Author: mm
Date: Mon May 17 14:27:40 2010
New Revision: 208193
URL: http://svn.freebsd.org/changeset/base/208193

Log:
  MFC r207553, r207555, r207651:
  
  Implement the no_user_check option to pam_krb5.
  
  This option is available in the Linux implementation of pam_krb5
  and allows authorizing a user who is not known to the local system.
  
  Ccache is not used as we don't have a secure uid/gid for the cache file.
  
  Usable for authentication of external kerberos users (e.g Active Directory)
  via PAM from applications like Cyrus saslauthd, PHP or perl.
  
  PR:           bin/146186
  Approved by:  deplhij (mentor)

Modified:
  stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8
  stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c
Directory Properties:
  stable/8/lib/libpam/   (props changed)

Modified: stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8
==============================================================================
--- stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8     Mon May 17 14:20:26 
2010        (r208192)
+++ stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8     Mon May 17 14:27:40 
2010        (r208193)
@@ -1,7 +1,7 @@
 .\"
 .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
 .\" $FreeBSD$
-.Dd January 15, 1999
+.Dd May 3, 2010
 .Dt PAM_KRB5 8
 .Os
 .Sh NAME
@@ -108,6 +108,10 @@ and
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component

Modified: stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c
==============================================================================
--- stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c     Mon May 17 14:20:26 
2010        (r208192)
+++ stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c     Mon May 17 14:27:40 
2010        (r208193)
@@ -89,6 +89,7 @@ static void   compat_free_data_contents(kr
 #define PAM_OPT_DEBUG          "debug"
 #define PAM_OPT_FORWARDABLE    "forwardable"
 #define PAM_OPT_NO_CCACHE      "no_ccache"
+#define PAM_OPT_NO_USER_CHECK  "no_user_check"
 #define PAM_OPT_REUSE_CCACHE   "reuse_ccache"
 
 /*
@@ -194,34 +195,39 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
        PAM_LOG("Got password");
 
-       /* Verify the local user exists (AFTER getting the password) */
-       if (strchr(user, '@')) {
-               /* get a local account name for this principal */
-               krbret = krb5_aname_to_localname(pam_context, princ,
-                   sizeof(luser), luser);
-               if (krbret != 0) {
-                       PAM_VERBOSE_ERROR("Kerberos 5 error");
-                       PAM_LOG("Error krb5_aname_to_localname(): %s",
-                           krb5_get_err_text(pam_context, krbret));
-                       retval = PAM_USER_UNKNOWN;
-                       goto cleanup2;
+       if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+               PAM_LOG("Skipping local user check");
+       else {
+
+               /* Verify the local user exists (AFTER getting the password) */
+               if (strchr(user, '@')) {
+                       /* get a local account name for this principal */
+                       krbret = krb5_aname_to_localname(pam_context, princ,
+                           sizeof(luser), luser);
+                       if (krbret != 0) {
+                               PAM_VERBOSE_ERROR("Kerberos 5 error");
+                               PAM_LOG("Error krb5_aname_to_localname(): %s",
+                                   krb5_get_err_text(pam_context, krbret));
+                               retval = PAM_USER_UNKNOWN;
+                               goto cleanup2;
+                       }
+
+                       retval = pam_set_item(pamh, PAM_USER, luser);
+                       if (retval != PAM_SUCCESS)
+                               goto cleanup2;
+
+                       PAM_LOG("PAM_USER Redone");
                }
 
-               retval = pam_set_item(pamh, PAM_USER, luser);
-               if (retval != PAM_SUCCESS)
+               pwd = getpwnam(user);
+               if (pwd == NULL) {
+                       retval = PAM_USER_UNKNOWN;
                        goto cleanup2;
+               }
 
-               PAM_LOG("PAM_USER Redone");
-       }
-
-       pwd = getpwnam(user);
-       if (pwd == NULL) {
-               retval = PAM_USER_UNKNOWN;
-               goto cleanup2;
+               PAM_LOG("Done getpwnam()");
        }
 
-       PAM_LOG("Done getpwnam()");
-
        /* Get a TGT */
        memset(&creds, 0, sizeof(krb5_creds));
        krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
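Review bot: The no_user_check branch on the `if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))` line leaves `pwd` unassigned, and from this hunk alone it is not visible whether pam_sm_authenticate reads `pwd` after the TGT is obtained; if it does, that path now dereferences an uninitialized pointer, so either initialize it as `pwd = NULL;` before the test or confirm there is no later use. The branch also skips the krb5_aname_to_localname mapping that the `strchr(user, '@')` path performs, so PAM_USER stays exactly as the caller supplied it, possibly a full principal with a realm; that deserves a comment where the option is tested, e.g. `/* no_user_check: no local mapping, PAM_USER stays as given (may be a full principal) */`. On style, style(9) wants braces on both branches when either needs them, so `if (...) {` / `} else {`, and the blank line after `else {` can go. pam_sm_authenticate starts before and ends after this hunk.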
@@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
                return (PAM_SERVICE_ERR);
 
        /* If a persistent cache isn't desired, stop now. */
-       if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+       if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+               openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
                return (PAM_SUCCESS);
 
        PAM_LOG("Establishing credentials");
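Review bot: The existing comment `/* If a persistent cache isn't desired, stop now. */` no longer explains the second operand added on the `openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))` line; extend it to `/* If a persistent cache isn't desired, or no_user_check is set (no trusted local uid/gid to own the cache file), stop now. */` so the implication documented in pam_krb5.8 is visible in the code. The continuation line is indented by a full extra tab, whereas style(9) uses four spaces for continuation lines. pam_sm_setcred starts before and ends after this hunk.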