Commit 3274a311 authored by Bastien Nocera, committed by Benjamin Berg

pam: Don't ask for fingerprints for remote logins

As written in the "Linux-PAM Application Developers' Guide"
at http://www.linux-pam.org/Linux-PAM-html/adg-security-user-identity.html:
"
As a general rule, the following convention for its value can be
assumed: NULL = unknown; localhost = invoked directly from the
local system; other.place.xyz = some component of the user's
connection originates from this remote/requesting host.
"

So also exit early if the hostname isn't localhost as it should be.

Closes: #21
parent d6c4e8ba
Pipeline #54438 passed with stage in 4 minutes and 6 seconds
......@@ -476,7 +476,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
G_TYPE_NONE, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_INVALID);
pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost);
if (rhost != NULL && strlen(rhost) > 0) {
if (rhost == NULL || *rhost == '\0') {
/* unavailable host information */
return PAM_AUTHINFO_UNAVAIL;
}
if (strcmp (rhost, "localhost") != 0) {
/* remote login (e.g. over SSH) */
return PAM_AUTHINFO_UNAVAIL;
}
......
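Review bot: The first new check, `if (rhost == NULL || *rhost == '\0')`, returns PAM_AUTHINFO_UNAVAIL for a NULL or empty PAM_RHOST, but the convention quoted in the commit message defines NULL as "unknown", not as remote. With this check, any PAM service that does not set PAM_RHOST for a local session is refused fingerprint authentication along with the SSH case the change targets. If failing closed on unknown host information is intended, say so in the comment and the commit message; otherwise bail out only when rhost is non-empty and differs from "localhost". Two smaller points on the same lines: the return value of `pam_get_item()` is not checked before rhost is dereferenced, and the exact `strcmp (rhost, "localhost")` treats any other spelling of the local host as remote, which is the safe direction but deserves a short comment.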