+.Cm UsePAM .
|
|
|
|
|
+This is to ensure that it is not possible to log in with e.g. a
|
|
|
|
|
+public key (in such a case PAM is used only to set up the session and some PAM
|
|
|
|
|
+modules will not check whether the account is locked in this scenario). The
|
|
|
|
|
+default is
|
|
|
|
|
+.Dq no .
|
|
|
|
|
.It Cm UsePrivilegeSeparation
|
|
|
|
|
Specifies whether
|
|
|
|
|
.Xr sshd 8
|
