pam: Don't ask for fingerprints for remote logins

As written in the "Linux-PAM Application Developers' Guide" at http://www.linux-pam.org/Linux-PAM-html/adg-security-user-identity.html: " As a general rule, the following convention for its value can be assumed: NULL = unknown; localhost = invoked directly from the local system; other.place.xyz = some component of the user's connection originates from this remote/requesting host. " So also exit early if the hostname isn't localhost as it should be. Closes: #21
2025-12-23 14:20:10 +01:00 · 2019-08-07 15:33:51 +02:00 · 2019-08-07 15:33:51 +02:00 · 3274a31153
commit 3274a31153
parent d6c4e8ba64
1 changed files with 7 additions and 1 deletions
--- a/pam/pam_fprintd.c
+++ b/pam/pam_fprintd.c
@ -476,7 +476,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 					   G_TYPE_NONE, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_INVALID);

 	pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost);
-	if (rhost != NULL && strlen(rhost) > 0) {
+
+	if (rhost == NULL || *rhost == '\0') {
+		/* unavailable host information */
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	if (strcmp (rhost, "localhost") != 0) {
 		/* remote login (e.g. over SSH) */
 		return PAM_AUTHINFO_UNAVAIL;
 	}