Date:      Mon, 3 May 2010 07:40:13 GMT
From:      dfilter@FreeBSD.ORG (dfilter service)
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/146186: commit references a PR
Message-ID:  <201005030740.o437eDhC048862@freefall.freebsd.org>

The following reply was made to PR bin/146186; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146186: commit references a PR
Date: Mon,  3 May 2010 07:32:43 +0000 (UTC)

 Author: mm
 Date: Mon May  3 07:32:24 2010
 New Revision: 207553
 URL: http://svn.freebsd.org/changeset/base/207553
 
 Log:
   Implement the no_user_check option to pam_krb5.
   
   This option is available in the Linux implementation of pam_krb5
   and allows authorizing a user not known to the local system.
   
   Ccache is not used as we don't have a secure uid/gid for the cache file.
   
   Usable for authentication of external Kerberos users (e.g. Active Directory)
   via PAM from applications like Cyrus saslauthd, PHP or Perl.
   
   PR:		bin/146186
   Submitted by:	myself
   Approved by:	delphij (mentor)
   MFC after:	2 weeks
 
 Modified:
   head/lib/libpam/modules/pam_krb5/pam_krb5.8
   head/lib/libpam/modules/pam_krb5/pam_krb5.c
 
 Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.8
 ==============================================================================
 --- head/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May  3 07:08:16 2010	(r207552)
 +++ head/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May  3 07:32:24 2010	(r207553)
 @@ -108,6 +108,10 @@ and
  .Ql %p ,
  to designate the current process ID; can be used in
  .Ar name .
 +.It Cm no_user_check
 +Do not verify if a user exists on the local system. This option implies the
 +.Cm no_ccache
 +option because there is no secure local uid/gid for the cache file.
  .El
  .Ss Kerberos 5 Account Management Module
  The Kerberos 5 account management component
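 Review bot: the new .It Cm no_user_check entry puts two sentences on one source line ("Do not verify if a user exists on the local system. This option implies the"); mdoc convention, which mandoc -Tlint enforces, is one sentence per line, so break the line after "system." The description should also say what the skipped check covers: the pam_krb5.c hunk below skips the whole block starting at "Verify the local user exists", including the mapping of a principal containing '@' to a local account name, so with this option any principal that can obtain a TGT passes authentication and mapping it to a local identity becomes the calling application's responsibility.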
 
 Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
 ==============================================================================
 --- head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:08:16 2010	(r207552)
 +++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:32:24 2010	(r207553)
 @@ -89,6 +89,7 @@ static void	compat_free_data_contents(kr
  #define PAM_OPT_DEBUG		"debug"
  #define PAM_OPT_FORWARDABLE	"forwardable"
  #define PAM_OPT_NO_CCACHE	"no_ccache"
 +#define PAM_OPT_NO_USER_CHECK	"no_user_check"
  #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
  
  /*
 @@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  
  	PAM_LOG("Got password");
  
 +	if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 +		PAM_LOG("Skipping local user check");
 +	else {
 +
  	/* Verify the local user exists (AFTER getting the password) */
  	if (strchr(user, '@')) {
  		/* get a local account name for this principal */
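 Review bot: the "+	else {" wraps the existing local-user check without re-indenting it, so everything from "/* Verify the local user exists" onward now lives inside a block at the wrong indentation level for style(9), and the empty line after the opening brace adds noise. Either re-indent the enclosed block, or invert the test and jump past the check (a goto to a label placed before "/* Get a TGT */") so the existing lines stay untouched and the diff stays readable. Note that the skipped block is the one that maps a principal name containing '@' to a local account, so when the option is set "user" is not rewritten to a local account name before the TGT is requested.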
 @@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  	}
  
  	PAM_LOG("Done getpwnam()");
 +	}
  
  	/* Get a TGT */
  	memset(&creds, 0, sizeof(krb5_creds));
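 Review bot: the closing "+	}" after PAM_LOG("Done getpwnam()") is a bare brace at the same indentation as the statements it encloses, some thirty lines away from its matching "else {", so a reader cannot tell at a glance which block it ends. A trailing comment such as "} /* !no_user_check */", or the goto/label restructuring that avoids the brace altogether, would make the block boundary visible.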
 @@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  		return (PAM_SERVICE_ERR);
  
  	/* If a persistent cache isn't desired, stop now. */
 -	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
 +	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
 +		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
  		return (PAM_SUCCESS);
  
  	PAM_LOG("Establishing credentials");
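 Review bot: the continuation line "+		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))" is indented with a second tab; style(9) asks for continuation lines to be indented by four spaces, so it should be a tab followed by four spaces. The logic itself matches the manual page's "implies no_ccache" statement for pam_sm_setcred, but this is the only place the diff touches; any other code path that tests PAM_OPT_NO_CCACHE on its own would need the same addition for no_user_check to imply no_ccache everywhere, so it is worth confirming there are none before the merge.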
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 