From c7318a825c6b00a2a819f5957ede2b61d0dab2c4 Mon Sep 17 00:00:00 2001 From: BDBSAlive6one6 <68449698+DoveSono@users.noreply.github.com> Date: Thu, 2 Apr 2026 15:06:21 +0300 Subject: [PATCH] =?UTF-8?q?fix(PamAuth):=20=D0=B4=D0=BE=D0=B1=D0=B0=D0=B2?= =?UTF-8?q?=D0=BB=D0=B5=D0=BD=20=D0=B2=D1=8B=D0=B7=D0=BE=D0=B2=20pam=5Facc?= =?UTF-8?q?t=5Fmgmt(),=20=D0=B8=D1=81=D0=BF=D1=80=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=20pam=5Fstart()=20(#1203)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Добавлен вызов pam_acct_mgmt() после pam_authenticate() для проверки прав доступа на уровне PAM (HBAC, истечение пароля, блокировка учётки) Исправлена передача реального username в pam_start() вместо '3proxy@' --- Added pam_acct_mgmt() call after pam_authenticate() to enable PAM account checks (HBAC, password expiration, account lockout). Fixed pam_start() to pass actual username instead of hardcoded '3proxy@' Tested with FreeIPA 4.12 + SSSD Rocky Linux 9 --- src/plugins/PamAuth/pamauth.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/plugins/PamAuth/pamauth.c b/src/plugins/PamAuth/pamauth.c index 3f2870e..d8646aa 100644 --- a/src/plugins/PamAuth/pamauth.c +++ b/src/plugins/PamAuth/pamauth.c @@ -92,7 +92,7 @@ static int pamfunc(struct clientparam *param) pthread_mutex_lock(&pam_mutex); if (!pamh) { - retval = pam_start ((char *)service, "3proxy@" , &conv, &pamh); + retval = pam_start ((char *)service, (char *)param->username, &conv, &pamh); } if (retval == PAM_SUCCESS) retval = pam_set_item (pamh, PAM_USER, param->username); @@ -102,6 +102,8 @@ static int pamfunc(struct clientparam *param) /*fprintf(stderr,"pam_set_item2 rc=%d\n",retval); */ if (retval == PAM_SUCCESS) retval = pam_authenticate (pamh, 0); + if (retval == PAM_SUCCESS) + retval = pam_acct_mgmt (pamh, 0); /*fprintf(stderr,"pam_authenticate rc=%d\n",retval);*/ if (retval == PAM_SUCCESS) { /*auth OK*/ rc=0; }
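Review bot: The `(char *)` cast on `param->username` in the new `pam_start` call discards any const qualifier and hides the pointer-type conversion. Linux-PAM declares that argument as `const char *`, so the narrower form is `retval = pam_start ((char *)service, (const char *)param->username, &conv, &pamh);`. With the real name passed here, the `pam_set_item (pamh, PAM_USER, param->username)` on the following context lines looks redundant for a freshly started handle. If it stays, a one-line comment such as `/* PAM_USER is set again below; pam_start already received the same name */` would stop a later reader from removing the wrong one. The name is supplied by the proxy client and now reaches the PAM stack at `pam_start`. Whether it is length- or character-checked first is not visible, because `pamfunc` starts and ends outside this hunk.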
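Review bot: The new `pam_acct_mgmt (pamh, 0)` call has no comment saying that every non-`PAM_SUCCESS` result denies access, including `PAM_NEW_AUTHTOK_REQD` for an expired password. That is the safe choice here, but it is worth stating above the added lines, for example `/* account checks must pass too; any result other than PAM_SUCCESS (expired, locked, access denied, PAM_NEW_AUTHTOK_REQD) rejects the login */`. The commented-out debug line that follows still reads `pam_authenticate rc=`, although `retval` now holds the account-check result whenever authentication succeeded. It should be relabelled, or a second line added, for example `/*fprintf(stderr,"pam_acct_mgmt rc=%d\n",retval);*/`. For operators, it would help if the failure path logged which step refused the login while returning the same code to the client. That path, and how `retval` maps to `rc`, lie outside this hunk.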