in.rexecd AND pam_securetty



RedHat 4.2 / Intel

When trying to run xterm from a remote PC with the XWin32 (StarNet) emulator
via rexec, the connection is not established and an XWin32 message says:
"connection closed". After some research I have found the following:
rexec by default undergoes pam_securetty authentication. This module
exits with an error (failure) if the tty cannot be determined. Thus, no user
(whether he/she is root or not) will pass the pam_securetty authentication
in the case of rexec, when no tty seems to be set.

I suggest changing pam_securetty.so so that the 'no tty' condition
is not taken into account if the user is not root. A very simple patch
for pam_securetty.c from PAM-0.56 follows. Comments are welcome.
Thank you.

Jiri Polach


--- pam_securetty.c.orig        Tue Jul 22 18:07:34 1997
+++ pam_securetty.c     Tue Jul 22 17:53:27 1997
@@ -90,23 +90,24 @@
     struct passwd *user_pwd;
     FILE *ttyfile;
     int ctrl;
+    int tty_unknown = 0;
 
     /* parse the arguments */
     ctrl = _pam_parse(argc, argv);
 
+    /* get user name */
     retval = pam_get_item(pamh,PAM_USER,(const void **)&username);
-    if (retval == PAM_SUCCESS)
-       retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname);
-    if (retval != PAM_SUCCESS || uttyname == NULL) {
-       /* If we couldn't get the username or the tty return error */
+    if (retval != PAM_SUCCESS) {
         if (ctrl & PAM_DEBUG_ARG)
-            _pam_log(LOG_WARNING, "can not determine tty I'm running on
!");
+            _pam_log(LOG_WARNING, 
+                     "can not determine username for this service! !");
        return PAM_SERVICE_ERR;
     }
 
-    /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
-    if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
-       uttyname += sizeof(TTY_PREFIX)-1;
+    /* get tty; if not specified, store the information until */
+    /* username is known                                      */
+    retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname);
+    if (retval != PAM_SUCCESS || uttyname == NULL) tty_unknown = 1;
 
     /* If we didn't get a username, get one */
     if(!username || (strlen(username) <= 0)) {
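
Review bot: the new lookup `retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname);` leaves retval holding a failure code whenever the tty is missing, and execution now continues into the username handling below instead of returning. Confirm that nothing between here and the uid check returns or tests retval before reassigning it, or keep the PAM_TTY result in a separate variable so a non-root user without a tty cannot fail on a stale value. The new log string "can not determine username for this service! !" also has a doubled "!", and the one-line `if (...) tty_unknown = 1;` would read better braced like the surrounding code.
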
@@ -127,6 +128,17 @@
     else if (user_pwd->pw_uid != 0) /* If the user is not root,
                                       securetty's does not apply to
them */
        return PAM_SUCCESS;
+
+    /* Now we know that user is root */
+    if (tty_unknown) {
+        if (ctrl & PAM_DEBUG_ARG)
+            _pam_log(LOG_WARNING, "can not determine tty I'm running on
!");
+        return PAM_SERVICE_ERR;
+    }
+
+    /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+    if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
+       uttyname += sizeof(TTY_PREFIX)-1;
 
     if(stat(SECURETTY_FILE,&ttyfileinfo)) {
        _pam_log(LOG_NOTICE,
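
Review bot: the refusal for root with no tty, `return PAM_SERVICE_ERR;` in the new `if (tty_unknown)` block, is logged only when PAM_DEBUG_ARG is set, so a rejected uid-0 login over a tty-less service such as rexec leaves no trace by default. Consider logging it unconditionally, as the `stat(SECURETTY_FILE,&ttyfileinfo)` failure just below does with LOG_NOTICE. The comment "Now we know that user is root" would be more exact as "uid 0", since the test above it is on pw_uid.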


