Date: Fri, 30 Apr 2010 15:03:09 +0200 (CEST) From: Martin Matuska <mm@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/146186: [PATCH] implement no_user_check option for pam_krb5.so Message-ID: <20100430130309.4DAB13BE0C@mail2.vx.sk> Resent-Message-ID: <201004301310.o3UDA1Dg027826@freefall.freebsd.org>
>Number: 146186 >Category: bin >Synopsis: [PATCH] implement no_user_check option for pam_krb5.so >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Apr 30 13:10:01 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Martin Matuska >Release: FreeBSD 8.0-STABLE amd64 >Organization: >Environment: System: FreeBSD neo.vx.sk 8.0-STABLE FreeBSD 8.0-STABLE #15 r207431M: Fri Apr 30 12:33:12 CEST 2010 root@neo.vx.sk:/usr/obj/stable/sys/NEO amd64 >Description: Implement the no_user_check option to pam_krb5 - this option allows to authorize a user not known to the local system (like in port security/pam_krb5) - ccache is not used as we do not have a local uid/gid for the files - usable for authentication of external kerberos users via PAM, e.g. from PHP or perl >How-To-Repeat: >Fix:
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.c
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c (revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c (working copy)
@@ -89,6 +89,7 @@
 #define PAM_OPT_DEBUG "debug"
 #define PAM_OPT_FORWARDABLE "forwardable"
 #define PAM_OPT_NO_CCACHE "no_ccache"
+#define PAM_OPT_NO_USER_CHECK "no_user_check"
 #define PAM_OPT_REUSE_CCACHE "reuse_ccache"
 /*
@@ -194,34 +195,37 @@
 PAM_LOG("Got password");
- /* Verify the local user exists (AFTER getting the password) */
- if (strchr(user, '@')) {
- /* get a local account name for this principal */
- krbret = krb5_aname_to_localname(pam_context, princ,
- sizeof(luser), luser);
- if (krbret != 0) {
- PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_aname_to_localname(): %s",
- krb5_get_err_text(pam_context, krbret));
- retval = PAM_USER_UNKNOWN;
+ if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+ /* Verify the local user exists (AFTER getting the password) */
+ if (strchr(user, '@')) {
+ /* get a local account name for this principal */
+ krbret = krb5_aname_to_localname(pam_context, princ,
+ sizeof(luser), luser);
+ if (krbret != 0) {
+ PAM_VERBOSE_ERROR("Kerberos 5 error");
+ PAM_LOG("Error krb5_aname_to_localname(): %s",
+ krb5_get_err_text(pam_context, krbret));
+ retval = PAM_USER_UNKNOWN;
+ goto cleanup2;
+ }
+
+ retval = pam_set_item(pamh, PAM_USER, luser);
+ if (retval != PAM_SUCCESS)
 goto cleanup2;
+
+ PAM_LOG("PAM_USER Redone");
 }
- retval = pam_set_item(pamh, PAM_USER, luser);
- if (retval != PAM_SUCCESS)
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
 goto cleanup2;
+ }
- PAM_LOG("PAM_USER Redone");
- }
+ PAM_LOG("Done getpwnam()");
+ } else
+ PAM_LOG("Skipping local user check");
- pwd = getpwnam(user);
- if (pwd == NULL) {
- retval = PAM_USER_UNKNOWN;
- goto cleanup2;
- }
-
- PAM_LOG("Done getpwnam()");
-
 /* Get a TGT */
 memset(&creds, 0, sizeof(krb5_creds));
 krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
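Review bot: With `no_user_check` set the branch skips the `krb5_aname_to_localname()` mapping as well as `getpwnam()`, so a principal the realm's aname rules would previously have rejected with PAM_USER_UNKNOWN now proceeds straight to `krb5_get_init_creds_password()`, and PAM_USER is left exactly as the caller supplied it, `user@REALM` included; nothing in the hunk, and nothing in the man page text added by this patch, says that the option drops that principal-to-account authorization step. I would say so at the branch: `/* no_user_check: authenticate only -- no principal-to-localname mapping, no getpwnam(), PAM_USER left unchanged; the caller must authorize the principal itself. */`. `pwd` also stays NULL on this path, so any later use of it in pam_sm_authenticate, which starts and ends outside the hunk, would need a guard.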
@@ -366,7 +370,8 @@
 return (PAM_SERVICE_ERR);
 /* If a persistent cache isn't desired, stop now. */
- if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+ if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+ openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 return (PAM_SUCCESS);
 PAM_LOG("Establishing credentials");
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.8
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8 (revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8 (working copy)
@@ -108,6 +108,10 @@
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
>Release-Note: >Audit-Trail: >Unformatted:
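Review bot: The context comment `/* If a persistent cache isn't desired, stop now. */` no longer describes the second condition, which bails out because with `no_user_check` there is no local account (and per the PR, no uid/gid) to own a persistent cache file, and the coupling between the two options is otherwise only stated in the man page. Suggest `/* Stop here if no persistent cache is wanted, or if no_user_check is set (no local uid/gid to own a cache file). */`. pam_sm_setcred starts and ends outside the hunk.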