Date:      Sat, 22 Mar 2014 14:50:01 GMT
From:      Lukas Slebodnik <lukas.slebodnik@intrak.sk>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/186545: [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
Message-ID:  <201403221450.s2MEo1e6037083@freefall.freebsd.org>

The following reply was made to PR ports/186545; it has been noted by GNATS.

From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/186545: [PATCH] security/sssd: add ignore_unknown_user
 option to pam_sss
Date: Sat, 22 Mar 2014 15:46:02 +0100

 --W/nzBZO5zC0uMSeA
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Sat, Feb 08, 2014 at 12:39:08PM +0100, Lukas Slebodnik wrote:
 > You are right. It is not possible to obtain the same behaviour as on Linux.
 > OpenPAM does not recognise the following syntax.
 > 
 > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 > 
 > This is the same problem as another PR
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=184464.
 > 
 > I communicated with the reporter privately and I have a prepared patch. It will be
 > part of the work on including OpenPAM into sssd, because sssd is heavily patched
 > on FreeBSD.
 > 
 > BTW your patch solves the main issue, but there are other corner cases you did
 > not identify.
 > 
 > Thank you very much for the report. I will wait until the solution is accepted by
 > upstream.
 
 The patch was accepted upstream with small changes a week ago.
 
 Attached is the patch for ports.
 
 LS
 
 --W/nzBZO5zC0uMSeA
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="0001-PAM-add-ignore_unknown_user-option.patch"
 
 From 163991b8a12d2e96b98258eefcfde12a7b581a19 Mon Sep 17 00:00:00 2001
 From: Lukas Slebodnik <lslebodn@redhat.com>
 Date: Sat, 22 Mar 2014 15:19:45 +0100
 Subject: [PATCH]  PAM: add ignore_unknown_user option
 
 ---
  files/patch-src__man__pam_sss.8.xml    | 43 +++++++++++++++++++++++++++
  files/patch-src__sss_client__pam_sss.c | 53 +++++++++++++++++++++++++++++-----
  2 files changed, 89 insertions(+), 7 deletions(-)
  create mode 100644 files/patch-src__man__pam_sss.8.xml
 
 diff --git a/files/patch-src__man__pam_sss.8.xml b/files/patch-src__man__pam_sss.8.xml
 new file mode 100644
 index 0000000000000000000000000000000000000000..9e59aa0200754b3b1d40a6f920f5e0a1fd59425f
 --- /dev/null
 +++ b/files/patch-src__man__pam_sss.8.xml
 @@ -0,0 +1,43 @@
 +From 1a7794d0e3c9fa47f7b0256518186ce214e93504 Mon Sep 17 00:00:00 2001
 +From: Lukas Slebodnik <lslebodn@redhat.com>
 +Date: Sat, 22 Mar 2014 15:09:34 +0100
 +Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml
 +
 +---
 + src/man/pam_sss.8.xml | 13 +++++++++++++
 + 1 file changed, 13 insertions(+)
 +
 +diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml
 +index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296bec2d8e739 100644
 +--- src/man/pam_sss.8.xml
 ++++ src/man/pam_sss.8.xml
 +@@ -37,6 +37,9 @@
 +             <arg choice='opt'>
 +                 <replaceable>retry=N</replaceable>
 +             </arg>
 ++            <arg choice='opt'>
 ++                <replaceable>ignore_unknown_user</replaceable>
 ++            </arg>
 +         </cmdsynopsis>
 +     </refsynopsisdiv>
 + 
 +@@ -103,6 +106,16 @@
 +                     <option>PasswordAuthentication</option>.</para>
 +                 </listitem>
 +             </varlistentry>
 ++            <varlistentry>
 ++                <term>
 ++                    <option>ignore_unknown_user</option>
 ++                </term>
 ++                <listitem>
 ++                    <para>If this option is specified and the user does not
 ++                    exist, the PAM module will return PAM_IGNORE. This causes
 ++                    the PAM framework to ignore this module.</para>
 ++                </listitem>
 ++            </varlistentry>
 +         </variablelist>
 +     </refsect1>
 + 
 +-- 
 +1.8.5.3
 +
 diff --git a/files/patch-src__sss_client__pam_sss.c b/files/patch-src__sss_client__pam_sss.c
 index 45370623ca745c5bc0c48438083c8c32851e6da9..a1bf2821429d47ae775e54147790f51e5dc2a4c7 100644
 --- a/files/patch-src__sss_client__pam_sss.c
 +++ b/files/patch-src__sss_client__pam_sss.c
 @@ -1,17 +1,25 @@
 -From 86816db5982df0c1b0c5f5722e23111c62ff362e Mon Sep 17 00:00:00 2001
 +From 68fcd5f830b6451de5fd9d697fa6602dc3ca9972 Mon Sep 17 00:00:00 2001
  From: Lukas Slebodnik <lukas.slebodnik@intrak.sk>
  Date: Sat, 27 Jul 2013 15:02:31 +0200
 -Subject: [PATCH 31/34] patch-src__sss_client__pam_sss.c
 +Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c
  
  ---
 - src/sss_client/pam_sss.c | 2 ++
 - 1 file changed, 2 insertions(+)
 + src/sss_client/pam_sss.c | 13 +++++++++++++
 + 1 file changed, 13 insertions(+)
  
  diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
 -index 3734c8f..7110d38 100644
 +index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe4101d2268f3 100644
  --- src/sss_client/pam_sss.c
  +++ src/sss_client/pam_sss.c
 -@@ -125,10 +125,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
 +@@ -52,6 +52,7 @@
 + #define FLAGS_USE_FIRST_PASS (1 << 0)
 + #define FLAGS_FORWARD_PASS   (1 << 1)
 + #define FLAGS_USE_AUTHTOK    (1 << 2)
 ++#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
 + 
 + #define PWEXP_FLAG "pam_sss:password_expired_flag"
 + #define FD_DESTRUCTOR "pam_sss:fd_destructor"
 +@@ -125,10 +126,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
   
   static void close_fd(pam_handle_t *pamh, void *ptr, int err)
   {
 @@ -24,6 +32,37 @@ index 3734c8f..7110d38 100644
   
       D(("Closing the fd"));
       sss_pam_close_fd();
 +@@ -1292,6 +1295,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
 +             }
 +         } else if (strcmp(*argv, "quiet") == 0) {
 +             *quiet_mode = true;
 ++        } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
 ++            *flags |= FLAGS_IGNORE_UNKNOWN_USER;
 +         } else {
 +             logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
 +         }
 +@@ -1429,6 +1434,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 +     ret = get_pam_items(pamh, &pi);
 +     if (ret != PAM_SUCCESS) {
 +         D(("get items returned error: %s", pam_strerror(pamh,ret)));
 ++        if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
 ++            ret = PAM_IGNORE;
 ++        }
 +         return ret;
 +     }
 + 
 +@@ -1467,6 +1475,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 + 
 +         pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
 + 
 ++        if (flags & FLAGS_IGNORE_UNKNOWN_USER
 ++                && pam_status == PAM_USER_UNKNOWN) {
 ++            pam_status = PAM_IGNORE;
 ++        }
 ++
 +         switch (task) {
 +             case SSS_PAM_AUTHENTICATE:
 +                 /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
  -- 
 -1.8.0
 +1.8.5.3
  
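Review bot: The two new PAM_IGNORE rewrites in pam_sss() (`if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN)` after get_pam_items, and the split-line equivalent after send_and_receive) downgrade the module's verdict without leaving any trace, so an unexpected PAM_IGNORE in an OpenPAM stack is hard to attribute to this option when diagnosing a misconfiguration; a `D(("ignore_unknown_user set, returning PAM_IGNORE"));` inside each branch would make it visible. At the first site the preceding D() still reports "get items returned error" with the original code, and at the second nothing is logged at all. For readability, and to stop relying on `&` binding tighter than `&&`, parenthesise the mask test at both sites, e.g. `if ((flags & FLAGS_IGNORE_UNKNOWN_USER) && ret == PAM_USER_UNKNOWN) {`. pam_sss() starts and ends outside this hunk, so whether the `switch (task)` that follows the second site treats PAM_IGNORE sensibly for every task value cannot be confirmed here and is worth checking in the full function.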
 -- 
 1.8.5.3
 
 
 --W/nzBZO5zC0uMSeA--


