authorehaupt <ehaupt@FreeBSD.org>2006-12-24 04:28:25 +0800
committerehaupt <ehaupt@FreeBSD.org>2006-12-24 04:28:25 +0800
commitab159d74f2908c7495751059efaefb83134f285c (patch)
tree0550b55dde90e1a28d8d61310d7bfa8742cc2a5b /security/pam_bsdbioapi/files
parentfd2233be38f7e2011220d3b13cd56b27fa50b6f9 (diff)
The pam_bsdbioapi(8) module always prompts for finger swiping before
failing and proceeding to the next module, even when the user has not enrolled yet. This patchset adds a command line option to skip this behaviour. NOTE: This patch will go into the next upstream release. PR: 106564 Submitted by: Eugene M. Kim <freebsd.org@ab.ote.we.lv> Approved by: Fredrik Lindberg <fli@shapeshifter.se> (maintainer)
Diffstat (limited to 'security/pam_bsdbioapi/files')
-rw-r--r--security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.823
-rw-r--r--security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c51
2 files changed, 74 insertions, 0 deletions
diff --git a/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8 b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8
new file mode 100644
index 00000000000..0e7d99d87b3
--- /dev/null
+++ b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8
@@ -0,0 +1,23 @@
+--- src/pam_bsdbioapi/pam_bsdbioapi.8 Thu Feb 23 06:15:13 2006
++++ src/pam_bsdbioapi/pam_bsdbioapi.8.orig Sun Dec 10 06:36:31 2006
+@@ -36,6 +36,7 @@
+ .Ar pam_bsdbioapi
+ .Ar bsp-uuid
+ .Ar backend
++.Op -s
+ .Op -f birdb-path
+ .Op -m message-file
+ .Sh DESCRIPTION
+@@ -69,6 +70,12 @@
+ This option is required.
+ .Pp
+ .Bl -tag -width ".Fl m Ar message-file"
++.It Fl s
++Fail without prompting the user to swipe finger if the user has not enrolled
++yet.
++This is useful if only a handful of users has enrolled, but leaks whether the
++given user has enrolled, to whomever tries to authenticate as the user (e.g.
++an attacker outside).
+ .It Fl f Ar birdb-path
+ Specify an alternative path to the birdb.conf file for backend configuration.
+ The default is /usr/local/etc/birdb.conf
diff --git a/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c
new file mode 100644
index 00000000000..9e125ce4eaf
--- /dev/null
+++ b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c
@@ -0,0 +1,51 @@
+--- src/pam_bsdbioapi/pam_bsdbioapi.c Thu Feb 23 06:15:13 2006
++++ src/pam_bsdbioapi/pam_bsdbioapi.c.orig Sun Dec 10 06:26:57 2006
+@@ -215,7 +215,7 @@
+ int argc, const char *argv[])
+ {
+ const char *user, *bsp_id, *dbid, *conf, *msgfile;
+- int error, pam_retval = PAM_AUTH_ERR;
++ int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled;
+ BioAPI_HANDLE *handle;
+ struct birdb_rec keyrec, **recs;
+ struct birdb_mod *bm;
+@@ -241,9 +241,10 @@
+
+ conf = DEFCONFPATH;
+ msgfile = NULL;
++ skip_unenrolled = 0;
+
+ optind = 2;
+- while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) {
++ while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) {
+ switch (opt) {
+ case 'm':
+ msgfile = argv[optind - 1];
+@@ -253,6 +254,9 @@
+ conf = argv[optind - 1];
+ PAM_LOG("Got birdb configuration file: %s", conf);
+ break;
++ case 's':
++ skip_unenrolled = 1;
++ break;
+ }
+ }
+
+@@ -271,7 +275,6 @@
+ PAM_LOG("Got user: %s", user);
+
+ setuid(euid);
+- pam_info(pamh, "Initiating biometric authentication...");
+
+ error = bioapi_init();
+ if (error)
+@@ -312,7 +315,8 @@
+
+ keyrec.br_key = (char *)user;
+ recs = birdb_backend_get(bm, bmh, &keyrec);
+- if (recs != NULL) {
++ if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) {
++ pam_info(pamh, "Initiating biometric authentication...");
+ handle = bioapi_attach_bsp(bsp_id);
+ if (handle == NULL) {
+ PAM_VERBOSE_ERROR("Failed to attach the selected BSP");
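Review bot: The new condition `recs != NULL && (!skip_unenrolled || recs[0] != NULL)` sends an unenrolled user straight to the failure path when `-s` is set, leaving pam_retval at PAM_AUTH_ERR with no log line, so an operator reading the PAM log cannot distinguish a deliberate skip from a backend lookup failure; an `else if (skip_unenrolled) PAM_LOG("User %s has not enrolled; failing without prompt", user);` on the matching else branch would record the decision (the `if` body and any else branch continue past the end of the hunk). The `recs[0] != NULL` test also assumes birdb_backend_get returns a NULL-terminated array, which nothing in the hunk establishes, so a one-line comment above the `if` stating that assumption would help the next reader. Moving `pam_info(pamh, "Initiating biometric authentication...");` inside the `if` changes behaviour even without `-s`: a `recs == NULL` return from the backend now produces no "Initiating" message at all, which the commit message does not mention. Finally, both patch files label the old side `pam_bsdbioapi.c` / `.8` and the new side `.c.orig` / `.8.orig`, the reverse of the usual convention; patch(1) presumably still applies them, but swapping the two header lines would avoid confusion when the port is next updated.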