From MAILER-DAEMON Fri Mar 13 20:33:12 2020
Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1jCujo-0004YI-3d for mharc-oath-toolkit-help@gnu.org; Fri, 13 Mar 2020 20:33:12 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:41817) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jCujl-0004Y6-L6 for oath-toolkit-help@nongnu.org; Fri, 13 Mar 2020 20:33:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jCujk-0007gK-LO for oath-toolkit-help@nongnu.org; Fri, 13 Mar 2020 20:33:09 -0400
Received: from buxtehude.debian.org ([2607:f8f0:614:1::1274:39]:34054) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1jCujk-0007ck-GC for oath-toolkit-help@nongnu.org; Fri, 13 Mar 2020 20:33:08 -0400
Received: from debbugs by buxtehude.debian.org with local (Exim 4.92) (envelope-from ) id 1jCujf-0003rU-Fo; Sat, 14 Mar 2020 00:33:03 +0000
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: "Debian Bug Tracking System"
To: anarcat
CC: oath-toolkit-help@nongnu.org
Subject: Processed: oath-toolkit: diff for NMU version 2.6.1-1.4
References: <20200314002938.GA3256@angela.anarc.at> <20151215050257.27899.34615.reportbug@marcos.anarc.at>
X-Debian-PR-Package: libpam-oath
X-Debian-PR-Source: oath-toolkit
X-Debian-PR-Message: transcript
X-Loop: owner@bugs.debian.org
Date: Sat, 14 Mar 2020 00:33:03 +0000
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized.
X-Received-From: 2607:f8f0:614:1::1274:39
X-BeenThere: oath-toolkit-help@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: OATH Toolkit general discussions
X-List-Received-Date: Sat, 14 Mar 2020 00:33:10 -0000

Processing control commands:

> tags 807990 + pending
Bug #807990 [libpam-oath] allow users absent from users.oath to login
Added tag(s) pending.

-- 
807990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807990
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

From MAILER-DAEMON Fri Mar 13 20:33:13 2020
Subject: Bug#807990: oath-toolkit: diff for NMU version 2.6.1-1.4
Reply-To: anarcat , 807990@bugs.debian.org
Resent-From: anarcat
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: OATH Toolkit Team
Resent-Date: Sat, 14 Mar 2020 00:33:01 +0000
X-Debian-PR-Message: followup 807990
X-Debian-PR-Package: libpam-oath
X-Debian-PR-Keywords: patch
X-Debian-PR-Source: oath-toolkit
References: <20151215050257.27899.34615.reportbug@marcos.anarc.at>
Date: Fri, 13 Mar 2020 20:29:38 -0400
From: anarcat
To: 807990@bugs.debian.org
Message-ID: <20200314002938.GA3256@angela.anarc.at>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"
X-NMUDIFF-Version: 2.19.5+deb10u1
User-Agent: Mutt/1.10.1 (2018-07-13)

Control: tags 807990 + pending

Dear maintainer,

I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I should
delay it longer.

Regards.

Content-Type: text/x-diff; charset=iso-8859-1
Content-Disposition: attachment; filename="oath-toolkit-2.6.1-1.4-nmu.diff"
Content-Transfer-Encoding: quoted-printable

diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/cha= ngelog --- oath-toolkit-2.6.1/debian/changelog 2019-02-09 10:39:41.000000000 -0500 +++ oath-toolkit-2.6.1/debian/changelog 2016-08-20 09:51:41.000000000 -0400
@@ -1,3 +1,11 @@ +oath-toolkit (2.6.1-1.4) unstable; urgency=3Dmedium + + * Non-maintainer upload. + * patch: fail gracefully for missing users (Closes: #807990) + * push to salsa + + -- Antoine Beaupr=E9 Sat, 20 Aug 2016 09:51:41 -0400 + oath-toolkit (2.6.1-1.3) unstable; urgency=3Dmedium =20 * Non-maintainer upload. diff -Nru oath-toolkit-2.6.1/debian/control oath-toolkit-2.6.1/debian/contr= ol --- oath-toolkit-2.6.1/debian/control 2018-06-22 13:48:52.000000000 -0400 +++ oath-toolkit-2.6.1/debian/control 2016-08-20 09:51:41.000000000 -0400 @@ -6,8 +6,8 @@ Build-Depends: cdbs, debhelper (>=3D 7.0.0), libpam0g-dev, datefudge, gtk-= doc-tools, dblatex, libxml2-utils, libxmlsec1-dev, dh-autoreconf Standards-Version: 3.9.6 Homepage: http://www.nongnu.org/oath-toolkit/ -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=3Dcollab-maint/oath-toolk= it.git -Vcs-Git: git://anonscm.debian.org/collab-maint/oath-toolkit.git +Vcs-Browser: https://salsa.debian.org/debian/oath-toolkit +Vcs-Git: https://salsa.debian.org/debian/oath-toolkit.git =20 Package: liboath-dev Section: libdevel diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missin= g-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-mi= ssing-users.patch --- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-user= s.patch 1969-12-31 19:00:00.000000000 -0500 +++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-user= s.patch 2016-08-20 09:51:41.000000000 -0400 
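Review bot: In the debian/changelog hunk, the new 2.6.1-1.4 entry is signed off `Sat, 20 Aug 2016 09:51:41 -0400`, yet the diff header shows the changelog it replaces was last modified 2019-02-09, so the entry at the top of the file is dated earlier than the entries beneath it; regenerate the timestamp at upload time so the changelog stays in chronological order. The same 2016 mtime appears on every `+++` file header in this diff (debian/control, the new patch file, debian/patches/series), which points to the NMU having been built from a 2016 working tree that was never re-dated before the 2020 upload.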
@@ -0,0 +1,83 @@ +From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001 +From: =3D?UTF-8?q?Antoine=3D20Beaupr=3DC3=3DA9?=3D +Date: Mon, 1 Aug 2016 12:25:10 -0400 +Subject: [PATCH] fail gracefully for missing users + +when the pam module is enabled, it forces *all* users to immediately +start using OATH, or they can't login at all. + +a more progressive approach would seem more reasonable to me, +especially since each user need to get an admin user to update the +central file for them. + +this patch adds an early check to the users file and makes sure the +user exists before prompting for a password. + +if the user is missing, it exits early with a standard error code +(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration +(as shown in the README file). this leaves the policy decision up to +the admin (and defaults to "fail closed"). + +if the user is present, the code path remains the same except the +usersfile is scanned twice, which may be a performance penalty on very +slow filesystems or very large files. the only workaround I can think +of for this would be to load the whole file into memory, but this +could have significant memory impact on large files. + +the function used (`oath_authenticate_usersfile`) is a little overkill +as it actually goes and tries to authenticate the user with an empty +password. this is harmless because the file isn't updated if the OTP +is incorrect and because no warning is sent to syslog. 
+ +a possible improvement on this would be to have a warning shown to the +user inciting them to configure OATH or to warn them about a possible +typo in their username before they enter their regular passphrase +--- + pam_oath/README | 2 +- + pam_oath/pam_oath.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/pam_oath/README b/pam_oath/README +index bef4265..24b9f8b 100644 +--- a/pam_oath/README ++++ b/pam_oath/README +@@ -23,7 +23,7 @@ window open before making any changes! +=20 + --------- + # head -1 /etc/pam.d/su +-auth requisite pam_oath.so debug usersfile=3D/etc/users.oath window=3D20 ++auth [user_unknown=3Dignore success=3Dok] pam_oath.so debug usersfile=3D/= etc/users.oath window=3D20 + # + --------- +=20 +diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c +index 2820318..25a3452 100644 +--- a/pam_oath/pam_oath.c ++++ b/pam_oath/pam_oath.c +@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh, + } + DBG (("get user returned: %s", user)); +=20 ++ // quick check to skip unconfigured users before prompting for password ++ { ++ time_t last_otp; ++ otp[0] =3D '\0'; ++ rc =3D oath_authenticate_usersfile (cfg.usersfile, ++ user, ++ otp, cfg.window, onlypasswd, &last_= otp); ++ ++ DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc, ++ oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN", ++ oath_strerror (rc), ctime (&last_otp))); ++ if (rc =3D=3D OATH_UNKNOWN_USER) ++ { ++ return PAM_USER_UNKNOWN; ++ } ++ } ++ + if (cfg.try_first_pass || cfg.use_first_pass) + { + retval =3D pam_get_item (pamh, PAM_AUTHTOK, (const void **) &passwo= rd); +--=20 +2.1.4 + diff -Nru oath-toolkit-2.6.1/debian/patches/series oath-toolkit-2.6.1/debia= n/patches/series --- oath-toolkit-2.6.1/debian/patches/series 2019-02-09 10:39:41.000000000 = -0500 +++ oath-toolkit-2.6.1/debian/patches/series 2016-08-20 09:51:41.000000000 = -0400 
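Review bot: In the pam_oath/README hunk (the `=3D` sequences are quoted-printable for `=`), replacing `requisite` with `[user_unknown=ignore success=ok]` changes more than the unknown-user case. `requisite` is shorthand for `[success=ok new_authtok_reqd=ok ignore=ignore default=die]`; the new control gives no `default=` action, so every unlisted return code (a wrong OTP included) falls back to `bad`, which records the failure but lets the rest of the stack keep running instead of stopping at once. If the `requisite` behaviour is meant to survive, write it out as `[success=ok user_unknown=ignore default=die]`. The README should also say plainly what the commit message only implies: with `user_unknown=ignore`, any account absent from /etc/users.oath authenticates with no OTP at all, so the users file must be complete before this line goes onto a privileged service such as the `su` stack shown in the example.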
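Review bot: In the pam_oath/pam_oath.c hunk, `last_otp` is declared without an initialiser and then handed to `ctime (&last_otp)` in the DBG call regardless of what `oath_authenticate_usersfile` returned; on the OATH_UNKNOWN_USER path nothing in the hunk shows it being written, so that is a read of an uninitialised `time_t`, and `time_t last_otp = 0;` avoids it. The call also passes `onlypasswd` with no assignment visible in the hunk; confirm it is set by this point rather than further down where the real authentication runs. The early check works by attempting a full authentication with an empty OTP and relying on that having no side effects (the commit message argues the usersfile is not rewritten and nothing is logged); a lookup that only scans for the user would make the intent explicit and avoid the double scan the commit message itself flags. The guard is otherwise fail-closed in the right way: only OATH_UNKNOWN_USER short-circuits, so a missing or unreadable usersfile still falls through to the normal path.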
@@ -1,2 +1,3 @@ gtkdocize.patch new-glibc-check.patch +0001-fail-gracefully-for-missing-users.patch

From MAILER-DAEMON Fri Mar 13 20:39:25 2020
To: oath-toolkit-help@nongnu.org
From: Debian FTP Masters
Subject: Processing of oath-toolkit_2.6.1-1.4_source.changes
Date: Sat, 14 Mar 2020 00:39:14 +0000
X-Debian: DAK
X-DAK: DAK
Auto-Submitted: auto-generated
X-Debian-Package: oath-toolkit

oath-toolkit_2.6.1-1.4_source.changes uploaded successfully to localhost
along with the files:
  oath-toolkit_2.6.1-1.4.dsc
  oath-toolkit_2.6.1-1.4.debian.tar.xz
  oath-toolkit_2.6.1-1.4_amd64.buildinfo

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)

From MAILER-DAEMON Fri Mar 13 21:48:10 2020
Subject: Bug#807990: oath-toolkit: diff for NMU version 2.6.1-1.4
Reply-To: anarcat , 807990@bugs.debian.org
Resent-From: anarcat
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: OATH Toolkit Team
Resent-Date: Sat, 14 Mar 2020 01:48:02 +0000
X-Debian-PR-Message: followup 807990
X-Debian-PR-Package: libpam-oath
X-Debian-PR-Keywords: pending patch
X-Debian-PR-Source: oath-toolkit
References: <20151215050257.27899.34615.reportbug@marcos.anarc.at>
Date: Fri, 13 Mar 2020 21:44:48 -0400
From: anarcat
To: 807990@bugs.debian.org
Message-ID: <20200314014448.GA24325@angela.anarc.at>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"
X-NMUDIFF-Version: 2.19.5+deb10u1
User-Agent: Mutt/1.10.1 (2018-07-13)

[this is a resend: the previous version had the wrong date in debian/changelog]

Dear maintainer,

I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I should
delay it longer.

Regards.

Content-Type: text/x-diff; charset=iso-8859-1
Content-Disposition: attachment; filename="oath-toolkit-2.6.1-1.4-nmu.diff"
Content-Transfer-Encoding: quoted-printable

diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/cha= ngelog --- oath-toolkit-2.6.1/debian/changelog 2019-02-09 10:39:41.000000000 -0500 +++ oath-toolkit-2.6.1/debian/changelog 2016-08-20 09:51:41.000000000 -0400
@@ -1,3 +1,11 @@ +oath-toolkit (2.6.1-1.4) unstable; urgency=3Dmedium + + * Non-maintainer upload. + * patch: fail gracefully for missing users (Closes: #807990) + * push to salsa + + -- Antoine Beaupr=E9 Sat, 20 Aug 2016 09:51:41 -0400 + oath-toolkit (2.6.1-1.3) unstable; urgency=3Dmedium =20 * Non-maintainer upload. diff -Nru oath-toolkit-2.6.1/debian/control oath-toolkit-2.6.1/debian/contr= ol --- oath-toolkit-2.6.1/debian/control 2018-06-22 13:48:52.000000000 -0400 +++ oath-toolkit-2.6.1/debian/control 2016-08-20 09:51:41.000000000 -0400 @@ -6,8 +6,8 @@ Build-Depends: cdbs, debhelper (>=3D 7.0.0), libpam0g-dev, datefudge, gtk-= doc-tools, dblatex, libxml2-utils, libxmlsec1-dev, dh-autoreconf Standards-Version: 3.9.6 Homepage: http://www.nongnu.org/oath-toolkit/ -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=3Dcollab-maint/oath-toolk= it.git -Vcs-Git: git://anonscm.debian.org/collab-maint/oath-toolkit.git +Vcs-Browser: https://salsa.debian.org/debian/oath-toolkit +Vcs-Git: https://salsa.debian.org/debian/oath-toolkit.git =20 Package: liboath-dev Section: libdevel diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missin= g-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-mi= ssing-users.patch --- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-user= s.patch 1969-12-31 19:00:00.000000000 -0500 +++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-user= s.patch 2016-08-20 09:51:41.000000000 -0400 
@@ -0,0 +1,83 @@ +From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001 +From: =3D?UTF-8?q?Antoine=3D20Beaupr=3DC3=3DA9?=3D +Date: Mon, 1 Aug 2016 12:25:10 -0400 +Subject: [PATCH] fail gracefully for missing users + +when the pam module is enabled, it forces *all* users to immediately +start using OATH, or they can't login at all. + +a more progressive approach would seem more reasonable to me, +especially since each user need to get an admin user to update the +central file for them. + +this patch adds an early check to the users file and makes sure the +user exists before prompting for a password. + +if the user is missing, it exits early with a standard error code +(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration +(as shown in the README file). this leaves the policy decision up to +the admin (and defaults to "fail closed"). + +if the user is present, the code path remains the same except the +usersfile is scanned twice, which may be a performance penalty on very +slow filesystems or very large files. the only workaround I can think +of for this would be to load the whole file into memory, but this +could have significant memory impact on large files. + +the function used (`oath_authenticate_usersfile`) is a little overkill +as it actually goes and tries to authenticate the user with an empty +password. this is harmless because the file isn't updated if the OTP +is incorrect and because no warning is sent to syslog. 
+ +a possible improvement on this would be to have a warning shown to the +user inciting them to configure OATH or to warn them about a possible +typo in their username before they enter their regular passphrase +--- + pam_oath/README | 2 +- + pam_oath/pam_oath.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/pam_oath/README b/pam_oath/README +index bef4265..24b9f8b 100644 +--- a/pam_oath/README ++++ b/pam_oath/README +@@ -23,7 +23,7 @@ window open before making any changes! +=20 + --------- + # head -1 /etc/pam.d/su +-auth requisite pam_oath.so debug usersfile=3D/etc/users.oath window=3D20 ++auth [user_unknown=3Dignore success=3Dok] pam_oath.so debug usersfile=3D/= etc/users.oath window=3D20 + # + --------- +=20 +diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c +index 2820318..25a3452 100644 +--- a/pam_oath/pam_oath.c ++++ b/pam_oath/pam_oath.c +@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh, + } + DBG (("get user returned: %s", user)); +=20 ++ // quick check to skip unconfigured users before prompting for password ++ { ++ time_t last_otp; ++ otp[0] =3D '\0'; ++ rc =3D oath_authenticate_usersfile (cfg.usersfile, ++ user, ++ otp, cfg.window, onlypasswd, &last_= otp); ++ ++ DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc, ++ oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN", ++ oath_strerror (rc), ctime (&last_otp))); ++ if (rc =3D=3D OATH_UNKNOWN_USER) ++ { ++ return PAM_USER_UNKNOWN; ++ } ++ } ++ + if (cfg.try_first_pass || cfg.use_first_pass) + { + retval =3D pam_get_item (pamh, PAM_AUTHTOK, (const void **) &passwo= rd); +--=20 +2.1.4 + diff -Nru oath-toolkit-2.6.1/debian/patches/series oath-toolkit-2.6.1/debia= n/patches/series --- oath-toolkit-2.6.1/debian/patches/series 2019-02-09 10:39:41.000000000 = -0500 +++ oath-toolkit-2.6.1/debian/patches/series 2016-08-20 09:51:41.000000000 = -0400 
@@ -1,2 +1,3 @@ gtkdocize.patch new-glibc-check.patch +0001-fail-gracefully-for-missing-users.patch

From MAILER-DAEMON Fri Mar 13 21:50:31 2020
To: oath-toolkit-help@nongnu.org
From: Debian FTP Masters
Subject: Processing of oath-toolkit_2.6.1-1.4_source.changes
Date: Sat, 14 Mar 2020 01:50:23 +0000
X-Debian: DAK
X-DAK: DAK
Auto-Submitted: auto-generated
X-Debian-Package: oath-toolkit

oath-toolkit_2.6.1-1.4_source.changes uploaded successfully to localhost
along with the files:
  oath-toolkit_2.6.1-1.4.dsc
  oath-toolkit_2.6.1-1.4.debian.tar.xz
  oath-toolkit_2.6.1-1.4_amd64.buildinfo

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)

From MAILER-DAEMON Mon Mar 23 22:58:23 2020
From: Debian FTP Masters
To: =?utf-8?q?Antoine_Beaupr=C3=A9?= , OATH Toolkit Team
X-DAK: dak process-upload
X-Debian: DAK
X-Debian-Package: oath-toolkit
Auto-Submitted: auto-generated
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Subject: oath-toolkit_2.6.1-1.4_source.changes ACCEPTED into unstable
Date: Tue, 24 Mar 2020 02:58:12 +0000

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Mar 2020 20:30:26 -0400
Source: oath-toolkit
Architecture: source
Version: 2.6.1-1.4
Distribution: unstable
Urgency: medium
Maintainer: OATH Toolkit Team
Changed-By: Antoine Beaupré
Closes: 807990
Changes:
 oath-toolkit (2.6.1-1.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * patch: fail gracefully for missing users (Closes: #807990)
   * push to salsa
Checksums-Sha1:
 1882f71449d75aafc472fb4a52295a7d72b82bde 1893 oath-toolkit_2.6.1-1.4.dsc
 07c2e676de609666a0bb324c7f279965ec66c12c 21796 oath-toolkit_2.6.1-1.4.debian.tar.xz
 d70b6514f4dbcd021fca19d7be726869cf25b135 10664 oath-toolkit_2.6.1-1.4_amd64.buildinfo
Checksums-Sha256:
 163f17747428d4169d8657ef81b526bc0802d3555e2d110ab91569f017e02479 1893 oath-toolkit_2.6.1-1.4.dsc
 212d1f10fb2ca849295c1a2c0f449ead9da9169f74ad2fc52979c4bf4b7eb0b7 21796 oath-toolkit_2.6.1-1.4.debian.tar.xz
 5ddd1b0097ddccb8714ae544add772ef8652ab77a0735b35f6469fece25cc14a 10664 oath-toolkit_2.6.1-1.4_amd64.buildinfo
Files:
 a9a1aa53b16472c0fd74001da6ed966e 1893 devel optional oath-toolkit_2.6.1-1.4.dsc
 939bd854393fb40ab2c97a3a71b01de4 21796 devel optional oath-toolkit_2.6.1-1.4.debian.tar.xz
 a7dde57fb1f1b2de0017abedb26597b4 10664 devel optional oath-toolkit_2.6.1-1.4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAl5sNuMACgkQPqHd3bJh
2XtnZwf+PlwQTAmawVy8aLzApqunp0Z3Zkg0q0/zLs4XgHEiHS8cv/4XFHWywlmg
0cMZBHbzVUfBn8nN9V9P0KG+0JHYt5x8EeMtift/oSfpcDFCRqUBFFwAT8/Emcb8
3mWygpSPCuEphOgw3UPzW8WO65X6/kEbfnxweCJpMuLU6riEhKRhYQ6fd303N2Lm
yrLLgoKF4rIBmW6WFrNRIBigRSxo0lUFCFrutyH48Ddu5lDLjqXCWVWxaU3YxMBd
hBUKIjKJyE5iMVDBXB6ihGg0cSLMXGeGvA7tUzYqt5WfnH0V+u3N8QUxI7VF78ej
fjRJudPZM5xqj9l+F30Behd8zDuugQ==
=GamI
-----END PGP SIGNATURE-----

Thank you for your contribution to Debian.
From MAILER-DAEMON Mon Mar 23 23:00:14 2020
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.debian.org
From: "Debian Bug Tracking System"
To: Antoine =?UTF-8?Q?Beaupr=C3=A9?=
Subject: Bug#807990: marked as done (allow users absent from users.oath to login)
References: <20151215050257.27899.34615.reportbug@marcos.anarc.at>
X-Debian-PR-Message: closed 807990
X-Debian-PR-Package: libpam-oath
X-Debian-PR-Keywords: patch
X-Debian-PR-Source: oath-toolkit
Reply-To: 807990@bugs.debian.org
Date: Tue, 24 Mar 2020 03:00:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1585018802-29517-0"

Your message dated Tue, 24 Mar 2020 02:58:12 +0000
with message-id
and subject line Bug#807990: fixed in oath-toolkit 2.6.1-1.4
has caused the Debian Bug report #807990,
regarding allow users absent from users.oath to login
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
807990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807990
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

From: =?utf-8?q?Antoine_Beaupr=C3=A9?=
To: Debian Bug Tracking System
Subject: allow users absent from users.oath to login
Message-ID: <20151215050257.27899.34615.reportbug@marcos.anarc.at>
X-Mailer: reportbug 6.6.3
Date: Tue, 15 Dec 2015 00:02:57 -0500
Delivered-To: submit@bugs.debian.org

Package: libpam-oath
Version: 2.4.1-1
Severity: wishlist

Since only root can (and should) update /etc/users.oath, it's pretty
inconvenient to deploy pam-oath in any environment, as it automatically
kicks out any user using password authentication.

It would be good if there was an option in the pam module that would
allow authentication to succeed if the user is *not* present in the
users file.

Thanks!

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-oath depends on:
ii  libc6           2.19-18+deb8u1
ii  liboath0        2.4.1-1
ii  libpam-runtime  1.1.8-3.1
ii  libpam0g        1.1.8-3.1

libpam-oath recommends no packages.

libpam-oath suggests no packages.

-- no debconf information

Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 807990-close) by bugs.debian.org; 24 Mar 2020 02:58:13 +0000
From: Debian FTP Masters
Reply-To: Antoine Beaupré
To: 807990-close@bugs.debian.org
Subject: Bug#807990: fixed in oath-toolkit 2.6.1-1.4
Date: Tue, 24 Mar 2020 02:58:12 +0000

Source: oath-toolkit
Source-Version: 2.6.1-1.4
Done: Antoine Beaupré

We believe that the bug you reported is fixed in the latest version of
oath-toolkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré (supplier of updated oath-toolkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Mar 2020 20:30:26 -0400
Source: oath-toolkit
Architecture: source
Version: 2.6.1-1.4
Distribution: unstable
Urgency: medium
Maintainer: OATH Toolkit Team
Changed-By: Antoine Beaupré
Closes: 807990
Changes:
 oath-toolkit (2.6.1-1.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * patch: fail gracefully for missing users (Closes: #807990)
   * push to salsa
Checksums-Sha1:
 1882f71449d75aafc472fb4a52295a7d72b82bde 1893 oath-toolkit_2.6.1-1.4.dsc
 07c2e676de609666a0bb324c7f279965ec66c12c 21796 oath-toolkit_2.6.1-1.4.debian.tar.xz
 d70b6514f4dbcd021fca19d7be726869cf25b135 10664 oath-toolkit_2.6.1-1.4_amd64.buildinfo
Checksums-Sha256:
 163f17747428d4169d8657ef81b526bc0802d3555e2d110ab91569f017e02479 1893 oath-toolkit_2.6.1-1.4.dsc
 212d1f10fb2ca849295c1a2c0f449ead9da9169f74ad2fc52979c4bf4b7eb0b7 21796 oath-toolkit_2.6.1-1.4.debian.tar.xz
 5ddd1b0097ddccb8714ae544add772ef8652ab77a0735b35f6469fece25cc14a 10664 oath-toolkit_2.6.1-1.4_amd64.buildinfo
Files:
 a9a1aa53b16472c0fd74001da6ed966e 1893 devel optional oath-toolkit_2.6.1-1.4.dsc
 939bd854393fb40ab2c97a3a71b01de4 21796 devel optional oath-toolkit_2.6.1-1.4.debian.tar.xz
 a7dde57fb1f1b2de0017abedb26597b4 10664 devel optional oath-toolkit_2.6.1-1.4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAl5sNuMACgkQPqHd3bJh
2XtnZwf+PlwQTAmawVy8aLzApqunp0Z3Zkg0q0/zLs4XgHEiHS8cv/4XFHWywlmg
0cMZBHbzVUfBn8nN9V9P0KG+0JHYt5x8EeMtift/oSfpcDFCRqUBFFwAT8/Emcb8
3mWygpSPCuEphOgw3UPzW8WO65X6/kEbfnxweCJpMuLU6riEhKRhYQ6fd303N2Lm
yrLLgoKF4rIBmW6WFrNRIBigRSxo0lUFCFrutyH48Ddu5lDLjqXCWVWxaU3YxMBd
hBUKIjKJyE5iMVDBXB6ihGg0cSLMXGeGvA7tUzYqt5WfnH0V+u3N8QUxI7VF78ej
fjRJudPZM5xqj9l+F30Behd8zDuugQ==
=GamI
-----END PGP SIGNATURE-----

From: Debian testing watch
To: oath-toolkit@packages.debian.org
Subject: oath-toolkit 2.6.1-1.4 MIGRATED to testing
Date: Mon, 30 Mar 2020 04:39:25 +0000

FYI: The status of the oath-toolkit source package
in Debian's testing distribution has changed.

  Previous version: 2.6.1-1.3
  Current version:  2.6.1-1.4

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.
From: Paul Klump
To: oath-toolkit-help@nongnu.org
Subject: CentOS 7 configured for 2FA SSH access via pam_oath - allows any string 6 characters or less for one-time password
Date: Mon, 30 Mar 2020 15:32:30 -0400

Hello all,

So I've been reading up on configuring a CentOS 7 machine for 2-factor
authentication for SSH, using pam_oath and the FreeOTP phone app, plus
local usernames/passwords for the two factors. I've read various online
articles, and all seem to follow the basic instructions listed in the
following articles:

https://wiki.archlinux.org/index.php/Pam_oath
https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/
https://www.brianlane.com/post/setup-oath-ssh-login-on-fedora/

Before I do this on my main CentOS machine, I spun up a VirtualBox VM for
testing, and did a minimal CentOS 7 install. I followed the instructions,
and I get prompted for "One-time password (OATH)" credentials, but I
noticed that I can input any alphanumeric string that's 6 characters or
less for the OATH password, and it will then prompt me for my local
username/password. And as long as I enter the local password correctly,
I'm granted shell access.

Here are the steps I followed after the initial minimal CentOS 7 install
(CentOS Linux release 7.7.1908 (Core)):

1) Install packages

---
yum update && yum upgrade
yum install epel-release
yum install pam_oath oathtool gen-oath-safe
---

2) Edit /etc/pam.d/sshd, and add the following line as the first
non-commented line:

---
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
---

So the first few lines of /etc/pam.d/sshd look like this before:

---
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
---

And after:

---
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
---

3) Generate keys for my local account:

---
gen-oath-safe jdoe hotp
---

4) Add the key to the FreeOTP app on the phone via QR code

5) Add the hex code to /etc/liboath/users.oath:

---
HOTP jdoe - REDACTED
---

6) Edit the /etc/ssh/sshd_config file and make sure the following settings are in place:

---
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
---

7) Set SELinux permissions on /etc/liboath:

---
semanage fcontext -a -t systemd_passwd_var_run_t '/etc/liboath(/.*)?'
restorecon -rv /etc/liboath/
---

8) Restart SSH:

---
systemctl restart sshd
---

So when I SSH into this host, and enter any string 6 characters or less,
I'm let through to login with the local password:

---
login as: jdoe
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
 Password:
End of keyboard-interactive prompts from server
Last login: Sun Mar 22 18:03:08 2020 from 192.168.1.240
[jdoe@pkcentos7 ~]
---

If I enter a string 7 characters or more for the OATH password, the
following occurs:

---
login as: jdoe
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
 One-time password (OATH) for `jdoe':
---

I've looked through various other articles returned from Google searches,
and I don't clearly see a step or setting I'm missing.

Any help on this would be greatly appreciated. Thanks in advance, and if
any additional information is needed, please let me know.

Paul
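As an added illustration (not part of the message above, and not code from oath-toolkit), the following Python models how Linux-PAM evaluates the `auth` stack from step 2, so that the effect of the `sufficient` control on the `pam_oath.so` line can be traced without a VM. It is a deliberately small model: only the four classic control keywords are implemented, `substack password-auth` is flattened by assumption to the `pam_unix.so` / `pam_deny.so` pair that the CentOS 7 default ends in, `include postlogin` is dropped because it contributes no `auth` decision, and pam_oath's handling of inputs longer than `digits` (the 7-or-more-character case in the post) is not modelled. The stack texts and the per-module outcomes are constructed for the example.

```python
"""Model of Linux-PAM auth-stack evaluation (example code, not from the post
or from oath-toolkit). Shows that `auth sufficient pam_oath.so` placed before
the password modules makes the OTP optional, not mandatory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    control: str  # required | requisite | sufficient | optional
    module: str   # e.g. "pam_oath.so"
    args: tuple   # remaining tokens, kept for display only


def parse_pam(text: str) -> list:
    """Parse the `auth` lines of a pam.d fragment into Rule objects.

    Comments and other management groups are skipped. `include`/`substack`
    must be flattened by the caller, so they are rejected here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module, *args = line.split()
        if group != "auth":
            continue
        if control in ("include", "substack"):
            raise ValueError(f"flatten '{control} {module}' before simulating")
        if control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control keyword {control!r}")
        rules.append(Rule(control, module, tuple(args)))
    return rules


def run_auth_stack(rules: list, results: dict) -> bool:
    """Evaluate an auth stack; `results` maps module name -> True/False.

    Linux-PAM semantics for the simple keywords:
      required   failure is remembered, the remaining modules still run
      requisite  failure ends the stack immediately with a denial
      sufficient success ends the stack with success unless a required
                 module already failed; failure is simply ignored
      optional   ignored when other modules decide the outcome
    A stack in which no required/requisite module succeeded is denied.
    """
    required_failed = False
    positive = False
    for rule in rules:
        ok = results[rule.module]
        if rule.control in ("required", "requisite"):
            if ok:
                positive = True
            elif rule.control == "requisite":
                return False
            else:
                required_failed = True
        elif rule.control == "sufficient" and ok and not required_failed:
            return True
    return positive and not required_failed


# Step 2 of the post, with `substack password-auth` flattened (assumption:
# CentOS 7's password-auth ends in a sufficient pam_unix and a required pam_deny).
POSTED_STACK = """
#%PAM-1.0
auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
auth       required     pam_sepermit.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
"""

# One-word change: a failed OTP is now remembered and the stack is denied
# even when pam_unix accepts the local password.
HARDENED_STACK = POSTED_STACK.replace("auth sufficient pam_oath.so",
                                      "auth required   pam_oath.so")


def login_outcomes(stack_text: str) -> dict:
    """Run all four OTP/password correctness combinations through a stack.

    Returns {(otp_ok, password_ok): access_granted}. pam_sepermit is assumed
    to pass (normal user) and pam_deny always fails, by definition.
    """
    rules = parse_pam(stack_text)
    table = {}
    for otp_ok in (True, False):
        for pw_ok in (True, False):
            results = {"pam_oath.so": otp_ok, "pam_sepermit.so": True,
                       "pam_unix.so": pw_ok, "pam_deny.so": False}
            table[(otp_ok, pw_ok)] = run_auth_stack(rules, results)
    return table


if __name__ == "__main__":
    for label, stack in (("posted (sufficient)", POSTED_STACK),
                         ("hardened (required)", HARDENED_STACK)):
        print(label)
        for (otp_ok, pw_ok), granted in login_outcomes(stack).items():
            print(f"  otp_ok={otp_ok!s:5} password_ok={pw_ok!s:5} -> "
                  f"{'ACCESS' if granted else 'denied'}")
```

Running it shows the posted stack granting access whenever either factor is right (a wrong OTP with the right password, and equally a right OTP with a wrong password), which is exactly the behaviour in the log excerpt above; the `required` variant grants access only when both are right. `requisite` would also work and additionally stops the stack before the password prompt, at the cost of telling a remote client that the OTP step alone failed.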