File openssh-7.2p2-pam_check_locks.patch of Package openssh.29886
From 9cf0d040450e42746d727eb5b3d293bb8fddebf8 Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Tue, 25 Oct 2022 18:53:18 +0200
Subject: [PATCH] openssh-7.2p2-pam_check_locks
# HG changeset patch
# Parent ac7f843cd7ebec413691d51823cdc67b611abdff
Add a new option, UsePAMCheckLocks, that enforces checking for locked accounts even while
UsePAM is in use.
bnc#708678, FATE#312033
---
auth.c | 4 ++--
servconf.c | 10 +++++++++-
servconf.h | 1 +
sshd_config.0 | 8 ++++++++
sshd_config.5 | 12 ++++++++++++
5 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/auth.c b/auth.c
index 214c2c70..407f8ece 100644
--- a/auth.c
+++ b/auth.c
@@ -109,7 +109,7 @@ allowed_user(struct passwd * pw)
return 0;
#ifdef USE_SHADOW
- if (!options.use_pam)
+ if (!options.use_pam || options.use_pam_check_locks)
spw = getspnam(pw->pw_name);
#ifdef HAS_SHADOW_EXPIRE
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
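Review bot: The expiry check on the last hunk line is still gated on `!options.use_pam` alone, so with UsePAM and UsePAMCheckLocks both set sshd now reads the shadow entry but still skips its own `auth_shadow_acctexpired()` test and leaves expiry to PAM. That matches the option's name and the manpage text, which only promise the `passwd -l` lock check, but a reader of this condition will wonder why the two guards differ. A one-line comment above the expiry check would settle it: `/* UsePAMCheckLocks only covers lock status; account expiry is left to PAM when UsePAM is on */`. The rest of allowed_user, including where spw's password field is copied into passwd, lies outside this hunk.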
@@ -129,7 +129,7 @@ allowed_user(struct passwd * pw)
#endif
/* check for locked account */
- if (!options.use_pam && passwd && *passwd) {
+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
int locked = 0;
#ifdef LOCKED_PASSWD_STRING
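Review bot: The predicate `!options.use_pam || options.use_pam_check_locks` is now spelled out twice in allowed_user (here and in the getspnam guard of the previous hunk), which invites the two to drift apart on a later edit. Hoisting it once near the top of the `#ifdef USE_SHADOW` section, `int check_locks = !options.use_pam || options.use_pam_check_locks;`, and using `check_locks` in both conditions keeps the lock-check policy in one place. The body of the locked-account check continues past the end of this hunk.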
diff --git a/servconf.c b/servconf.c
index 5b16c32a..cb1d93f9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -74,6 +74,7 @@ initialize_server_options(ServerOptions *options)
/* Portable-specific options */
options->use_pam = -1;
+ options->use_pam_check_locks = -1;
/* Standard Options */
options->num_ports = 0;
@@ -200,6 +201,8 @@ fill_default_server_options(ServerOptions *options)
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
+ if (options->use_pam_check_locks == -1)
+ options->use_pam_check_locks = 0;
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
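Review bot: The new default is set without a note that the option only has an effect when UsePAM is yes; with use_pam == 0 the `!options.use_pam ||` short-circuit in auth.c already performs the shadow checks, so UsePAMCheckLocks is a no-op there. A comment on the added default, `/* only meaningful with UsePAM yes; otherwise the shadow checks run anyway */`, would save the next maintainer from reading auth.c to learn that.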
@@ -396,7 +399,7 @@ fill_default_server_options(ServerOptions *options)
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sUsePAM,
+ sUsePAM, sUsePAMChecklocks,
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
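Review bot: The enumerator is named `sUsePAMChecklocks`, but the keyword it represents is `UsePAMCheckLocks` (capital L) and the field is `use_pam_check_locks`; every other enumerator in this list mirrors its keyword's capitalisation, e.g. `sUsePAM`. Renaming to `sUsePAMCheckLocks` here, and correspondingly in the keywords table and the `process_server_config_line` switch hunks below, keeps the three spellings aligned and grep-able.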
@@ -446,8 +449,10 @@ static struct {
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
@@ -1010,6 +1015,9 @@ process_server_config_line(ServerOptions *options, char *line,
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
+ case sUsePAMChecklocks:
+ intptr = &options->use_pam_check_locks;
+ goto parse_flag;
/* Standard Options */
case sBadOption:
diff --git a/servconf.h b/servconf.h
index f4137af7..92f8f365 100644
--- a/servconf.h
+++ b/servconf.h
@@ -172,6 +172,7 @@ typedef struct {
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+ int use_pam_check_locks; /* internally check for locked accounts even when using PAM */
int permit_tun;
diff --git a/sshd_config.0 b/sshd_config.0
index 7b5b29ed..5d664bab 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -951,6 +951,14 @@ DESCRIPTION
If UsePAM is enabled, you will not be able to run sshd(8) as a
non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
+ UsePAMCheckLocks
+ When set to ``yes'', the checks whether the account has been
+ locked with `passwd -l' are performed even when PAM authentication
+ is enabled via UsePAM. This is to ensure that it is not possible
+ to log in with e.g. a public key (in such a case PAM is used only
+ to set up the session and some PAM modules will not check whether
+ the account is locked in this scenario). The default is ``no''.
+
UsePrivilegeSeparation
Specifies whether sshd(8) separates privileges by creating an
unprivileged child process to deal with incoming network traffic.
diff --git a/sshd_config.5 b/sshd_config.5
index 0d8e5267..d819d9c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1583,6 +1583,18 @@ is enabled, you will not be able to run
as a non-root user.
The default is
.Dq no .
+.It Cm UsePAMCheckLocks
+When set to
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is
+.Dq no .
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
--
2.38.0