From owner-freebsd-current Sat Apr 28 5: 9:48 2001
Delivered-To: freebsd-current@freebsd.org
Received: from gratis.grondar.za (grouter.grondar.za [196.7.18.65]) by hub.freebsd.org (Postfix) with ESMTP id 452E037B422 for ; Sat, 28 Apr 2001 05:09:41 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grondar.za (gratis.grondar.za [196.7.18.133]) by gratis.grondar.za (8.11.3/8.11.3) with ESMTP id f3SC9Jp13097; Sat, 28 Apr 2001 14:09:21 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <200104281209.f3SC9Jp13097@gratis.grondar.za>
To: Bruce Evans
Cc: current@FreeBSD.org
Subject: Re: PAMmed su still broken for passwordless accounts
References:
In-Reply-To: ; from Bruce Evans "Sat, 28 Apr 2001 21:50:33 +1000."
Date: Sat, 28 Apr 2001 14:10:52 +0200
From: Mark Murray
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > Feature, not bug. PAM has been told to use "unix" authentication.
>
> The bug turns out to be that PAM shouldn't have been told this. The
> non-PAM case uses the following check to avoid checking for passwords
> on passwordless accounts:
> ---
> /* if target requires a password, verify it */
> if (*pwd->pw_passwd) {
> ---
> but the PAM case always calls pam_authenticate() (for non-root).

Right. To avoid a pam/other "turf" fight. I'll do the above until we can
fix the pams to allow a 'if no password, let him in' mode for the pam_unix
module.

> The first form is equivalent to making all accounts passwordless. I don't
> see how changing the third word could affect this.

Er, yes :-) The pam modules need a mode for this. I'll do that.

> login(1) uses the same configuration as su(1) in pam.conf but handles
> passwordless accounts correctly. In login.c, most of the complications
> for PAM authorization are in the auth_pam() function, and "goto
> ttycheck;" skips over all types of authorization when there is no
> password. The corresponding code in su.c is a tangle of ifdefs and
> large inline code for PAM authorization.
I need to take out some of that #ifdef hell. For one, KERBEROS is no longer
needed. (fixed locally). WHEELSU needs to be properly documented.

M
--
Mark Murray
Warning: this .sig is umop ap!sdn
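The thread turns on one check: the non-PAM su(1) path skips authentication entirely when `*pwd->pw_passwd` is empty, so any account with an empty password field is reachable with no credential at all. The audit a defender wants alongside that discussion is a scan for such accounts. The program below is an added example, not code from the thread or from FreeBSD's su.c or login.c; it parses constructed master.passwd-style lines (the sample entries, the hash strings and the function names `password_field_empty` and `count_passwordless` are all assumptions of this example) and reports every account whose password field is empty, treating `*` and other non-empty markers as "password required", exactly as the quoted check would.

```c
/* Added example (not from the mailing-list thread): audit passwd-style
 * lines for accounts whose password field is empty. An empty field is what
 * the quoted su(1) check `if (*pwd->pw_passwd)` treats as "no password
 * required", so such accounts deserve review. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed sample in master.passwd field order:
 * name:password:uid:gid:class:change:expire:gecos:home:shell
 * The hash on the root line is a placeholder, not a real hash. */
static const char *sample_lines[] = {
    "root:$1$placeholder$notarealhash:0:0::0:0:Charlie &:/root:/bin/csh",
    "guest::1001:1001::0:0:Guest account:/home/guest:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
    "builder::1002:1002::0:0:Build user:/home/builder:/bin/sh",
    NULL
};

/* Returns 1 if the second colon-separated field of line is empty, 0 if it
 * is non-empty (a hash, "*", "!" ...), and -1 if the line has no colon at
 * all. If name is non-NULL, the account name (first field) is copied into
 * it, truncated to namelen-1 bytes. */
int password_field_empty(const char *line, char *name, size_t namelen)
{
    const char *c1 = strchr(line, ':');
    if (c1 == NULL)
        return -1;                      /* malformed: no fields */
    if (name != NULL && namelen > 0) {
        size_t n = (size_t)(c1 - line);
        if (n >= namelen)
            n = namelen - 1;
        memcpy(name, line, n);
        name[n] = '\0';
    }
    const char *field = c1 + 1;         /* start of the password field */
    const char *c2 = strchr(field, ':');
    size_t flen = c2 ? (size_t)(c2 - field) : strlen(field);
    return flen == 0 ? 1 : 0;
}

/* Walks a NULL-terminated array of lines, prints each passwordless account
 * name, and returns how many were found. Malformed lines are skipped. */
int count_passwordless(const char *const *lines)
{
    int count = 0;
    char name[64];
    for (; *lines != NULL; lines++) {
        int r = password_field_empty(*lines, name, sizeof name);
        if (r == 1) {
            printf("passwordless account: %s\n", name);
            count++;
        } else if (r < 0) {
            fprintf(stderr, "skipping malformed line: %s\n", *lines);
        }
    }
    return count;
}

int main(void)
{
    int n = count_passwordless(sample_lines);
    printf("%d passwordless account(s) found\n", n);
    /* Non-zero exit when findings exist, so the check can gate a script. */
    return n > 0 ? 1 : 0;
}
```

On the constructed sample the scan reports `guest` and `builder`; `daemon` is not flagged because `*` is a non-empty field and therefore still goes through (and fails) authentication, and `root` has a hash. Pointing the same parser at a real master.passwd dump lists exactly the accounts that the non-PAM su(1) path would admit without any password prompt.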