On 2016-08-19 22:10:36, Antoine Beaupré wrote:
> I would like to do an NMU for this to deploy this change, any objections?
Here's the debdiff of the package I would upload:
diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/changelog --- oath-toolkit-2.6.1/debian/changelog 2015-07-31 17:10:44.000000000 -0400 +++ oath-toolkit-2.6.1/debian/changelog 2016-08-20 09:53:10.000000000 -0400 @@ -1,3 +1,10 @@ +oath-toolkit (2.6.1-1.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * patch: fail gracefully for missing users (Closes: #807990) + + -- Antoine Beaupré <anar...@debian.org> Sat, 20 Aug 2016 09:51:41 -0400 + oath-toolkit (2.6.1-1) unstable; urgency=low * New upstream release. diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch --- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch 1969-12-31 19:00:00.000000000 -0500 +++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch 2016-08-20 09:53:10.000000000 -0400 
@@ -0,0 +1,83 @@ +From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> +Date: Mon, 1 Aug 2016 12:25:10 -0400 +Subject: [PATCH] fail gracefully for missing users + +when the pam module is enabled, it forces *all* users to immediately +start using OATH, or they can't login at all. + +a more progressive approach would seem more reasonable to me, +especially since each user need to get an admin user to update the +central file for them. + +this patch adds an early check to the users file and makes sure the +user exists before prompting for a password. + +if the user is missing, it exits early with a standard error code +(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration +(as shown in the README file). this leaves the policy decision up to +the admin (and defaults to "fail closed"). + +if the user is present, the code path remains the same except the +usersfile is scanned twice, which may be a performance penalty on very +slow filesystems or very large files. the only workaround I can think +of for this would be to load the whole file into memory, but this +could have significant memory impact on large files. + +the function used (`oath_authenticate_usersfile`) is a little overkill +as it actually goes and tries to authenticate the user with an empty +password. this is harmless because the file isn't updated if the OTP +is incorrect and because no warning is sent to syslog. 
+ +a possible improvement on this would be to have a warning shown to the +user inciting them to configure OATH or to warn them about a possible +typo in their username before they enter their regular passphrase +--- + pam_oath/README | 2 +- + pam_oath/pam_oath.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/pam_oath/README b/pam_oath/README +index bef4265..24b9f8b 100644 +--- a/pam_oath/README ++++ b/pam_oath/README +@@ -23,7 +23,7 @@ window open before making any changes! + + --------- + # head -1 /etc/pam.d/su +-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20 ++auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20 + # + --------- + +diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c +index 2820318..25a3452 100644 +--- a/pam_oath/pam_oath.c ++++ b/pam_oath/pam_oath.c +@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh, + } + DBG (("get user returned: %s", user)); + ++ // quick check to skip unconfigured users before prompting for password ++ { ++ time_t last_otp; ++ otp[0] = '\0'; ++ rc = oath_authenticate_usersfile (cfg.usersfile, ++ user, ++ otp, cfg.window, onlypasswd, &last_otp); ++ ++ DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc, ++ oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN", ++ oath_strerror (rc), ctime (&last_otp))); ++ if (rc == OATH_UNKNOWN_USER) ++ { ++ return PAM_USER_UNKNOWN; ++ } ++ } ++ + if (cfg.try_first_pass || cfg.use_first_pass) + { + retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); +-- +2.1.4 + diff -Nru oath-toolkit-2.6.1/debian/patches/series oath-toolkit-2.6.1/debian/patches/series --- oath-toolkit-2.6.1/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ oath-toolkit-2.6.1/debian/patches/series 2016-08-20 09:53:10.000000000 -0400 @@ -0,0 +1 @@ +0001-fail-gracefully-for-missing-users.patch
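Review bot: the new entry in the debian/changelog hunk targets UNRELEASED; for the NMU to be accepted into the archive the distribution field has to be `unstable`, as the previous entry already uses, so change `oath-toolkit (2.6.1-1.1) UNRELEASED; urgency=medium` before uploading. The NMU version `2.6.1-1.1`, the "Non-maintainer upload." line and the `(Closes: #807990)` reference look right.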
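Review bot: replacing `requisite` with `[user_unknown=ignore success=ok]` in the pam_oath/README hunk changes more than the unknown-user case: every result other than success or user_unknown now falls under the implicit `default=bad`, which records the failure but lets the remaining modules in the stack run, whereas `requisite` stopped the stack at once (`default=die`). If wrong OTPs should still abort the stack, document `[user_unknown=ignore success=ok default=die]` instead, or add a sentence to the README saying the example now behaves like `required` for everything except unknown users.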
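Review bot: in the pam_oath/pam_oath.c hunk, `last_otp` is declared without an initializer and handed to `ctime (&last_otp)` in the DBG call before `rc` is examined, so on the OATH_UNKNOWN_USER path this block exists for there is no matching usersfile record to have filled it in and the debug log prints an indeterminate value. Initialize it (`time_t last_otp = 0;`) or move the DBG after the `rc == OATH_UNKNOWN_USER` check. A short code comment such as `/* presence check only: an empty OTP cannot match, see commit message */` next to the `oath_authenticate_usersfile` call would also spare the next reader from re-deriving why a full authentication attempt is used to test for a user's existence.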
thanks

-- 
To be naive and easily deceived is impermissible, today more than ever, when the prevailing untruths may lead to a catastrophe because they blind people to real dangers and real possibilities. - Erich Fromm