TurboVNC / turbovnc

Main TurboVNC repository
https://TurboVNC.org
GNU General Public License v2.0

Added pam_acct_mgmt to PAM API Calls #246

Closed by ayoder770 3 years ago

ayoder770 commented 3 years ago

It was noticed in my environment that a user with an expired LDAP password was still able to connect to a VNC session with user ACLs in place. This may not be true in all cases, but we're using pam_sss for PAM authentication, which will return true for pam_authenticate on an expired password and expects pam_acct_mgmt to be called as well, which validates the user's account status. This PR adds the pam_acct_mgmt function call to the PAM API calls during PAM authentication to ensure the authenticating user's account is always being validated before granting access.

dcommander commented 3 years ago

Thanks for the patch. To whom should I attribute it in the copyright header?

ayoder770 commented 3 years ago

I authored the change: Andrew Yoder. If I need to submit that update, let me know. Thank you.

dcommander commented 3 years ago

No, that's fine. I'll add it to the copyright header myself when I integrate the patch.

dcommander commented 3 years ago

Integrated. (I was able to reproduce the issue without LDAP, incidentally. It affected /etc/passwd accounts as well.)

Sorry for the delay in integrating this. I was distracted by getting VirtualGL 2.6.5 and libjpeg-turbo 2.1 beta out the door. I'll be focusing on TurboVNC bug fixes over the next week or so in anticipation of an upcoming TurboVNC 2.2.6 release, with TurboVNC 3.0 beta to follow.
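
The gap discussed in this thread, as an added example that is not TurboVNC's code or part of the original PR: a small C model of the two-step decision, with the access check before and after an account-validation step is added. The `sim_*` functions, the `sim_rc` codes and the sample accounts are hypothetical stand-ins for `pam_authenticate`, `pam_acct_mgmt` and the PAM result codes, and denying on any non-success account result is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for PAM result codes (PAM_SUCCESS, PAM_AUTH_ERR,
 * PAM_NEW_AUTHTOK_REQD); real code takes them from <security/pam_appl.h>. */
enum sim_rc { SIM_SUCCESS, SIM_AUTH_ERR, SIM_NEW_AUTHTOK_REQD };

/* Constructed sample accounts; "bob" has a correct but expired password. */
struct account { const char *user, *password; int expired; };
static const struct account ACCOUNTS[] = {
    { "alice", "correct-horse", 0 },
    { "bob",   "old-secret",    1 },
};

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Models pam_authenticate() as described in the thread: only the
 * credential is checked, so an expired password still succeeds. */
static enum sim_rc sim_authenticate(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    return (a && strcmp(a->password, pw) == 0) ? SIM_SUCCESS : SIM_AUTH_ERR;
}

/* Models pam_acct_mgmt(): validates account status, not the credential. */
static enum sim_rc sim_acct_mgmt(const char *user) {
    const struct account *a = lookup(user);
    if (!a) return SIM_AUTH_ERR;
    return a->expired ? SIM_NEW_AUTHTOK_REQD : SIM_SUCCESS;
}

/* Before the fix: access is decided on the authentication result alone. */
int allow_before(const char *user, const char *pw) {
    return sim_authenticate(user, pw) == SIM_SUCCESS;
}

/* After the fix: both steps must succeed; any other result denies. */
int allow_after(const char *user, const char *pw) {
    if (sim_authenticate(user, pw) != SIM_SUCCESS) return 0;
    return sim_acct_mgmt(user) == SIM_SUCCESS;
}

int main(void) {
    printf("bob: before=%d after=%d\n", allow_before("bob", "old-secret"),
           allow_after("bob", "old-secret"));
    return 0;
}
```
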