fdo-mirrors/fprintd
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/libfprint/fprintd.git synced 2025-12-23 17:50:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

pam: Don't ask for fingerprints for remote logins

Browse source 
As written in the "Linux-PAM Application Developers' Guide"
at http://www.linux-pam.org/Linux-PAM-html/adg-security-user-identity.html:
"
As a general rule, the following convention for its value can be
assumed: NULL = unknown; localhost = invoked directly from the
local system; other.place.xyz = some component of the user's
connection originates from this remote/requesting host.
"

So also exit early if the hostname isn't localhost as it should be.

Closes: #21
This commit is contained in:
Bastien Nocera 2019-08-07 15:33:51 +02:00 committed by Benjamin Berg
parent d6c4e8ba64
commit 3274a31153
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
pam/pam_fprintd.c
View file

@ -476,7 +476,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
G_TYPE_NONE, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_INVALID); G_TYPE_NONE, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_INVALID);
pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost); pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost);
if (rhost != NULL && strlen(rhost) > 0) {
if (rhost == NULL || *rhost == '\0') {
/* unavailable host information */
return PAM_AUTHINFO_UNAVAIL;
}
if (strcmp (rhost, "localhost") != 0) {
/* remote login (e.g. over SSH) */ /* remote login (e.g. over SSH) */
return PAM_AUTHINFO_UNAVAIL; return PAM_AUTHINFO_UNAVAIL;
} }