Message-Id: <200501251957.j0PJvkZM051310@jabber.net.tamu.edu>
Date: Tue, 25 Jan 2005 13:57:46 -0600 (CST)
From: David Duchscher
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: misc/76678: Allow pam_krb5 to authenticate no local users for other services.
Reply-To: David Duchscher

>Number: 76678
>Category: misc
>Synopsis: Allow pam_krb5 to authenticate no local users for other services.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 25 20:00:45 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: David Duchscher
>Release: FreeBSD 5.3-RELEASE-p4 i386
>Organization: Texas A&M University
>Environment:
System: FreeBSD jabber.net.tamu.edu 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #0: Fri Jan 7 15:28:40 UTC 2005 root@jabber.net.tamu.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Many services (web, jabber, etc) have the ability to authenticate via pam. The pam_krb5 module will only allow authentication if a user is in the local password file. It would be nice if the pam_krb5 module had the ability to turn this requirement off. For your consideration, I have included a patch that allows the local user requirement to be removed so other services that have no need for a local account can use the pam_krb5 module.
>How-To-Repeat:
>Fix:
--- pam_krb5.c.orig Tue Feb 10 10:13:20 2004 +++ pam_krb5.c Sun Jan 9 23:58:36 2005 @@ -89,6 +89,7 @@ #define PAM_OPT_FORWARDABLE "forwardable" #define PAM_OPT_NO_CCACHE "no_ccache" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" +#define PAM_OPT_NO_USER_CHECK "no_user_check" /* * authentication management 
@@ -213,11 +214,13 @@ PAM_LOG("PAM_USER Redone"); } - pwd = getpwnam(user); - if (pwd == NULL) { - retval = PAM_USER_UNKNOWN; - goto cleanup2; - } + if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) { + pwd = getpwnam(user); + if (pwd == NULL) { + retval = PAM_USER_UNKNOWN; + goto cleanup2; + } + } PAM_LOG("Done getpwnam()"); >Release-Note: >Audit-Trail: >Unformatted:
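
Review bot: The new option string "no_user_check" in the first hunk (the PAM_OPT_NO_USER_CHECK define) comes with no documentation; the patch touches only pam_krb5.c. Please add an entry to the module's manual page saying that with this option the local password file lookup is skipped, so authentication no longer depends on a local account existing, and that it is meant for services that have no need for a local account. An administrator who enables it on a login-type service should be able to read that consequence before doing so.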
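
Review bot: In the second hunk, when no_user_check is set pwd is never assigned, yet the unchanged PAM_LOG("Done getpwnam()") line still runs after the new block. The debug log then reports a lookup that was skipped, and any code later in the function that reads pwd (not visible in this hunk) would see a pointer this path never set. Suggest setting pwd to NULL before the if, moving the log call inside the block or logging a distinct message when the check is skipped, and guarding every later use of pwd against NULL.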