author | ehaupt <ehaupt@FreeBSD.org> | 2006-12-24 04:28:25 +0800 |
committer | ehaupt <ehaupt@FreeBSD.org> | 2006-12-24 04:28:25 +0800 |
commit | ab159d74f2908c7495751059efaefb83134f285c (patch) | |
tree | 0550b55dde90e1a28d8d61310d7bfa8742cc2a5b /security/pam_bsdbioapi/files | |
parent | fd2233be38f7e2011220d3b13cd56b27fa50b6f9 (diff) | |
The pam_bsdbioapi(8) module always prompts for finger swiping before
failing and proceeding to the next module, even when the user has not
enrolled yet.
This patchset adds a command line option to skip this behaviour.
NOTE: This patch will go into the next upstream release.
PR: 106564
Submitted by: Eugene M. Kim <freebsd.org@ab.ote.we.lv>
Approved by: Fredrik Lindberg <fli@shapeshifter.se> (maintainer)
Diffstat (limited to 'security/pam_bsdbioapi/files')
-rw-r--r-- | security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8 | 23 | ||||
-rw-r--r-- | security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c | 51 |
2 files changed, 74 insertions, 0 deletions
diff --git a/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8 b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8
new file mode 100644
index 00000000000..0e7d99d87b3
--- /dev/null
+++ b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8
@@ -0,0 +1,23 @@
+--- src/pam_bsdbioapi/pam_bsdbioapi.8 Thu Feb 23 06:15:13 2006
++++ src/pam_bsdbioapi/pam_bsdbioapi.8.orig Sun Dec 10 06:36:31 2006
+@@ -36,6 +36,7 @@
+ .Ar pam_bsdbioapi
+ .Ar bsp-uuid
+ .Ar backend
++.Op -s
+ .Op -f birdb-path
+ .Op -m message-file
+ .Sh DESCRIPTION
+@@ -69,6 +70,12 @@
+ This option is required.
+ .Pp
+ .Bl -tag -width ".Fl m Ar message-file"
++.It Fl s
++Fail without prompting the user to swipe finger if the user has not enrolled
++yet.
++This is useful if only a handful of users has enrolled, but leaks whether the
++given user has enrolled, to whomever tries to authenticate as the user (e.g.
++an attacker outside).
+ .It Fl f Ar birdb-path
+ Specify an alternative path to the birdb.conf file for backend configuration.
+ The default is /usr/local/etc/birdb.conf
diff --git a/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c
new file mode 100644
index 00000000000..9e125ce4eaf
--- /dev/null
+++ b/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c
@@ -0,0 +1,51 @@
+--- src/pam_bsdbioapi/pam_bsdbioapi.c Thu Feb 23 06:15:13 2006
++++ src/pam_bsdbioapi/pam_bsdbioapi.c.orig Sun Dec 10 06:26:57 2006
+@@ -215,7 +215,7 @@
+ int argc, const char *argv[])
+ {
+ const char *user, *bsp_id, *dbid, *conf, *msgfile;
+- int error, pam_retval = PAM_AUTH_ERR;
++ int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled;
+ BioAPI_HANDLE *handle;
+ struct birdb_rec keyrec, **recs;
+ struct birdb_mod *bm;
+@@ -241,9 +241,10 @@
+
+ conf = DEFCONFPATH;
+ msgfile = NULL;
++ skip_unenrolled = 0;
+
+ optind = 2;
+- while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) {
++ while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) {
+ switch (opt) {
+ case 'm':
+ msgfile = argv[optind - 1];
+@@ -253,6 +254,9 @@
+ conf = argv[optind - 1];
+ PAM_LOG("Got birdb configuration file: %s", conf);
+ break;
++ case 's':
++ skip_unenrolled = 1;
++ break;
+ }
+ }
+
+@@ -271,7 +275,6 @@
+ PAM_LOG("Got user: %s", user);
+
+ setuid(euid);
+- pam_info(pamh, "Initiating biometric authentication...");
+
+ error = bioapi_init();
+ if (error)
+@@ -312,7 +315,8 @@
+
+ keyrec.br_key = (char *)user;
+ recs = birdb_backend_get(bm, bmh, &keyrec);
+- if (recs != NULL) {
++ if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) {
++ pam_info(pamh, "Initiating biometric authentication...");
+ handle = bioapi_attach_bsp(bsp_id);
+ if (handle == NULL) {
+ PAM_VERBOSE_ERROR("Failed to attach the selected BSP"); |
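Review bot: The new condition `if (recs != NULL && (!skip_unenrolled || recs[0] != NULL))`, together with `pam_info()` now being issued only inside that branch, makes the module's observable behaviour under `-s` depend on whether the account has an enrolled record: an unenrolled account fails at once with no swipe prompt while an enrolled one waits for the sensor, so the prompt and the response time disclose enrollment status to whoever reaches the login prompt. The man-page hunk in this commit documents that leak, but nothing in the C code does, so a comment belongs above the line, e.g. `/* -s: fail without a swipe prompt when no record is enrolled; this discloses enrollment status to the caller, see pam_bsdbioapi(8). */`. The skip branch also relies on `recs[0] == NULL` meaning an empty result set and on `recs` being released on the path that does not enter the `if`; neither is visible in this hunk, so confirm that an unenrolled user with `-s` still ends at `PAM_AUTH_ERR` and that the `recs` array is freed on that path. The inner headers put `pam_bsdbioapi.c.orig` on the `+++` side (the .8 patch does the same), which suggests the diff arguments were reversed when it was generated; the patch applies either way but the labels mislead anyone regenerating it. The enclosing function starts and ends outside the hunk.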