From owner-freebsd-bugs@FreeBSD.ORG Mon May 3 07:40:14 2010
Date: Mon, 3 May 2010 07:40:13 GMT
Message-Id: <201005030740.o437eDhC048862@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: bin/146186: commit references a PR
List-Id: Bug reports

The following reply was made to PR bin/146186; it has been noted by GNATS.
From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: bin/146186: commit references a PR
Date: Mon, 3 May 2010 07:32:43 +0000 (UTC)

Author: mm
Date: Mon May 3 07:32:24 2010
New Revision: 207553
URL: http://svn.freebsd.org/changeset/base/207553

Log:
Implement the no_user_check option to pam_krb5. This option is available in the Linux implementation of pam_krb5 and allows authorizing a user not known to the local system. Ccache is not used as we don't have a secure uid/gid for the cache file. Usable for authentication of external Kerberos users (e.g. Active Directory) via PAM from applications like Cyrus saslauthd, PHP or Perl.

PR: bin/146186
Submitted by: myself
Approved by: delphij (mentor)
MFC after: 2 weeks

Modified:
head/lib/libpam/modules/pam_krb5/pam_krb5.8
head/lib/libpam/modules/pam_krb5/pam_krb5.c

Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.8 ============================================================================== --- head/lib/libpam/modules/pam_krb5/pam_krb5.8 Mon May 3 07:08:16 2010 (r207552) +++ head/lib/libpam/modules/pam_krb5/pam_krb5.8 Mon May 3 07:32:24 2010 (r207553) @@ -108,6 +108,10 @@ and .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm no_user_check +Do not verify if a user exists on the local system. This option implies the +.Cm no_ccache +option because there is no secure local uid/gid for the cache file. .El .Ss Kerberos 5 Account Management Module The Kerberos 5 account management component Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c ============================================================================== --- head/lib/libpam/modules/pam_krb5/pam_krb5.c Mon May 3 07:08:16 2010 (r207552) +++ head/lib/libpam/modules/pam_krb5/pam_krb5.c Mon May 3 07:32:24 2010 (r207553)
@@ -89,6 +89,7 @@ static void compat_free_data_contents(kr #define PAM_OPT_DEBUG "debug" #define PAM_OPT_FORWARDABLE "forwardable" #define PAM_OPT_NO_CCACHE "no_ccache" +#define PAM_OPT_NO_USER_CHECK "no_user_check" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" /* @@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh, PAM_LOG("Got password"); + if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) + PAM_LOG("Skipping local user check"); + else { + /* Verify the local user exists (AFTER getting the password) */ if (strchr(user, '@')) { /* get a local account name for this principal */ @@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh, } PAM_LOG("Done getpwnam()"); + } /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); @@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f return (PAM_SERVICE_ERR); /* If a persistent cache isn't desired, stop now. */ - if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE)) + if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) || + openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) return (PAM_SUCCESS); PAM_LOG("Establishing credentials");
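Review bot: the new ".It Cm no_user_check" entry in the pam_krb5.8 hunk documents only the skipped existence check, not that the principal-to-local-account mapping performed by the skipped block in pam_sm_authenticate (the "get a local account name for this principal" branch behind strchr(user, '@')) is skipped along with it; one sentence stating that no local mapping is applied would save administrators a surprise. The entry should also say whether the option has any effect on the account management component described in the ".Ss Kerberos 5 Account Management Module" section that follows, since the C hunks only touch pam_sm_authenticate and pam_sm_setcred.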
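Review bot: in the @@ -194 hunk of pam_krb5.c the if branch is a single unbraced PAM_LOG() while the else branch opens a brace that is only closed by the lone "+ }" in the @@ -221 hunk some thirty lines later; bracing both branches ("if (openpam_get_option(...)) { PAM_LOG(...); } else {") makes the structure visible at a glance and keeps that closing brace from reading as a stray. Separately, once the lookup is skipped nothing after the else block in pam_sm_authenticate may rely on the getpwnam() result; the visible context ends at the TGT request, so the remainder of the function needs checking for such uses.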
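Review bot: the @@ -366 hunk in pam_sm_setcred is the only place that enforces the "implies no_ccache" behaviour the man page promises; if PAM_OPT_NO_CCACHE is consulted anywhere else in pam_krb5.c (the hunk context does not show), each such site needs the same second operand, otherwise a cache file could still be written without the secure uid/gid the log message says is unavailable. A small static helper returning "no_ccache || no_user_check" used at every site would keep the two options from drifting apart.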