vtysh: Account validity should be verified when authenticating users with PAM.

Description: SonarQube detects the following behaviour as a vulanarability. When authenticating users using PAM, it is strongly recommended to check the validity of the account (not locked, not expired ...), otherwise it leads to unauthorized access to resources. pam_acct_mgmt() should be called for account validity after calling pam_authenticate(). Signed-off-by: Rajesh Girada <rgirada@vmware.com>
author: rgirada <rgirada@vmware.com> 2022-06-23 07:37:28 -0700
committer: rgirada <rgirada@vmware.com> 2022-06-23 11:15:47 -0700
commit: 264a2a273fd1bf6543cef6bccf9019d09249b1a1 (patch)
tree: a6051e3187cff5950631ff68c3a1fb2040f0cfb6
parent: 8a8fd10a47c944f469f21e0aeb636f843685b891 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/vtysh/vtysh_user.c b/vtysh/vtysh_user.c
index 665e6ca90d..1ed284809e 100644
--- a/vtysh/vtysh_user.c
+++ b/vtysh/vtysh_user.c
@@ -71,6 +71,10 @@ static int vtysh_pam(const char *user)
 		fprintf(stderr, "vtysh_pam: Failure to initialize pam: %s(%d)",
 			pam_strerror(pamh, ret), ret);
 
+	if (pam_acct_mgmt(pamh, 0) != PAM_SUCCESS)
+		fprintf(stderr, "%s: Failed in account validation: %s(%d)",
+			__func__, pam_strerror(pamh, ret), ret);
+
 	/* close Linux-PAM */
 	if (pam_end(pamh, ret) != PAM_SUCCESS) {
 		pamh = NULL;
author	rgirada <rgirada@vmware.com>	2022-06-23 07:37:28 -0700
committer	rgirada <rgirada@vmware.com>	2022-06-23 11:15:47 -0700
commit	264a2a273fd1bf6543cef6bccf9019d09249b1a1 (patch)
tree	a6051e3187cff5950631ff68c3a1fb2040f0cfb6
parent	8a8fd10a47c944f469f21e0aeb636f843685b891 (diff)