fix pam authorization (#19040) (#19047)

Backport #19040 

The PAM module has previously only checked the results of the authentication module.

However, in normal PAM practice most users will expect account module authorization to also be checked. Without doing this check in almost every configuration expired accounts and accounts with expired passwords will still be able to login.

This is likely to represent a significant gotcha in most configurations and cause most users configurations to be potentially insecure. Therefore we should add in the account authorization check.

## ⚠️ **BREAKING** ⚠️ 

Users of the PAM module who rely on account modules not being checked will need to change their PAM configuration.

However, as it is likely that the vast majority of users of PAM will be expecting account authorization to be checked in addition to authentication we should make this breaking change to make the default behaviour correct for the majority.

---

I suggest we backport this despite the BREAKING nature because of the surprising nature of this.

Thanks to @ysf for bringing this to our attention.


Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: ysf <34326+ysf@users.noreply.github.com>
This commit is contained in:
6543 2022-03-10 09:15:35 +01:00 committed by GitHub
parent 4047c5c068
commit 3e5c844a77
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -36,6 +36,10 @@ func Auth(serviceName, userName, passwd string) (string, error) {
return "", err return "", err
} }
if err = t.AcctMgmt(0); err != nil {
return "", err
}
// PAM login names might suffer transformations in the PAM stack. // PAM login names might suffer transformations in the PAM stack.
// We should take whatever the PAM stack returns for it. // We should take whatever the PAM stack returns for it.
return t.GetItem(pam.User) return t.GetItem(pam.User)