[Bug 194604] [libpam] [patch] pam_unix doesn't allow validation of own password
bugzilla-noreply at freebsd.org
Tue Oct 28 13:07:41 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194604
--- Comment #8 from Conrad Meyer <conrad.meyer at isilon.com> ---
(In reply to Dag-Erling Smørgrav from comment #7)

> If you feel like writing your own version and are comfortable releasing it
> under the three-clause BSD license, I may include it in OpenPAM.

Sure. The helper source file in the attached patch is 2-clause BSD; 3-clause is
fine. (The attached patch also has one manual page derived from Linux-PAM,
which is 3-clause BSD.)

> It won't
> be available in FreeBSD until 10.2 at the earliest, more likely 11, but we
> can easily make a port to install it on systems that don't have it in base.

CURRENT is what I care about; that is fine.

> BTW, this

My initial patch, kcheckpass, or something else you're proposing?

> is vastly more flexible than the Linux-PAM solution, as the latter
> will only work for users with traditional password hashes available through
> NSS, not for users who authenticate through Kerberos, RADIUS or some other
> remote method.

If we're talking about the attached patch, it only modifies pam_unix and only
checks for passwords available through getpwnam(3). My read of that man page
was that it was only for local hashes.

And of course, if pam_unix is disabled in a PAM configuration, it won't be
run at all, which may be surprising if it is expected to check remote passwords.

I'm happy to rework this in another way! Just let me know how you would like it
to look and function, or anything I can do to help.

Thanks.