i changed the patch a little because it turns out that my pam.d sample config wasn't actually working as expected - the user_unknown=ignore block needs to *replace* the "required" keyword, and not simply be appended in the end.
here's a new patch that changes the README slightly.
>From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Mon, 1 Aug 2016 12:25:10 -0400 Subject: [PATCH] fail gracefully for missing users when the pam module is enabled, it forces *all* users to immediately start using OATH, or they can't login at all. a more progressive approach would seem more reasonable to me, especially since each user need to get an admin user to update the central file for them. this patch adds an early check to the users file and makes sure the user exists before prompting for a password. if the user is missing, it exits early with a standard error code (PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration (as shown in the README file). this leaves the policy decision up to the admin (and defaults to "fail closed"). if the user is present, the code path remains the same except the usersfile is scanned twice, which may be a performance penalty on very slow filesystems or very large files. the only workaround I can think of for this would be to load the whole file into memory, but this could have significant memory impact on large files. the function used (`oath_authenticate_usersfile`) is a little overkill as it actually goes and tries to authenticate the user with an empty password. this is harmless because the file isn't updated if the OTP is incorrect and because no warning is sent to syslog. a possible improvement on this would be to have a warning shown to the user inciting them to configure OATH or to warn them about a possible typo in their username before they enter their regular passphrase --- pam_oath/README | 2 +- pam_oath/pam_oath.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/pam_oath/README b/pam_oath/README index bef4265..24b9f8b 100644 --- a/pam_oath/README +++ b/pam_oath/README @@ -23,7 +23,7 @@ window open before making any changes! --------- # head -1 /etc/pam.d/su -auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20 +auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20 # --------- diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c index 2820318..25a3452 100644 --- a/pam_oath/pam_oath.c +++ b/pam_oath/pam_oath.c @@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh, } DBG (("get user returned: %s", user)); + // quick check to skip unconfigured users before prompting for password + { + time_t last_otp; + otp[0] = '\0'; + rc = oath_authenticate_usersfile (cfg.usersfile, + user, + otp, cfg.window, onlypasswd, &last_otp); + + DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc, + oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN", + oath_strerror (rc), ctime (&last_otp))); + if (rc == OATH_UNKNOWN_USER) + { + return PAM_USER_UNKNOWN; + } + } + if (cfg.try_first_pass || cfg.use_first_pass) { retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); -- 2.1.4
i would like to do a NMU for this to deploy this change, any objections? a. -- I prefer the tumult of liberty to the quiet of servitude. - Thomas Jefferson