
nss-pam-ldapd commit: r1129 - in nss-pam-ldapd: man pam


nss-pam-ldapd commit: r1129 - in nss-pam-ldapd: man pam



Author: arthur
Date: Tue Jun  1 22:24:23 2010
New Revision: 1129
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1129

Log:
implement a nullok PAM option and disable empty passwords by default

Modified:
   nss-pam-ldapd/man/pam_ldap.8.xml
   nss-pam-ldapd/pam/pam.c

Modified: nss-pam-ldapd/man/pam_ldap.8.xml
==============================================================================
--- nss-pam-ldapd/man/pam_ldap.8.xml    Tue Jun  1 22:04:11 2010        (r1128)
+++ nss-pam-ldapd/man/pam_ldap.8.xml    Tue Jun  1 22:24:23 2010        (r1129)
@@ -90,6 +90,17 @@
    </varlistentry>
    <varlistentry>
     <term>
+     <option>nullok</option>
+    </term>
+    <listitem>
+     <para>
+      Specifying this option allows users to log in with a blank password.
+      Normally logins without a password are denied.
+     </para>
+    </listitem>
+   </varlistentry>
+   <varlistentry>
+    <term>
      <option>ignore_unknown_user</option>
     </term>
     <listitem>

Modified: nss-pam-ldapd/pam/pam.c
==============================================================================
--- nss-pam-ldapd/pam/pam.c     Tue Jun  1 22:04:11 2010        (r1128)
+++ nss-pam-ldapd/pam/pam.c     Tue Jun  1 22:24:23 2010        (r1129)
@@ -140,6 +140,7 @@
 struct pld_cfg {
   int use_first_pass;
   int try_first_pass;
+  int nullok;
   int no_warn;
   int ignore_unknown_user;
   int ignore_authinfo_unavail;
@@ -157,6 +158,7 @@
   /* initialise config with defaults */
   cfg->use_first_pass=0;
   cfg->try_first_pass=0;
+  cfg->nullok=0;
   cfg->no_warn=0;
   cfg->ignore_unknown_user=0;
   cfg->ignore_authinfo_unavail=0;
@@ -169,6 +171,8 @@
       cfg->use_first_pass=1;
     else if (strcmp(argv[i],"try_first_pass")==0)
       cfg->try_first_pass=1;
+    else if (strcmp(argv[i],"nullok")==0)
+      cfg->nullok=1;
     else if (strcmp(argv[i],"use_authtok")==0)
       /* ignore, this option is used by pam_get_authtok() internally */;
     else if (strcmp(argv[i],"no_warn")==0)
@@ -363,7 +367,13 @@
     rc=pam_get_item(pamh,PAM_AUTHTOK,(const void **)&passwd);
     if (rc!=PAM_SUCCESS)
       pam_syslog(pamh,LOG_ERR,"failed to get password: 
%s",pam_strerror(pamh,rc));
-    if (rc==PAM_SUCCESS)
+    else if (!cfg.nullok&&((passwd==NULL)||(passwd[0]=='\0')))
+    {
+      if (cfg.debug)
+        pam_syslog(pamh,LOG_DEBUG,"user has empty password, access denied");
+      rc=PAM_AUTH_ERR;
+    }
+    else
     {
       rc=nslcd_request_authc(pamh,ctx,&cfg,username,service,passwd);
       if (rc==PAM_SUCCESS)
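Review bot: The denial in the new `else if` branch is logged only when `cfg.debug` is set, so with default settings the module itself leaves no record that a login was refused for an empty password; consider logging it unconditionally at a level such as `LOG_NOTICE`. The text `"user has empty password, access denied"` also reads as if the account has no password, while the check is on the supplied token; `"empty password supplied, access denied"` would describe it more accurately. The same message is repeated in the password-change hunk at `@@ -557,6 +567,13 @@`. The enclosing function starts and ends outside the hunk.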
@@ -557,6 +567,13 @@
       if (rc!=PAM_SUCCESS)
         return rc;
     }
+    /* check for empty password */
+    if (!cfg.nullok&&((oldpassword==NULL)||(oldpassword[0]=='\0')))
+    {
+      if (cfg.debug)
+        pam_syslog(pamh,LOG_DEBUG,"user has empty password, access denied");
+      rc=PAM_AUTH_ERR;
+    }
     /* try authenticating */
     rc=nslcd_request_authc(pamh,ctx,&cfg,username,service,oldpassword);
     if (rc==PAM_SUCCESS)
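Review bot: The empty-password check added before `/* try authenticating */` has no effect, because `rc=PAM_AUTH_ERR;` is overwritten by the `rc=nslcd_request_authc(...)` call that follows, so an empty old password is still sent to nslcd even without `nullok`. The authentication hunk avoids this by placing the request in an `else` branch; here nothing stops the fall-through. Replace the assignment with `return PAM_AUTH_ERR;`, matching the `return rc;` a few lines above, or move the request into an `else`. The enclosing function starts and ends outside the hunk, so confirm that no cleanup has to run before an early return. Whether nslcd rejects an empty password on its own is not visible here, and some LDAP servers accept a simple bind with an empty password as an unauthenticated bind, so the guard should not depend on it.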