Control: tags 807990 + pending Dear maintainer,
I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards.
diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/changelog --- oath-toolkit-2.6.1/debian/changelog 2019-02-09 10:39:41.000000000 -0500 +++ oath-toolkit-2.6.1/debian/changelog 2016-08-20 09:51:41.000000000 -0400 @@ -1,3 +1,11 @@ +oath-toolkit (2.6.1-1.4) unstable; urgency=medium + + * Non-maintainer upload. + * patch: fail gracefully for missing users (Closes: #807990) + * push to salsa + + -- Antoine Beaupré <anar...@debian.org> Sat, 20 Aug 2016 09:51:41 -0400 + oath-toolkit (2.6.1-1.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru oath-toolkit-2.6.1/debian/control oath-toolkit-2.6.1/debian/control --- oath-toolkit-2.6.1/debian/control 2018-06-22 13:48:52.000000000 -0400 +++ oath-toolkit-2.6.1/debian/control 2016-08-20 09:51:41.000000000 -0400 @@ -6,8 +6,8 @@ Build-Depends: cdbs, debhelper (>= 7.0.0), libpam0g-dev, datefudge, gtk-doc-tools, dblatex, libxml2-utils, libxmlsec1-dev, dh-autoreconf Standards-Version: 3.9.6 Homepage: http://www.nongnu.org/oath-toolkit/ -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/oath-toolkit.git -Vcs-Git: git://anonscm.debian.org/collab-maint/oath-toolkit.git +Vcs-Browser: https://salsa.debian.org/debian/oath-toolkit +Vcs-Git: https://salsa.debian.org/debian/oath-toolkit.git Package: liboath-dev Section: libdevel diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch --- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch 1969-12-31 19:00:00.000000000 -0500 +++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch 2016-08-20 09:51:41.000000000 -0400 @@ -0,0 +1,83 @@ +From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> +Date: Mon, 1 Aug 2016 12:25:10 -0400 +Subject: [PATCH] fail gracefully for missing users + +when the pam module is enabled, it forces *all* users to immediately +start using OATH, or they can't login at all. + +a more progressive approach would seem more reasonable to me, +especially since each user need to get an admin user to update the +central file for them. + +this patch adds an early check to the users file and makes sure the +user exists before prompting for a password. + +if the user is missing, it exits early with a standard error code +(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration +(as shown in the README file). this leaves the policy decision up to +the admin (and defaults to "fail closed"). + +if the user is present, the code path remains the same except the +usersfile is scanned twice, which may be a performance penalty on very +slow filesystems or very large files. the only workaround I can think +of for this would be to load the whole file into memory, but this +could have significant memory impact on large files. + +the function used (`oath_authenticate_usersfile`) is a little overkill +as it actually goes and tries to authenticate the user with an empty +password. this is harmless because the file isn't updated if the OTP +is incorrect and because no warning is sent to syslog. + +a possible improvement on this would be to have a warning shown to the +user inciting them to configure OATH or to warn them about a possible +typo in their username before they enter their regular passphrase +--- + pam_oath/README | 2 +- + pam_oath/pam_oath.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/pam_oath/README b/pam_oath/README +index bef4265..24b9f8b 100644 +--- a/pam_oath/README ++++ b/pam_oath/README +@@ -23,7 +23,7 @@ window open before making any changes! + + --------- + # head -1 /etc/pam.d/su +-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20 ++auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20 + # + --------- + +diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c +index 2820318..25a3452 100644 +--- a/pam_oath/pam_oath.c ++++ b/pam_oath/pam_oath.c +@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh, + } + DBG (("get user returned: %s", user)); + ++ // quick check to skip unconfigured users before prompting for password ++ { ++ time_t last_otp; ++ otp[0] = '\0'; ++ rc = oath_authenticate_usersfile (cfg.usersfile, ++ user, ++ otp, cfg.window, onlypasswd, &last_otp); ++ ++ DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc, ++ oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN", ++ oath_strerror (rc), ctime (&last_otp))); ++ if (rc == OATH_UNKNOWN_USER) ++ { ++ return PAM_USER_UNKNOWN; ++ } ++ } ++ + if (cfg.try_first_pass || cfg.use_first_pass) + { + retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); +-- +2.1.4 + diff -Nru oath-toolkit-2.6.1/debian/patches/series oath-toolkit-2.6.1/debian/patches/series --- oath-toolkit-2.6.1/debian/patches/series 2019-02-09 10:39:41.000000000 -0500 +++ oath-toolkit-2.6.1/debian/patches/series 2016-08-20 09:51:41.000000000 -0400 @@ -1,2 +1,3 @@ gtkdocize.patch new-glibc-check.patch +0001-fail-gracefully-for-missing-users.patch
signature.asc
Description: PGP signature
