Date:      Sat, 28 Apr 2001 14:10:52 +0200
From:      Mark Murray <mark@grondar.za>
To:        Bruce Evans <bde@zeta.org.au>
Cc:        current@FreeBSD.org
Subject:   Re: PAMmed su still broken for passwordless accounts 
Message-ID:  <200104281209.f3SC9Jp13097@gratis.grondar.za>
In-Reply-To: <Pine.BSF.4.21.0104282059580.9562-100000@besplex.bde.org> ; from Bruce Evans <bde@zeta.org.au>  "Sat, 28 Apr 2001 21:50:33 +1000."
References:  <Pine.BSF.4.21.0104282059580.9562-100000@besplex.bde.org> 

> > Feature, not bug. PAM has been told to use "unix" authentication.
> 
> The bug turns out to be that PAM shouldn't have been told this.  The
> non-PAM case uses the following check to avoid checking for passwords
> on passwordless accounts:
> ---
> 		/* if target requires a password, verify it */
> 		if (*pwd->pw_passwd) {
> ---
> but the PAM case always calls pam_authenticate() (for non-root).

Right. To avoid a pam/other "turf" fight. I'll do the above until we
can fix the pams to allow a 'if no password, let him in' mode for
the pam_unix module.

> The first form is equivalent to making all accounts passwordless.  I don't
> see how changing the third word could affect this.

Er, yes :-) 

The pam modules need a mode for this. I'll do that.

> login(1) uses the same configuration as su(1) in pam.conf but handles
> passwordless accounts correctly.  In login.c, most of the complications
> for PAM authorization are in the auth_pam() function, and "goto
> ttycheck;" skips over all types of authorization when there is no
> password.  The corresponding code in su.c is a tangle of ifdefs and
> large inline code for PAM authorization.

I need to take out some of that #ifdef hell. For one, KERBEROS is no
longer needed. (fixed locally). WHEELSU needs to be properly documented.

M
-- 
Mark Murray
Warning: this .sig is umop ap!sdn
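
Added example, not part of the original message or of su.c: a C sketch of the two decision paths discussed in this thread, showing why a passwordless target passes the non-PAM check but is refused when every non-root caller is sent to the authenticator. The names su_decide_legacy, su_decide_pam, strict_verify and run_case are hypothetical, the verifier is a constructed stand-in for pam_authenticate(), and the root shortcut on the non-PAM path is an assumption.

```c
#include <pwd.h>
#include <stddef.h>
#include <sys/types.h>

enum su_decision { SU_ALLOW_NO_AUTH, SU_ALLOW_AUTH_OK, SU_DENY };
/* Hypothetical stand-in for the crypt(3) compare or pam_authenticate(). */
typedef int (*verify_fn)(const struct passwd *target, int *calls);

/* Non-PAM path from the thread: verify only when pw_passwd is non-empty.
 * The root shortcut is assumed to match the PAM path. */
enum su_decision
su_decide_legacy(uid_t ruid, const struct passwd *t, verify_fn verify, int *calls)
{
	if (ruid == 0)
		return SU_ALLOW_NO_AUTH;
	if (t->pw_passwd == NULL)	/* malformed entry: fail closed */
		return SU_DENY;
	if (*t->pw_passwd == '\0')	/* passwordless: nothing to verify */
		return SU_ALLOW_NO_AUTH;
	return verify(t, calls) ? SU_ALLOW_AUTH_OK : SU_DENY;
}

/* PAM path as described: every non-root caller reaches the verifier. */
enum su_decision
su_decide_pam(uid_t ruid, const struct passwd *t, verify_fn verify, int *calls)
{
	if (ruid == 0)
		return SU_ALLOW_NO_AUTH;
	return verify(t, calls) ? SU_ALLOW_AUTH_OK : SU_DENY;
}

/* Constructed verifier: no "empty password is fine" mode; otherwise it
 * pretends the caller typed the correct password. */
int
strict_verify(const struct passwd *t, int *calls)
{
	(*calls)++;
	return t->pw_passwd != NULL && *t->pw_passwd != '\0';
}

/* Run one constructed case; stored is the target's pw_passwd field. */
enum su_decision
run_case(int pam_style, uid_t ruid, const char *stored, int *calls)
{
	struct passwd t = {0};
	t.pw_passwd = (char *)stored;
	return (pam_style ? su_decide_pam : su_decide_legacy)(ruid, &t, strict_verify, calls);
}

int main(void) { int n = 0; return run_case(1, 1001, "", &n) == SU_DENY ? 0 : 1; }
```

The "if no password, let him in" mode proposed in the reply would move the empty-field shortcut from the caller into the module, so su and login would no longer need their own checks.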
