File openssh-7.7p1-pam_check_locks.patch of Package openssh

# HG changeset patch
# Parent  089f4fba0112d410a1bfa74398941f076681d446
new option UsePAMCheckLocks to enforce checking for locked accounts while
UsePAM is used

bnc#708678, FATE#312033

Index: openssh-8.8p1/auth.c
===================================================================
--- openssh-8.8p1.orig/auth.c
+++ openssh-8.8p1/auth.c
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
 	if (!pw || !pw->pw_name)
 		return 0;
 
-	if (!options.use_pam && platform_locked_account(pw)) {
+	if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
 		logit("User %.100s not allowed because account is locked",
 		    pw->pw_name);
 		return 0;
#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
# #endif
# 
# 	/* check for locked account */
#-	if (!options.use_pam && passwd && *passwd) {
#+	if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
# 		int locked = 0;
# 
# #ifdef LOCKED_PASSWD_STRING
Index: openssh-8.8p1/servconf.c
===================================================================
--- openssh-8.8p1.orig/servconf.c
+++ openssh-8.8p1/servconf.c
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
 	/* Portable-specific options */
 	options->use_pam = -1;
 	options->pam_service_name = NULL;
+	options->use_pam_check_locks = -1;
 
 	/* Standard Options */
 	options->num_ports = 0;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
 		options->use_pam = 0;
 	if (options->pam_service_name == NULL)
 		options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
+	if (options->use_pam_check_locks == -1)
+		options->use_pam_check_locks = 0;
 
 	/* Standard Options */
 	if (options->num_host_key_files == 0) {
@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption
 typedef enum {
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
-	sUsePAM, sPAMServiceName,
+	sUsePAM, sPAMServiceName, sUsePAMChecklocks,
 	/* Standard Options */
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -535,9 +538,11 @@ static struct {
 #ifdef USE_PAM
 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
 	{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
+	{ "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
 	{ "pamservicename", sUnsupported, SSHCFG_ALL },
+	{ "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
 		if (*activep && *charptr == NULL)
 			*charptr = xstrdup(arg);
 		break;
+	case sUsePAMChecklocks:
+		intptr = &options->use_pam_check_locks;
+		goto parse_flag;
 
 	/* Standard Options */
 	case sBadOption:
Index: openssh-8.8p1/servconf.h
===================================================================
--- openssh-8.8p1.orig/servconf.h
+++ openssh-8.8p1/servconf.h
@@ -200,6 +200,7 @@ typedef struct {
 
 	int	use_pam;		/* Enable auth via PAM */
	char   *pam_service_name;
+	int	use_pam_check_locks;	/* internally check for locked accounts even when using PAM */
 
 	int	permit_tun;
 
Index: openssh-8.8p1/sshd_config.0
===================================================================
--- openssh-8.8p1.orig/sshd_config.0
+++ openssh-8.8p1/sshd_config.0
@@ -1074,6 +1074,14 @@ DESCRIPTION
              If UsePAM is enabled, you will not be able to run sshd(8) as a
              non-root user.  The default is no.
 
+     UsePAMCheckLocks
+             When set to ``yes'', the checks whether the account has been
+             locked with `passwd -l' are performed even when PAM authentication
+             is enabled via UsePAM.  This is to ensure that it is not possible
+             to log in with e.g. a public key (in such a case PAM is used only
+             to set up the session and some PAM modules will not check whether
+             the account is locked in this scenario). The default is ``no''.
+
      VersionAddendum
              Optionally specifies additional text to append to the SSH
              protocol banner sent by the server upon connection.  The default
Index: openssh-8.8p1/sshd_config.5
===================================================================
--- openssh-8.8p1.orig/sshd_config.5
+++ openssh-8.8p1/sshd_config.5
@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run
 as a non-root user.
 The default is
 .Cm no .
+.It Cm UsePAMCheckLocks
+When set to 
+.Dq yes
+, the checks whether the account has been locked with
+.Pa passwd -l
+are performed even when PAM authentication is enabled via 
+.Cm UsePAM .
+This is to ensure that it is not possible to log in with e.g. a
+public key (in such a case PAM is used only to set up the session and some PAM
+modules will not check whether the account is locked in this scenario). The
+default is 
+.Dq no .
 .It Cm VersionAddendum
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
openSUSE Build Service is sponsored by