To me it looks like the PAM authenticator check misses a call to pam_acct_mgmt in addition to the pam_authenticate that is already there, see the attached patch.
myproxy has similar code, and does a similar thing here: https://sources.debian.org/src/myproxy/6.2.14-2/auth_pam.c/?hl=227#L227 (It checks first with pam_authenticate(), then with pam_acct_mgmt(), and would fail if the account or password is expired).
-- Andreas Rönnquist gus...@debian.org
From: =?utf-8?q?Andreas_R=C3=B6nnquist?= <gus...@librem.one> Date: Thu, 11 Aug 2022 14:47:53 +0200 Subject: CVE-2022-26562: Check account validation in addition to authentication --- provider/libserver/ECKrbAuth.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/provider/libserver/ECKrbAuth.cpp b/provider/libserver/ECKrbAuth.cpp index cce39fb..c539a15 100644 --- a/provider/libserver/ECKrbAuth.cpp +++ b/provider/libserver/ECKrbAuth.cpp @@ -129,11 +129,21 @@ ECRESULT ECPAMAuthenticateUser(const char *szPamService, return KCERR_LOGON_FAILED; } res = pam_authenticate(pamh, PAM_SILENT); - pam_end(pamh, res); if (res != PAM_SUCCESS) { *lpstrError = pam_strerror(nullptr, res); + pam_end(pamh, res); return KCERR_LOGON_FAILED; } + + res = pam_acct_mgmt(pamh, PAM_SILENT); + if (res != PAM_SUCCESS) { + *lpstrError = pam_strerror(nullptr, res); + pam_end(pamh, res); + return KCERR_LOGON_FAILED; + } + + pam_end(pamh, res); + return erSuccess; }
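Review bot: Both error paths in this hunk still call `pam_strerror(nullptr, res)`, but with `pam_end()` now moved after the error lookup the handle is still valid at that point, so they should pass `pamh` instead; the `nullptr` was only there because the old code ended the handle first. A smaller style point: the three copies of "set *lpstrError, pam_end(), return KCERR_LOGON_FAILED" could be one helper or a single exit label so the next PAM stage added here does not get a fourth copy. Also worth stating in the commit message: `PAM_NEW_AUTHTOK_REQD` from `pam_acct_mgmt()` is now a refused logon, which is the right call for a non-interactive server but means a user with an expired password must change it elsewhere before they can log in again.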