svn commit: r207553 - head/lib/libpam/modules/pam_krb5

Mon, 03 May 2010 00:32:56 -0700 

Author: mm
Date: Mon May  3 07:32:24 2010
New Revision: 207553
URL: http://svn.freebsd.org/changeset/base/207553

Log:
  Implement the no_user_check option to pam_krb5.
  
  This option is available in the Linux implementation of pam_krb5
  and allows to authorize a user not known to the local system.
  
  Ccache is not used as we don't have a secure uid/gid for the cache file.
  
  Usable for authentication of external kerberos users (e.g Active Directory)
  via PAM from applications like Cyrus saslauthd, PHP or perl.
  
  PR:           bin/146186
  Submitted by: myself
  Approved by:  deplhij (mentor)
  MFC after:    2 weeks

Modified:
  head/lib/libpam/modules/pam_krb5/pam_krb5.8
  head/lib/libpam/modules/pam_krb5/pam_krb5.c

Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.8
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8 Mon May  3 07:08:16 2010        
(r207552)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8 Mon May  3 07:32:24 2010        
(r207553)
@@ -108,6 +108,10 @@ and
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component

Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c Mon May  3 07:08:16 2010        
(r207552)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c Mon May  3 07:32:24 2010        
(r207553)
@@ -89,6 +89,7 @@ static void   compat_free_data_contents(kr
 #define PAM_OPT_DEBUG          "debug"
 #define PAM_OPT_FORWARDABLE    "forwardable"
 #define PAM_OPT_NO_CCACHE      "no_ccache"
+#define PAM_OPT_NO_USER_CHECK  "no_user_check"
 #define PAM_OPT_REUSE_CCACHE   "reuse_ccache"
 
 /*
@@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
        PAM_LOG("Got password");
 
+       if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+               PAM_LOG("Skipping local user check");
+       else {
+
        /* Verify the local user exists (AFTER getting the password) */
        if (strchr(user, '@')) {
                /* get a local account name for this principal */
@@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
        }
 
        PAM_LOG("Done getpwnam()");
+       }
 
        /* Get a TGT */
        memset(&creds, 0, sizeof(krb5_creds));
@@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
                return (PAM_SERVICE_ERR);
 
        /* If a persistent cache isn't desired, stop now. */
-       if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+       if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+               openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
                return (PAM_SUCCESS);
 
        PAM_LOG("Establishing credentials");
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"

Reply via email to