Message-ID: <9e35b8cb-e5de-bdb5-c2da-cee44e18683c@yahoo.com>
Date: Wed, 26 Apr 2023 08:25:57 +0200
Subject: Fwd: Interacting with PAM issues
From: Mikhail Zakharov
To: freebsd-hackers@FreeBSD.org
In-Reply-To: <31aa9f0f-44d9-fb61-2eb3-36af63ce9ed7@yahoo.com>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
FWD to record the solution in the history of the maillist.

Exactly what is required, for the exact mentioned purpose of a terminal
screenlocker application: https://github.com/mezantrop/sclocka.

Thank you again!

Best,
M

On 4/25/2023 9:20 PM, Jesper Schmitz Mouridsen wrote:
> Hi
>
> Yes, for pam_unix.so root is always required.
>
> The following gives some background info and might help you
>
> https://github.com/Zirias/unix-selfauth-helper
>
> ported in security/unix-selfauth-helper
>
> On 25.04.2023 20.50, Mikhail Zakharov wrote:
>> Wow! Thanks Jesper, it really works as root!
>>
>> But I'd like to avoid running as root. The goal is to re-check the
>> user's password to ensure this is still the same user working on. I
>> looked through https://docs.freebsd.org/en/articles/pam/ and
>> unfortunately didn't see anything appropriate except pam_unix. So, am
>> I doomed to SUID?
>>
>> Best,
>>
>> M
>>
>> On 4/25/2023 8:12 PM, Jesper Schmitz Mouridsen wrote:
>>> Hi
>>>
>>> If I am not mistaken, pam_unix.so requires root, so try to run your
>>> program as root.
>>>
>>> On 25.04.2023 20.05, Mikhail Zakharov wrote:
>>>> No, just a common user, id 1001
>>>>
>>>> On 4/25/2023 8:01 PM, Jesper Schmitz Mouridsen wrote:
>>>>>
>>>>> On 25.04.2023 19.26, Mikhail Zakharov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to write a custom PAM conversation function and
>>>>>> perform authentication (re-check password) for my already logged
>>>>>> in user. Below is the function:
>>>>>>
>>>>>> #include <security/pam_appl.h>
>>>>>> #include <stdio.h>
>>>>>> #include <stdlib.h>
>>>>>> #include <string.h>
>>>>>> #include <unistd.h>
>>>>>>
>>>>>> /* passwd: global char * holding the password collected earlier
>>>>>>    by the program (declaration not shown) */
>>>>>>
>>>>>> int pam_conv(int n, const struct pam_message **msg,
>>>>>>              struct pam_response **resp, void *data)
>>>>>> {
>>>>>>     struct pam_response *pr;
>>>>>>     int i;
>>>>>>
>>>>>>     (void)data;                 /* appdata_ptr is not used here */
>>>>>>
>>>>>>     if (n <= 0 || n > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;
>>>>>>     if ((pr = calloc(n, sizeof(*pr))) == NULL) return PAM_BUF_ERR;
>>>>>>
>>>>>>     for (i = 0; i < n; i++) {
>>>>>>         pr[i].resp = NULL;
>>>>>>         pr[i].resp_retcode = 0;
>>>>>>         switch (msg[i]->msg_style) {
>>>>>>             case PAM_PROMPT_ECHO_OFF:
>>>>>>             case PAM_PROMPT_ECHO_ON:
>>>>>>                 /* The module asks for a password: hand it a
>>>>>>                    heap copy, PAM frees the responses later */
>>>>>>                 pr[i].resp = strdup(passwd);
>>>>>>                 break;
>>>>>>             case PAM_ERROR_MSG:             /* Do we need this? */
>>>>>>             case PAM_TEXT_INFO:
>>>>>>                 fprintf(stderr, "\n\r%s\n", msg[i]->msg);
>>>>>>                 break;
>>>>>>             default:
>>>>>>                 /* Clear possible passwords in responses; then
>>>>>>                    free memory */
>>>>>>                 for (i = 0; i < n; i++)
>>>>>>                     if (pr[i].resp) {
>>>>>>                         memset(pr[i].resp, 0, strlen(pr[i].resp));
>>>>>>                         free(pr[i].resp);
>>>>>>                     }
>>>>>>                 free(pr);
>>>>>>                 *resp = NULL;
>>>>>>                 return PAM_CONV_ERR;
>>>>>>         }
>>>>>>     }
>>>>>>     *resp = pr;
>>>>>>     return PAM_SUCCESS;
>>>>>> }
>>>>>>
>>>>>> And that's how I call it:
>>>>>>
>>>>>> int pam_auth(char *user)
>>>>>> {
>>>>>>     static pam_handle_t *pamh;
>>>>>>     static struct pam_conv pamc;
>>>>>>     int rval;
>>>>>>     char *tty_name;
>>>>>>
>>>>>>     pamc.conv = &pam_conv;
>>>>>>     /* Pretend we want login service */
>>>>>>     rval = pam_start("login", user, &pamc, &pamh);
>>>>>>     if (rval != PAM_SUCCESS) return 1;  /* no handle to pam_end() */
>>>>>>
>>>>>>     tty_name = ttyname(STDIN_FILENO);
>>>>>>     rval = pam_set_item(pamh, PAM_TTY, tty_name);
>>>>>>     if (rval == PAM_SUCCESS) rval = pam_authenticate(pamh, 0);
>>>>>>
>>>>>>     /* Always release the handle, whatever the outcome */
>>>>>>     pam_end(pamh, rval);
>>>>>>     pamh = NULL;
>>>>>>
>>>>>>     return rval == PAM_SUCCESS ? 0 : 1;
>>>>>> }
>>>>>>
>>>>>> Well, PAM "login" allows logging in as the same user without
>>>>>> checking a password:
>>>>>>
>>>>>> # auth
>>>>>> auth            sufficient      pam_self.so no_warn
>>>>>> auth            include         system
>>>>>>
>>>>>> When trying other services, e.g. "system", "ssh", "other",
>>>>>> pam_authenticate() returns Authentication error, PAM error 9.
>>>>>>
>>>>>> What do I do wrong? Surprisingly, I do not see the same issue on
>>>>>> Mac and CentOS.
>>>>>>
>>>>>> Best, Mikhail Zakharov
>>>>>>
>>>>>>
>>>>> Hi
>>>>> Do you run it as root?
>>>>>
>>>>>
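The policy lines quoted in the thread explain what Mikhail saw: pam_self(8) succeeds whenever the account being authenticated is the one the process already runs as, so a program that re-checks its own user through the "login" service returns success before pam_unix is ever consulted, and the password is never verified. Below is an added example (not from the thread, not from sclocka or unix-selfauth-helper) of a dedicated PAM policy for such a program, with and without root; the service name, the helper path and the pam_exec options are assumptions to be checked against pam_exec(8) and the port's pkg-message.

```pam
# /usr/local/etc/pam.d/sclocka  -- constructed example; service name assumed.
# Deliberately no pam_self: a re-check of the *same* user must reach a
# module that actually verifies the password, so the "sufficient" shortcut
# present in the login policy is left out.

# --- Option 1: the program runs as root (or setuid root) --------------------
# pam_unix can read the hashes in master.passwd only with root privileges,
# which is why the unprivileged run in the thread got PAM error 9.
auth     required   pam_unix.so    no_warn try_first_pass
account  required   pam_unix.so

# --- Option 2: unprivileged program ----------------------------------------
# security/unix-selfauth-helper ships a setuid helper that checks the hash
# on the caller's behalf; pam_exec hands it the typed password on stdin.
# Helper path and option names below are assumptions; confirm them locally.
# auth     required   pam_exec.so  return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper
# account  required   pam_unix.so
```

Use exactly one of the two auth stacks in the real file; with Option 2 the locker itself never needs elevated privileges, which is the outcome the thread was after.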