vtysh: Account validity should be verified when authenticating users with PAM.

Description:
	SonarQube detects the following behaviour as a vulnerability.
	When authenticating users using PAM, it is strongly recommended to
	check the validity of the account (not locked, not expired ...),
	otherwise it leads to unauthorized access to resources.

	pam_acct_mgmt() should be called for account validity after
	calling pam_authenticate().

Signed-off-by: Rajesh Girada <rgirada@vmware.com>
rgirada 2022-06-23 07:37:28 -07:00
parent 8a8fd10a47
commit 264a2a273f

@ -71,6 +71,10 @@ static int vtysh_pam(const char *user)
fprintf(stderr, "vtysh_pam: Failure to initialize pam: %s(%d)",
pam_strerror(pamh, ret), ret);
if (pam_acct_mgmt(pamh, 0) != PAM_SUCCESS)
fprintf(stderr, "%s: Failed in account validation: %s(%d)",
__func__, pam_strerror(pamh, ret), ret);
/* close Linux-PAM */
if (pam_end(pamh, ret) != PAM_SUCCESS) {
pamh = NULL;
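
Review bot: The result of pam_acct_mgmt(pamh, 0) is compared against PAM_SUCCESS but never stored in ret, so the added fprintf reports pam_strerror(pamh, ret) for the status of an earlier call, and the pam_end(pamh, ret) that follows still receives that earlier status. As far as the visible lines show, an account-validation failure only writes a message to stderr and does not change the value that leaves vtysh_pam(), so a locked or expired account would not be turned away by this check. Suggest storing the result, `ret = pam_acct_mgmt(pamh, 0);`, testing `if (ret != PAM_SUCCESS)`, and running it only when the preceding authentication step succeeded so that an earlier failure code is not overwritten. The new format string also has no trailing newline, the same as the message just above it.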