From owner-freebsd-bugs@FreeBSD.ORG Fri Apr 30 13:10:01 2010
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B05291065672 for ; Fri, 30 Apr 2010 13:10:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 8CDEF8FC29 for ; Fri, 30 Apr 2010 13:10:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o3UDA1jT027827 for ; Fri, 30 Apr 2010 13:10:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o3UDA1Dg027826; Fri, 30 Apr 2010 13:10:01 GMT (envelope-from gnats)
Resent-Date: Fri, 30 Apr 2010 13:10:01 GMT
Resent-Message-Id: <201004301310.o3UDA1Dg027826@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Martin Matuska
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AA6AB106566C for ; Fri, 30 Apr 2010 13:03:15 +0000 (UTC) (envelope-from mm@mail2.vx.sk)
Received: from mail2.vx.sk (neo.vx.sk [188.40.111.84]) by mx1.freebsd.org (Postfix) with ESMTP id 3ADEE8FC08 for ; Fri, 30 Apr 2010 13:03:14 +0000 (UTC)
Received: from neo.vx.sk (localhost [127.0.0.1]) by mail2.vx.sk (Postfix) with ESMTP id 275853BE45 for ; Fri, 30 Apr 2010 15:03:14 +0200 (CEST)
Received: from mail2.vx.sk ([127.0.0.1]) by neo.vx.sk (neo.vx.sk [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Qg9xEev0dwfC for ; Fri, 30 Apr 2010 15:03:09 +0200 (CEST)
Received: by mail2.vx.sk (Postfix, from userid 1001) id 4DAB13BE0C; Fri, 30 Apr 2010 15:03:09 +0200 (CEST)
Message-Id: <20100430130309.4DAB13BE0C@mail2.vx.sk>
Date: Fri, 30 Apr 2010 15:03:09 +0200 (CEST)
From: Martin Matuska
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: bin/146186: [PATCH] implement no_user_check option for pam_krb5.so
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Martin Matuska
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 Apr 2010 13:10:01 -0000

>Number: 146186
>Category: bin
>Synopsis: [PATCH] implement no_user_check option for pam_krb5.so
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 30 13:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Martin Matuska
>Release: FreeBSD 8.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD neo.vx.sk 8.0-STABLE FreeBSD 8.0-STABLE #15 r207431M: Fri Apr 30 12:33:12 CEST 2010 root@neo.vx.sk:/usr/obj/stable/sys/NEO amd64
>Description:
Implement the no_user_check option to pam_krb5
- this option allows authorizing a user not known to the local system (like in port security/pam_krb5)
- ccache is not used as we do not have a local uid/gid for the files
- usable for authentication of external kerberos users via PAM, e.g. from PHP or perl
>How-To-Repeat:
>Fix:
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.c
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c (revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c (working copy)
@@ -89,6 +89,7 @@ #define PAM_OPT_DEBUG "debug" #define PAM_OPT_FORWARDABLE "forwardable" #define PAM_OPT_NO_CCACHE "no_ccache" +#define PAM_OPT_NO_USER_CHECK "no_user_check" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" /* 
@@ -194,34 +195,37 @@ PAM_LOG("Got password"); - /* Verify the local user exists (AFTER getting the password) */ - if (strchr(user, '@')) { - /* get a local account name for this principal */ - krbret = krb5_aname_to_localname(pam_context, princ, - sizeof(luser), luser); - if (krbret != 0) { - PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_aname_to_localname(): %s", - krb5_get_err_text(pam_context, krbret)); - retval = PAM_USER_UNKNOWN; + if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) { + /* Verify the local user exists (AFTER getting the password) */ + if (strchr(user, '@')) { + /* get a local account name for this principal */ + krbret = krb5_aname_to_localname(pam_context, princ, + sizeof(luser), luser); + if (krbret != 0) { + PAM_VERBOSE_ERROR("Kerberos 5 error"); + PAM_LOG("Error krb5_aname_to_localname(): %s", + krb5_get_err_text(pam_context, krbret)); + retval = PAM_USER_UNKNOWN; + goto cleanup2; + } + + retval = pam_set_item(pamh, PAM_USER, luser); + if (retval != PAM_SUCCESS) goto cleanup2; + + PAM_LOG("PAM_USER Redone"); } - retval = pam_set_item(pamh, PAM_USER, luser); - if (retval != PAM_SUCCESS) + pwd = getpwnam(user); + if (pwd == NULL) { + retval = PAM_USER_UNKNOWN; goto cleanup2; + } - PAM_LOG("PAM_USER Redone"); - } + PAM_LOG("Done getpwnam()"); + } else + PAM_LOG("Skipping local user check"); - pwd = getpwnam(user); - if (pwd == NULL) { - retval = PAM_USER_UNKNOWN; - goto cleanup2; - } - - PAM_LOG("Done getpwnam()"); - /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, 
@@ -366,7 +370,8 @@ return (PAM_SERVICE_ERR); /* If a persistent cache isn't desired, stop now. */ - if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE)) + if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) || + openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) return (PAM_SUCCESS); PAM_LOG("Establishing credentials");
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.8
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8 (revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8 (working copy)
@@ -108,6 +108,10 @@ .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm no_user_check Do not verify if a user exists on the local system. This option implies the +.Cm no_ccache +option. .El .Ss Kerberos 5 Account Management Module The Kerberos 5 account management component
>Release-Note:
>Audit-Trail:
>Unformatted:
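Review bot: in the pam_krb5.c hunk at `@@ -194,34 +195,37 @@`, `pwd` is no longer assigned on the `no_user_check` path (the `pwd = getpwnam(user);` call now only runs inside the `if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))` block), so any later use of `pwd` in pam_sm_authenticate has to cope with a NULL pointer; the remainder of the function is not in the hunk, so please confirm that. Skipping the block also skips `krb5_aname_to_localname()` and the `pam_set_item(pamh, PAM_USER, luser)` rewrite, so with the option set and a `user@REALM` name the application receives the full principal as PAM_USER, and the module no longer performs any check beyond the KDC accepting the password; both consequences should be stated in pam_krb5.8 so callers know that authorization (which principals are allowed in) is entirely theirs. Minor style: the unbraced `} else PAM_LOG("Skipping local user check");` after a braced `if` body reads better with braces on both arms.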
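Review bot: in the hunk at `@@ -366,7 +370,8 @@`, adding `openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)` to the early return makes pam_sm_setcred match the "implies no_ccache" wording in the man page, but it only covers this one early exit; since the rest of pam_sm_setcred is outside the hunk, double-check that no later branch of that function (or any other place that creates, renames or chowns a persistent cache) can still be reached for a principal without a passwd entry, because that is exactly the case where there is no local uid/gid for the cache file.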
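Review bot: in the pam_krb5.8 hunk at `@@ -108,6 +108,10 @@`, mdoc(7) wants each sentence to start on its own line, so split `Do not verify if a user exists on the local system. This option implies the` into "Do not verify that the user exists on the local system." and "This option implies the". The entry should also mention what the code hunks do beyond skipping getpwnam(3): no principal-to-local-name mapping is done (PAM_USER keeps the value the application supplied) and the module does not authorize the principal in any way, so the calling application must decide which principals may log in.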
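As an added configuration example (not part of the PR, and the `webapp` service name is a hypothetical assumption), the contrast between the default pam_krb5 behaviour and the new option in a pam.d(5) service file for the PHP/perl use case named in the description:

```conf
# /etc/pam.d/webapp   (hypothetical service name; constructed example, not from the PR)
#
# Default behaviour: pam_krb5 maps the principal to a local account name and
# requires a passwd(5) entry for it; a principal with no local account fails
# with PAM_USER_UNKNOWN before any credential cache is created.
#auth    required    pam_krb5.so

# With the option from this PR: pam_krb5 only checks the password against the
# KDC, leaves PAM_USER exactly as the application supplied it (no
# aname-to-localname mapping) and creates no persistent credential cache
# (no_ccache is implied).  Nothing here decides which principals are allowed
# in, so the application must enforce that itself after pam_authenticate(3).
auth     required    pam_krb5.so    no_user_check
```

The two `auth` lines are alternatives; keep exactly one uncommented. The second form is the one the PR targets: an application that authenticates Kerberos principals which have no local account, and that therefore carries the authorization decision itself.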