Re: dtlogin

From: Per Lejontand (pele@acc.umu.se)
Date: 01/02/02


Date: Wed, 2 Jan 2002 19:31:26 +0100
From: Per Lejontand <pele@acc.umu.se>
To: Charles Clancy <security@xauth.net>

On Mon, Dec 31, 2001 at 04:33:55PM -0600, Charles Clancy wrote:

> > To make it clear what I want to do:
> > Allow normal+NIS users to log in via ssh (telnet/ftp, whatever)
> > Disallow NIS users on dtlogin (allow local users)
>
> Attached is a simple PAM module (perhaps PA module would be less
> redundant), to do what you want. It only lets people in /etc/passwd log in.
> Compile, install, and add the following to /etc/pam.conf:
>
> dtlogin auth required /usr/lib/security/pam_local.so
>
> I'm sure people could suggest lots of improvements, but it works.

--<snipp>--

> pam_get_user(pamh, &user, NULL);
> h=fopen("/etc/passwd","r+");
>
> while (!feof(h)) {
>     fgets(line,200,h);
>     if (strncmp(user,line,strlen(user))==0) \
>         return PAM_SUCCESS;
> }

I hope you aren't using this anywhere. Any user whose name starts
the same way as a local user's can get in by using this authentication.
You only compare up to the same number of chars that exist in the
username; you must compare up to and including the separator, ':' in this
case (or simply first compare the length of the username with the offset
of the first colon within the string).
For example, if the user in question is named "bo" and there is another
user "boomfunk" who is a local user, "bo" will be allowed to log on.

-- 
//Per
.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,..,.,.,.,.,.
 Per Lejontand, Student of Computer science, SysAdm@{acc,cs}.umu.se
 Phone: +46-(0)70-5858486
 ***We just joined the civil hair patrol!
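The prefix-match flaw and the colon-boundary fix described above, as an added example that is not part of either message or the attached module. The passwd content is constructed inline so it runs without touching the real /etc/passwd; both function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample /etc/passwd content (not a real file). */
static const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/sh\n"
    "boomfunk:x:1001:1001:Local user:/home/boomfunk:/bin/sh\n"
    "alice:x:1002:1002:Alice:/home/alice:/bin/sh\n";

/* Flawed check, mirroring the quoted module: a line matches if it merely
 * starts with the user name, so "bo" is accepted via the "boomfunk" entry. */
int is_local_user_prefix(const char *passwd, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = passwd;
    while (*line) {
        if (strncmp(user, line, ulen) == 0)
            return 1;                       /* "bo" -> 1 (wrong) */
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Corrected check: the name must fill the whole first field, i.e. the
 * first ':' on the line must sit exactly strlen(user) bytes in and the
 * bytes before it must equal the user name. */
int is_local_user(const char *passwd, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = passwd;
    if (ulen == 0) return 0;                /* empty name never matches */
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t llen = nl ? (size_t)(nl - line) : strlen(line);
        const char *colon = memchr(line, ':', llen);
        if (colon && (size_t)(colon - line) == ulen &&
            memcmp(line, user, ulen) == 0)
            return 1;                       /* "boomfunk" -> 1, "bo" -> 0 */
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}
```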