> Nick Clifford <[EMAIL PROTECTED]> writes:
> > ps. Oh and if anyone is interested, we modified CVS to use PAM for
> > authentication instead of the /etc/passwd file. The patch is rough, but
> > it works. If anyone wants it, let me know.
>
> I'm interested. Perhaps you'd like to post the patch to the list as
> well?

Yup, here's the patch. It doesn't modify the configure script, only configure.in, so you'll need to run autoconf after applying the patch.
It should apply no probs; it works on cvs-1.10.7.

The patch is, as I said, rough. It doesn't correctly implement PAM support as per the documentation, as PAM requires prompting the user. I hard-coded it so that when PAM wants a cleartext string, it gives it the username, and when it wants a password string, I give it the password.

This could be hacked better by putting the support in pserver_authenticate_connection() rather than in check_password. However, as with most changes, it was done because it was needed, so making it nice and proper wasn't the top priority.

Oh, btw, Michael, thanks for the info; we're going to try that later in the day. My only concern is that it *appears* a vendor import sometimes merges changes rather than replacing them. But we'll give your idea a go and see what happens.
Nick
-- 
Nick Clifford
M2 Technology Ltd
Phone +64 9 444 8307 ext 260
Fax +64 9 444 8315
Email [EMAIL PROTECTED]
Web http://www.m2tech.co.nz/
Index: cvs/config.h.in
diff -c cvs/config.h.in:1.1.1.1 cvs/config.h.in:1.2
*** cvs/config.h.in:1.1.1.1 Mon Jun 26 16:19:06 2000
--- cvs/config.h.in Mon Jun 26 19:06:59 2000
***************
*** 275,277 ****
--- 275,281 ----
/* Define if you have the socket library (-lsocket). */
#undef HAVE_LIBSOCKET
+
+ /* Define if you have PAM support */
+ #undef HAVE_LIBPAM
+
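Review bot: if this tree's config.h.in is produced by autoheader (CVS ships an acconfig.h for that purpose), the hand-added `#undef HAVE_LIBPAM` template is lost the next time autoheader runs; put the template in acconfig.h instead, and for consistency with the entry above word it like "Define if you have the PAM library (-lpam)."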
Index: cvs/configure.in
diff -c cvs/configure.in:1.1.1.1 cvs/configure.in:1.2
*** cvs/configure.in:1.1.1.1 Mon Jun 26 16:19:06 2000
--- cvs/configure.in Mon Jun 26 19:06:59 2000
***************
*** 350,355 ****
--- 350,360 ----
fi
fi # enable_server
+ AC_CHECK_LIB(pam, pam_start)
+ if test "$ac_cv_lib_pam_pam_start" = yes; then
+ AC_DEFINE(HAVE_LIBPAM)
+ fi
+
dnl For the moment we will assume that all systems which have
dnl the unixyness to run configure are unixy enough to do the
dnl PreservePermissions stuff. I have this sinking feeling that
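Review bot: AC_CHECK_LIB(pam, pam_start) only proves that libpam links; server.c also needs <security/pam_appl.h> (and the pam_misc.h it includes), so add an AC_CHECK_HEADERS for the header(s) or HAVE_LIBPAM will be defined on a host where the compile then fails. The check also runs outside the `enable_server` block although only the server uses PAM, and there is no --with/--without option, so any build host that happens to have libpam installed silently switches the server's system authentication to PAM.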
Index: cvs/src/server.c
diff -c cvs/src/server.c:1.1.1.1 cvs/src/server.c:1.3
*** cvs/src/server.c:1.1.1.1 Mon Jun 26 16:19:23 2000
--- cvs/src/server.c Mon Jun 26 19:06:59 2000
***************
*** 118,123 ****
--- 118,128 ----
#endif
#endif /* AUTH_SERVER_SUPPORT */
+ #ifdef HAVE_LIBPAM
+ #include <security/pam_appl.h>
+ #include <security/pam_misc.h>
+ #endif /* HAVE_LIBPAM */
+
/* For initgroups(). */
#if HAVE_INITGROUPS
#include <grp.h>
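Review bot: <security/pam_misc.h> is Linux-PAM specific (it declares misc_conv and related helpers) and nothing in this patch uses it, since cvs_pam_conv supplies its own conversation function; keep only <security/pam_appl.h> so the code also builds against other PAM implementations.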
***************
*** 5265,5271 ****
--- 5270,5361 ----
return retval;
}
+ #ifdef HAVE_LIBPAM
+ /* CVS PAM support
+ *
+ * This module is a big "hack"
+ * the basic outline was taken from libapache-mod-auth-pam.
+ * There is a chance that this hack may be secure, however I wouldn't
+ * bank on it.
+ * The biggest problem is the cvs_pam_conv function, it doesn't do
+ * what its suppose to do. It just guesses that if the PAM module wants
+ * to prompt the user, with echo, then it wants the users username, and
+ * if it wants to prompt the user without echo, it wants the password.
+ *
+ * In order to support PAM authentication correctly, futher modification
+ * would need to be done, specifically to the
+ * pserver_authenticate_connection() function.
+ *
+ * Jun 2000, Nick Clifford <[EMAIL PROTECTED]>
+ */
+ struct pam_userinfo {
+ char *name;
+ char *pass;
+ };
+
+ static int cvs_pam_conv(int num_msg, const struct pam_message **msg,
+ struct pam_response **resp,
+ void *appdata_ptr)
+ {
+ int i;
+ struct pam_response *response = NULL;
+ struct pam_userinfo *userinfo = (struct pam_userinfo *) appdata_ptr;
+
+ if (!resp || !msg || !appdata_ptr)
+ return PAM_CONV_ERR;
+
+ response = (struct pam_response *) malloc(num_msg *
+ sizeof(struct pam_response));
+ if (response == NULL)
+ return PAM_CONV_ERR;
+
+ for(i = 0; i < num_msg; i++) {
+ response[i].resp_retcode = 0;
+ response[i].resp = 0;
+ switch(msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ response[i].resp = strdup(userinfo->name);
+ break;
+ case PAM_PROMPT_ECHO_OFF:
+ response[i].resp = strdup(userinfo->pass);
+ break;
+ default:
+ if (response)
+ free(response);
+ return PAM_CONV_ERR;
+ }
+ }
+ *resp = response;
+ return PAM_SUCCESS;
+ }
+ static char *check_pam(char *username, char *password)
+ {
+ struct pam_conv conv;
+ pam_handle_t *pamh=NULL;
+ int retval;
+ struct pam_userinfo userinfo;
+
+ conv.conv = cvs_pam_conv;
+ userinfo.name = username;
+ userinfo.pass = password;
+ conv.appdata_ptr = (void *) &userinfo;
+
+ retval = pam_start("cvs",username,&conv,&pamh);
+ if (retval != PAM_SUCCESS)
+ return NULL;
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_SUCCESS)
+ return NULL;
+ retval = pam_acct_mgmt(pamh,0);
+ if (retval != PAM_SUCCESS)
+ return NULL;
+ if (pam_end(pamh,retval) != PAM_SUCCESS)
+ return NULL;
+ return username;
+ }
+ #endif
+
/* Return a hosting username if password matches, else NULL. */
static char *
check_password (username, password, repository)
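Review bot: check_pam leaks the PAM handle on every failure path: when pam_authenticate or pam_acct_mgmt fails it returns NULL without calling pam_end, so each rejected login leaves a pamh and whatever the modules allocated behind; call pam_end(pamh, retval) before each return (and set pamh aside only after that). In cvs_pam_conv, the `default:` case frees the response array but not the strdup'd strings already stored in response[0..i-1], a NULL from strdup is stored as a reply unchecked, and the `if (response)` test is redundant after the NULL check a few lines earlier. Returning PAM_CONV_ERR for PAM_TEXT_INFO and PAM_ERROR_MSG also makes any module that emits an informational message (a password-expiry warning, for example) fail the whole authentication; those styles should get a NULL resp entry and PAM_SUCCESS. The service name "cvs" is hard-coded, so the patch should document that a PAM configuration for a service called cvs is required.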
***************
*** 5284,5289 ****
--- 5374,5392 ----
if (rc == 2)
return NULL;
+ #ifdef HAVE_LIBPAM
+ if (rc == 1)
+ {
+ goto handle_return;
+ }
+ else if (rc == 0 && system_auth)
+ {
+ host_user = check_pam(username,password);
+ }
+ goto handle_return;
+
+ #else
+
/* else */
if (rc == 1)
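Review bot: in the HAVE_LIBPAM branch the `rc == 0 && !system_auth` case falls through to `goto handle_return` without assigning host_user, so the deny decision depends on check_repository_password having left it NULL; assign host_user = NULL explicitly in that branch so the decision is local to the code that makes it. Note also that pam_start("cvs", ...) with no service file for cvs falls back to the system's "other" policy, whose default varies between systems, so the patch should state that administrators must install a cvs service configuration before deploying a PAM build.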
***************
*** 5381,5386 ****
--- 5484,5490 ----
goto handle_return;
}
+ #endif
handle_return:
if (host_user)
{
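Review bot: this `#endif` closes the `#ifdef HAVE_LIBPAM` opened two hunks earlier before `/* else */`, so in a PAM build the whole /etc/passwd branch of check_password (roughly a hundred lines) becomes dead code rather than an alternative. A smaller conditional around only the system-password comparison, or a runtime switch alongside `system_auth`, would keep one readable control flow and preserve the existing SystemAuth semantics.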
