pam_lastlog
Arthur Mesh
amesh at juniper.net
Wed Jul 23 19:15:46 UTC 2014
Greetings,
At Juniper Networks, we have a concept of "template" system users, where
actual users of the system are defined on remote authentication servers
such as RADIUS or TACACS+. These users are mapped to a single locally
defined user (called the template user). Such a mapping makes it easier for
sysadmins to manage a large number of deployed systems, etc. using readily
available RADIUS/TACACS+ deployments.
Most of the glue to make this 1:N mapping work is done via various
changes to various PAM modules. While reading some existing PAM modules
used by FreeBSD, we came across pam_lastlog.so (session management
module responsible for updating accounting database (utmpx)) that does
something curious.
Prior to doing its thing, pam_lastlog always ensures that the username in
question exists in the password database. Given that session management
happens only after authentication (pam_authenticate(3)) has succeeded
and the account has been validated (pam_acct_mgmt(3)), this seems like a
layering violation. Thoughts?
Here is a proposed change that adds a knob to disable this lookup:
Index: lib/libpam/modules/pam_lastlog/pam_lastlog.8
===================================================================
--- lib/libpam/modules/pam_lastlog/pam_lastlog.8 (revision 282460)
+++ lib/libpam/modules/pam_lastlog/pam_lastlog.8 (working copy)
@@ -81,6 +81,8 @@
suppress warning messages to the user.
.It Cm no_fail
Ignore I/O failures.
+.It Cm no_user_lookup
+Skip looking up user account.
.El
.Sh SEE ALSO
.Xr last 1 ,
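Review bot: the new `.It Cm no_user_lookup` entry should say what the option is for and what it gives up, not just "Skip looking up user account." With the option set, the module records whatever name pam_get_user(3) returns into the accounting database without checking that it exists in the password database, so the entry should state that it is intended for setups where the name has already been validated by an earlier authentication or account-management module (for example, users mapped onto a template account by a remote authentication server), and that it should not be set otherwise. A sentence such as "Do not look the user up in the password database before recording the session; use only when an earlier module has already validated the user name." would make the trade-off clear to an administrator reading the manual page.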
Index: lib/libpam/modules/pam_lastlog/pam_lastlog.c
===================================================================
--- lib/libpam/modules/pam_lastlog/pam_lastlog.c (revision 282460)
+++ lib/libpam/modules/pam_lastlog/pam_lastlog.c (working copy)
@@ -68,7 +68,6 @@
pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc __unused, const char *argv[] __unused)
{
- struct passwd *pwd;
struct utmpx *utx, utl;
time_t t;
const char *user;
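Review bot: dropping `struct passwd *pwd;` is consistent with the later hunk, which discards the getpwnam(3) result instead of storing it; please confirm that no other use of `pwd` remains further down in pam_sm_open_session beyond the context shown here, otherwise the build will fail with an undeclared identifier.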
@@ -79,8 +78,11 @@
pam_err = pam_get_user(pamh, &user, NULL);
if (pam_err != PAM_SUCCESS)
return (pam_err);
- if (user == NULL || (pwd = getpwnam(user)) == NULL)
+ if (user == NULL)
return (PAM_SERVICE_ERR);
+ if (openpam_get_option(pamh, "no_user_lookup") == NULL &&
+ getpwnam(user) == NULL)
+ return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
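Review bot: the split into two checks is correct, but the skipped-lookup path should be visible in the log and the failure reason preserved. When `no_user_lookup` is set, nothing in this hunk records that the password-database check was bypassed; adding a `PAM_LOG("Skipping user lookup for: %s", user);` branch would make it obvious from the debug output why a name that has no local account ended up in utmpx. Independently of the new option, returning `PAM_SERVICE_ERR` for a user that getpwnam(3) does not know is pre-existing behaviour, but since the check is being touched it is worth considering `PAM_USER_UNKNOWN` there so callers can tell "no such user" apart from a genuine module error. Finally, the two `if` statements could be folded into one condition for readability, e.g. `if (openpam_get_option(pamh, "no_user_lookup") == NULL && getpwnam(user) == NULL)` directly after the `user == NULL` test, matching the style of the surrounding code.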
--
Arthur Mesh <amesh at juniper.net>
Juniper Networks
+1 408 936-4968