This might be slightly controversial... :)

When accessing Squid from a Windows machine that is not logged onto a domain, Internet Explorer presents the user with a proxy authentication dialogue box for NTLM authentication, which requires the user name to be entered as DOMAIN\user. Other software may instead choose to use basic auth (handled by the basic_pam_auth authenticator) and pop up a similar authentication box which requires the bare user name (no "DOMAIN\").

It is often not clear to the user that there is a difference between these popup boxes, so they may not know whether or not to include the Windows domain. The attached patch modifies basic_pam_auth so that the user can enter their user name as a bare name, "DOMAIN\user" or "user@domain", and strips the domain part off so that the bare user name can be authenticated against PAM.

This should simplify things for the users, since they can just be told to enter their details in the "DOMAIN\user" format everywhere and it should just work. Obviously not much use in a multi-domain setup, but presumably one wouldn't be authenticating against PAM in such a situation anyway (?).

--

 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:[email protected]
   Email:            [email protected]
   Phone:            sip:[email protected]

Sales / enquiries contacts:
   Email:            [email protected]
   Phone:            +44-844-9791439 / sip:[email protected]

Support contacts:
   Email:            [email protected]
   Phone:            +44-844-4844916 / sip:[email protected]
Index: source/helpers/basic_auth/PAM/basic_pam_auth.cc
===================================================================
--- source/helpers/basic_auth/PAM/basic_pam_auth.cc	(revision 204)
+++ source/helpers/basic_auth/PAM/basic_pam_auth.cc	(working copy)
@@ -166,6 +166,7 @@
     pam_handle_t *pamh = NULL;
     int retval = PAM_SUCCESS;
     char *user;
+    char *user_ptr;
     char *password_buf;
     char buf[HELPER_INPUT_BUFFER];
     time_t pamh_created = 0;
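Review bot: `user_ptr` is declared at function scope here but is only used by the stripping block later in the function; declaring it next to that block (or using a block-scoped `char *` there) keeps the scope tight and makes it harder to confuse with `user`, which that same block reassigns. Minor.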
@@ -225,6 +226,14 @@
         rfc1738_unescape(password_buf);
         conv.appdata_ptr = (char *) password_buf;	/* from buf above. not allocated */
 
+        /* Remove DOMAIN\.. and ...@domain from the user name in case the user
+         * thought this was an NTLM authentication popup box
+         */
+        user_ptr = strchr(user, '@');
+        if (user_ptr) *user_ptr = 0;
+        user_ptr = strchr(user, '\\');
+        if (user_ptr) user = user_ptr + 1;
+
 #if _SQUID_SOLARIS_
         /* Workaround for Solaris 2.6 where the PAM library is broken
          * and does not pass appdata_ptr to the conversation routine
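Review bot: two cases slip through the stripping at `user_ptr = strchr(user, '@'); if (user_ptr) *user_ptr = 0;` and the backslash line below it. First, a login that is nothing but a domain prefix ("DOMAIN\" or "@example.com") leaves `user` pointing at an empty string, which is then passed to PAM; check for `*user == '\0'` after stripping and answer ERR instead of attempting an empty login. Second, the '@' truncation is unconditional, so a PAM account whose name legitimately contains '@' (mail-style logins through an LDAP-backed PAM module, say) can no longer authenticate, and "alice@a" and "alice@b" both collapse to "alice"; consider making the stripping opt-in via a command-line option, or at least stating it in the helper's usage text. Also worth a sentence in the commit message: the rewrite is local to the helper, so unless this Squid version lets the helper reply with an overriding user name, Squid still logs and matches proxy_auth ACLs against the name the client sent, which makes "DOMAIN\bob" and "bob" the same PAM account but two different Squid users.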

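As an added illustration, not code from the patch or from Squid, here is the same normalisation written as a stand-alone C function with the checks a reviewer would ask for: it refuses a login that reduces to an empty name or still carries a backslash, and reports a buffer that is too small rather than truncating. The function and type names (strip_domain, bare_user, the STRIP_* codes) and the sample logins are made up for the example; the order of operations (cut at '@' first, then take what follows the first backslash) matches the patch.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for strip_domain(). Hypothetical names, not Squid's. */
enum strip_result {
    STRIP_OK = 0,
    STRIP_EMPTY,      /* nothing left once the domain part is removed */
    STRIP_BAD_CHARS,  /* a backslash survives, e.g. "A\B\user"        */
    STRIP_TOO_LONG    /* caller's buffer too small for the bare name   */
};

/*
 * Reduce a login as typed into a basic-auth dialogue to the bare PAM user:
 *   "user"              -> "user"
 *   "DOMAIN\user"       -> "user"
 *   "user@example.com"  -> "user"
 *   "DOMAIN\user@realm" -> "user"
 * The input is left untouched; the bare name is copied into out.
 */
int strip_domain(const char *in, char *out, size_t outlen)
{
    const char *start = in;
    const char *at;
    const char *bs;
    size_t len;

    /* "user@domain": everything from the first '@' onwards is the domain. */
    at = strchr(in, '@');
    len = at ? (size_t)(at - in) : strlen(in);

    /* "DOMAIN\user": the bare name begins after the first backslash, as long
     * as that backslash lies before the '@' (if any). */
    bs = memchr(in, '\\', len);
    if (bs) {
        start = bs + 1;
        len -= (size_t)(start - in);
    }

    if (len == 0)
        return STRIP_EMPTY;        /* "DOMAIN\" or "@realm": refuse, never call PAM */
    if (memchr(start, '\\', len))
        return STRIP_BAD_CHARS;    /* "A\B\user": ambiguous, refuse */
    if (len >= outlen)
        return STRIP_TOO_LONG;

    memcpy(out, start, len);
    out[len] = '\0';
    return STRIP_OK;
}

/* Convenience wrapper: the bare name, or NULL when the login is rejected.
 * Uses a static buffer, so copy the result before the next call. */
const char *bare_user(const char *in)
{
    static char buf[64];
    return strip_domain(in, buf, sizeof buf) == STRIP_OK ? buf : NULL;
}

int main(void)
{
    /* Constructed sample logins, as a user might type them into either dialogue. */
    const char *samples[] = {
        "alice", "CORP\\alice", "alice@corp.example", "CORP\\alice@corp.example",
        "CORP\\", "@corp.example", "CORP\\SUB\\alice"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *bare = bare_user(samples[i]);
        printf("%-26s -> %s\n", samples[i], bare ? bare : "(rejected)");
    }
    return 0;
}
```

Rejected logins are answered before PAM is consulted, which is the behaviour the helper should have for an empty or ambiguous name; whatever is accepted is still only the PAM side of the story, since Squid itself keeps the name exactly as the client sent it.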