From 3274a31153e9b730ec04874c61fc5119df6eb46b Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Wed, 7 Aug 2019 15:33:51 +0200
Subject: [PATCH] pam: Don't ask for fingerprints for remote logins

As written in the "Linux-PAM Application Developers' Guide" at
http://www.linux-pam.org/Linux-PAM-html/adg-security-user-identity.html:
"
As a general rule, the following convention for its value can be assumed:
NULL = unknown;
localhost = invoked directly from the local system;
other.place.xyz = some component of the user's connection originates from this remote/requesting host.
"

So also exit early if the hostname isn't localhost as it should be.

Closes: #21
---
 pam/pam_fprintd.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pam/pam_fprintd.c b/pam/pam_fprintd.c
index 74df661..19420fc 100644
--- a/pam/pam_fprintd.c
+++ b/pam/pam_fprintd.c
@@ -476,7 +476,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	G_TYPE_NONE, G_TYPE_STRING, G_TYPE_BOOLEAN, G_TYPE_INVALID);
 	pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost);
 
-	if (rhost != NULL && strlen(rhost) > 0) {
+
+	if (rhost == NULL || *rhost == '\0') {
+		/* unavailable host information */
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
+	if (strcmp (rhost, "localhost") != 0) {
 		/* remote login (e.g. over SSH) */
 		return PAM_AUTHINFO_UNAVAIL;
 	}
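Review bot: The new `rhost == NULL` branch turns a NULL PAM_RHOST into a hard PAM_AUTHINFO_UNAVAIL, but the guide quoted in the commit message defines NULL as "unknown", and the old condition deliberately treated it as local; local PAM services that never set PAM_RHOST (console login, screen lockers, sudo-style callers, presumably) will now lose fingerprint authentication entirely rather than be protected from remote use. If the intent is only to refuse remote sessions, fold the three checks into one condition and keep NULL/empty as local: `if (rhost != NULL && *rhost != '\0' && strcmp (rhost, "localhost") != 0) {` with the existing "remote login" comment and return, and describe the fail-open-for-unknown choice in a comment so the next reader does not "fix" it back. Note also that the `pam_get_item` return value on the context line is not checked; if `rhost` is not initialised before that call (its declaration is outside the hunk), a failing `pam_get_item` would leave it indeterminate before the new dereference, so `if (pam_get_item (...) != PAM_SUCCESS) rhost = NULL;` or an explicit `const char *rhost = NULL;` at the declaration would make the comparison safe. The body of pam_sm_authenticate starts and ends outside the hunk.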