authorJake Chen <jakechentw@gmail.com>2020-06-17 15:25:39 +0800
committerJan Pazdziora <jpazdziora@redhat.com>2020-07-08 23:20:09 +0200
commit622996a9a7d462cdb51cd2a2c5ecd3b00bb48b85 (patch)
tree14499fa48bc1ec4a0a2cc19eb71901240c8e1cb3
parenta9b23ffac32c9ac3b4fac1f60658d3b08b0c93e3 (diff)
Store password to cache only after passing all PAM checks, including account.
-rw-r--r--mod_authnz_pam.c10
-rwxr-xr-xtests/run.sh5
2 files changed, 10 insertions, 5 deletions
diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index e16d408..7b4bb7a 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -197,11 +197,6 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
param = login;
stage = "PAM authentication failed for user";
ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
-#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
- if (ret == PAM_SUCCESS) {
- store_password_to_cache(r, login, password);
- }
-#endif
}
if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) {
param = login;
@@ -232,6 +227,11 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const
r->user = apr_pstrdup(r->pool, login);
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, SHOW_MODULE "PAM authentication passed for user %s", login);
pam_end(pamh, ret);
+#if AP_MODULE_MAGIC_AT_LEAST(20100625,0)
+ if (steps & _PAM_STEP_AUTH) {
+ store_password_to_cache(r, login, password);
+ }
+#endif
return AUTH_GRANTED;
}
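Review bot: The relocated `store_password_to_cache` call at the bottom of this hunk carries no comment explaining why it now sits after `pam_end` and behind `steps & _PAM_STEP_AUTH`, so a later reader has to recover from the commit message that caching is deliberately deferred until the account step has also passed. A one-line comment above the `#if`, e.g. `/* Cache only once every requested PAM step (auth and account) passed; a later cache hit presumably skips the account step until the entry expires. */`, would record both the intent and the trade-off at the point where it matters. Calling the helper after `pam_end` looks safe here, since it receives `r`, `login` and `password` rather than `pamh`. `pam_authenticate_with_login_password` begins before this hunk.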
diff --git a/tests/run.sh b/tests/run.sh
index 5a2e291..4fcc98e 100755
--- a/tests/run.sh
+++ b/tests/run.sh
@@ -33,9 +33,14 @@ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /
if rpm -ql httpd | grep mod_authn_socache ; then
echo "Testing AuthBasicProvider socache PAM + AuthnCacheProvideFor PAM"
+ rm /etc/pam-account/bob
curl -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
echo Secret > /etc/pam-auth/bob
+ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+ # rerun the same request, verify that passing auth did not store password into cache
+ curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn-cached | tee /dev/stderr | grep 401
+ touch /etc/pam-account/bob
curl -u bob:Secret -s http://localhost/authn-cached | tee /dev/stderr | grep 'User bob'
echo Secret2 > /etc/pam-auth/bob
curl -u bob:Secret -s -D /dev/stdout -o /dev/null http://localhost/authn | tee /dev/stderr | grep 401