From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 194604] [libpam] [patch] pam_unix doesn't allow validation of own password
Date: Tue, 28 Oct 2014 13:07:41 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: conrad.meyer@isilon.com
X-Bugzilla-Status: In Discussion
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194604

--- Comment #8 from Conrad Meyer ---
(In reply to Dag-Erling Smørgrav from comment #7)
> If you feel like writing your own version and are comfortable releasing it
> under the three-clause BSD license, I may include it in OpenPAM.

Sure. The helper source file in the attached patch is 2-clause BSD; 3-clause
is fine. (The attached patch also has one manual page derived from Linux-PAM,
which is 3-clause BSD.)

> It won't
> be available in FreeBSD until 10.2 at the earliest, more likely 11, but we
> can easily make a port to install it on systems that don't have it in base.

CURRENT is what I care about, that is fine.

> BTW, this

My initial patch, kcheckpass, or something else you're proposing?

> is vastly more flexible than the Linux-PAM solution, as the latter
> will only work for users with traditional password hashes available through
> NSS, not for users who authenticate through Kerberos, RADIUS or some other
> remote method.

If we're talking about the attached patch, it only modifies pam_unix and only
checks for passwords available through getpwnam(3). My read of that man page
was that it was only for local hashes.

And of course, if a pam_unix is disabled in a PAM configuration, it won't be
run at all which may be surprising if it is expected to check remote passwords.

I'm happy to rework this in another way! Just let me know how you would like
it to look and function, or anything I can do to help.

Thanks.