fix(PamAuth): added pam_acct_mgmt() call, fixed pam_start() (#1203)

Added a pam_acct_mgmt() call after pam_authenticate() to check
access rights at the PAM level (HBAC, password expiration, account lockout)
Fixed pam_start() to be passed the real username instead of '3proxy@'

---

Added pam_acct_mgmt() call after pam_authenticate() to enable PAM
account checks (HBAC, password expiration, account lockout).
Fixed pam_start() to pass actual username instead of hardcoded '3proxy@'
Tested with FreeIPA 4.12 + SSSD Rocky Linux 9
BDBSAlive6one6 2026-04-02 15:06:21 +03:00 committed by GitHub
parent 1f92847a63
commit c7318a825c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -92,7 +92,7 @@ static int pamfunc(struct clientparam *param)
pthread_mutex_lock(&pam_mutex);
if (!pamh)
{
retval = pam_start ((char *)service, "3proxy@" , &conv, &pamh);
retval = pam_start ((char *)service, (char *)param->username, &conv, &pamh);
}
if (retval == PAM_SUCCESS)
retval = pam_set_item (pamh, PAM_USER, param->username);
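Review bot: in the `if (!pamh)` branch, pam_start() only runs when no handle exists yet, so if pamh is kept between calls the user passed here is the first caller's, and every later request depends on the pam_set_item(pamh, PAM_USER, param->username) call that follows. Please add a comment saying that PAM_USER is what carries the per-request user, or confirm that the handle is ended and recreated for each request so that modules never see state left over from a previous user. It would also help to state what happens when param->username is NULL at this point, since the value now goes straight into pam_start().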
@ -102,6 +102,8 @@ static int pamfunc(struct clientparam *param)
/*fprintf(stderr,"pam_set_item2 rc=%d\n",retval); */
if (retval == PAM_SUCCESS)
retval = pam_authenticate (pamh, 0);
if (retval == PAM_SUCCESS)
retval = pam_acct_mgmt (pamh, 0);
/*fprintf(stderr,"pam_authenticate rc=%d\n",retval);*/
if (retval == PAM_SUCCESS) { /*auth OK*/ rc=0; }
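Review bot: the new pam_acct_mgmt (pamh, 0) call makes the account stack of the PAM service named by `service` part of the login decision, and nothing in the change documents that; please note in the docs or sample config that the service file needs account rules, since deployments that only configured auth will behave differently after this commit. Two smaller points in the same hunk: the commented-out `pam_authenticate rc=%d` debug line now sits after pam_acct_mgmt(), so if re-enabled it would report the account result under the authenticate label, and every non-PAM_SUCCESS result (expired password, locked account, HBAC denial) collapses into the same failure path, so logging retval via pam_strerror() would let an operator tell a bad password from an account-policy rejection.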