Date: Wed, 12 Jan 2005 12:15:21 -0600 (CST)
From: Dan Nelson <dnelson@allantgroup.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/76169: [PATCH] Add PAM support to cvs pserver
Message-ID: <200501121815.j0CIFLdk048734@dan.emsphone.com>
Resent-Message-ID: <200501121820.j0CIKMkn081104@freefall.freebsd.org>
>Number:         76169
>Category:       bin
>Synopsis:       [PATCH] Add PAM support to cvs pserver
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 12 18:20:21 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dan Nelson
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dan.emsphone.com 5.3-STABLE FreeBSD 5.3-STABLE #386: Tue Jan 11 12:01:34 CST 2005 zsh@dan.emsphone.com:/usr/src/sys/i386/compile/DANSMP i386
>Description:
Most of the base services have been PAM-ified, but cvs is a notable exception. CVS 1.12 will have PAM support, but I don't know when 1.12 will be declared stable. The following patch is based on Steve McIntyre's 1.11 patch at http://ccvs.cvshome.org/issues/show_bug.cgi?id=44 .
>How-To-Repeat:
>Fix:
Index: contrib/cvs/src/server.c =================================================================== RCS file: /home/ncvs/src/contrib/cvs/src/server.c,v retrieving revision 1.24 diff -u -p -r1.24 server.c --- contrib/cvs/src/server.c 10 Jun 2004 19:12:50 -0000 1.24 +++ contrib/cvs/src/server.c 5 Jan 2005 18:25:50 -0000 @@ -20,6 +20,13 @@ #include "getline.h" #include "buffer.h" +#define HAVE_PAM + +#ifdef HAVE_PAM +#include <security/pam_appl.h> +#include <security/openpam.h> +#endif + #if defined(SERVER_SUPPORT) || defined(CLIENT_SUPPORT) # ifdef HAVE_GSSAPI /* This stuff isn't included solely with SERVER_SUPPORT since some of these
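Review bot: the unconditional `#define HAVE_PAM` placed directly before `#ifdef HAVE_PAM` in the first server.c hunk makes every HAVE_PAM guard in the patch always true and leaves no way to build cvs without PAM; drop it from the contrib source and set it from the build instead, e.g. `CFLAGS+= -DHAVE_PAM` in gnu/usr.bin/cvs/cvs/Makefile next to the `-lpam` that hunk adds, preferably behind a knob in the style of the existing `NO_KERBEROS` test. Note also that `<security/openpam.h>` is an OpenPAM-only header pulled in just for `openpam_nullconv`, so this file now compiles only against OpenPAM, which is worth a comment since it lives under contrib/.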
@@ -5593,7 +5600,66 @@ check_repository_password (username, pas return retval; } +#ifdef HAVE_PAM + +static struct pam_conv conv = { + openpam_nullconv, + NULL +}; + +/* Modelled very closely on the example code in "The Linux-PAM + Application Developers' Guide" by Andrew G. Morgan. */ +static int +check_pam_password (username, password, repository, host_user_ptr) + char *username, *password, *repository, **host_user_ptr; +{ + pam_handle_t *pamh=NULL; + int retval; + int rc = 0; + + retval = pam_start("cvs", username, &conv, &pamh); + + if (retval == PAM_SUCCESS) + retval = pam_set_item(pamh, PAM_AUTHTOK, password); + + if (retval == PAM_SUCCESS) + retval = pam_authenticate(pamh, 0); /* is user really user? */ + + if (retval == PAM_SUCCESS) + retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ + + /* This is where we have been authorized or not. */ + + switch(retval) + { + case PAM_SUCCESS: + *host_user_ptr = xstrdup(username); + rc = 1; + break; + case PAM_AUTH_ERR: + syslog (LOG_DAEMON | LOG_ERR, + "some pam function failed: %s ", + pam_strerror(pamh, retval)); + *host_user_ptr = NULL; + rc = 2; + break; + default: + syslog (LOG_DAEMON | LOG_ERR, + "some pam function failed: %s ", + pam_strerror(pamh, retval)); + *host_user_ptr = NULL; + rc = 0; + break; + } + + if (pam_end(pamh, retval) != PAM_SUCCESS) { /* close PAM */ + pamh = NULL; + fprintf(stderr, "failed to release authenticator\n"); + } + return rc; /* indicate success */ +} +#endif /* HAVE_PAM */ /* Return a hosting username if password matches, else NULL. */ static char * 
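Review bot: with `openpam_nullconv` installed as the conversation function, any module that tries to prompt gets PAM_CONV_ERR, so `pam_authenticate` succeeds only when the `cvs` service policy lets modules consume the pre-set `PAM_AUTHTOK` item (for pam_unix that means `use_first_pass` or `try_first_pass`); the patch ships no `/etc/pam.d/cvs`, and without one `pam_start ("cvs", ...)` falls back to the `other` policy, so the change needs a policy file and a note on that requirement. Two smaller points in the same function: the `PAM_AUTH_ERR` and `default` arms log the identical "some pam function failed: %s" text at `LOG_DAEMON | LOG_ERR`, while the refusals already in check_password use `LOG_AUTHPRIV | LOG_NOTICE`, and a plain wrong password is not a function failure, so give the auth-error arm its own message and facility; and the `fprintf (stderr, "failed to release authenticator\n")` on `pam_end` failure should be a syslog call like everything else here, since this runs inside the server.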
@@ -5639,6 +5705,26 @@ check_password (username, password, repo error_exit (); } + +#ifdef HAVE_PAM + rc = check_pam_password (username, password, repository, + &host_user); + if (rc == 2) + { + syslog (LOG_NOTICE, + "pam auth failed for %s", username); + return NULL; + } + + /* else */ + + if (rc == 1) + { + /* host_user already set by reference, so just return. */ + goto handle_return; + } +#else /* HAVE_PAM */ + /* No cvs password found, so try /etc/passwd. */ #ifdef HAVE_GETSPNAM @@ -5714,6 +5800,7 @@ error 0 %s: no such user\n", username); syslog (LOG_AUTHPRIV | LOG_NOTICE, "login refused for %s: user has no password", username); #endif +#endif /* HAVE_PAM */ handle_return: if (host_user) Index: gnu/usr.bin/cvs/cvs/Makefile =================================================================== RCS file: /home/ncvs/src/gnu/usr.bin/cvs/cvs/Makefile,v retrieving revision 1.48 diff -u -p -r1.48 Makefile --- gnu/usr.bin/cvs/cvs/Makefile 6 Aug 2004 07:27:03 -0000 1.48 +++ gnu/usr.bin/cvs/cvs/Makefile 5 Jan 2005 18:25:50 -0000 @@ -31,7 +31,7 @@ CFLAGS+= -I${.CURDIR} -I../lib -DHAVE_CO -I${CVSDIR}/lib -I${CVSDIR}/diff -I. DPADD= ${LIBCVS} ${LIBDIFF} ${LIBGNUREGEX} ${LIBMD} ${LIBCRYPT} ${LIBZ} -LDADD= ${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz +LDADD= ${LIBCVS} ${LIBDIFF} -lgnuregex -lmd -lcrypt -lz -lpam .if !defined(NO_KERBEROS) && !defined(NO_OPENSSL) && !defined(NOCRYPT) CFLAGS+= -DHAVE_GSSAPI -DHAVE_GSSAPI_H -DENCRYPTION >Release-Note: >Audit-Trail: >Unformatted:
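Review bot: in the new `#ifdef HAVE_PAM` block in check_password, only `rc == 2` gets the "pam auth failed for %s" LOG_NOTICE and an explicit `return NULL`; `rc == 0` (every PAM result other than PAM_SUCCESS and PAM_AUTH_ERR) simply falls out of the block to `handle_return` with `host_user` already NULL, so the user is refused but the only record is the callee's generic "some pam function failed" line. Since nothing in this caller needs the three-valued return inherited from check_repository_password, either collapse the two failure codes or log the `rc == 0` case the same way. Also confirm that the `error_exit ();` in the leading context lines is the SystemAuth check, so that `SystemAuth=no` in CVSROOT/config still turns this path off.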
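Review bot: the `#endif /* HAVE_PAM */` added before `handle_return:` closes the `#else /* HAVE_PAM */` from the previous hunk, which places the whole /etc/passwd path, including the `login refused for %s: user has no password` rejection visible in this hunk's context, on the non-PAM side. A PAM build therefore no longer refuses empty system passwords itself; that decision rests entirely on the module policy (pam_unix rejects empty passwords unless given `nullok`), which is one more reason the change should ship an explicit, reviewed `/etc/pam.d/cvs`.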
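Review bot: the Makefile hunk adds `-lpam` to LDADD but leaves DPADD unchanged, so make(1) dependency tracking will not see libpam; add `${LIBPAM}` after `${LIBCRYPT} ${LIBZ}` on the DPADD line. This is also where `-DHAVE_PAM` belongs rather than hard-coded in contrib/cvs/src/server.c, ideally conditional so PAM can be switched off the way the `NO_KERBEROS`/`NO_OPENSSL`/`NOCRYPT` block just below controls GSSAPI.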
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501121815.j0CIFLdk048734>