Date: Tue, 22 Aug 2006 21:40:24 +0700 (NOVST)
From: Dmitry A Grigorovich <odip@bionet.nsc.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/102390: [patch] kernel pppd don't using pam
Message-ID: <20060822144024.8D3CF21846@manticore.bionet.nsc.ru>
Resent-Message-ID: <200608221450.k7MEoBd5079798@freefall.freebsd.org>
>Number: 102390
>Category: kern
>Synopsis: [patch] kernel pppd don't using pam
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 22 14:50:10 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Dmitry A Grigorovich
>Release: FreeBSD 5.5-RELEASE-p2 i386
>Organization: ICiG SB RAS, Russia
>Environment:
System: FreeBSD ogre.bionet.nsc.ru 5.5-RELEASE-p2 FreeBSD 5.5-RELEASE-p2

>Description:
When I tried to use ldap for pppd authentication, I found that kernel pppd in FreeBSD does not use pam! Scanning the sources of pppd confirms this conclusion.

>How-To-Repeat:
Install ldap server.
Configure your computer for ldap authentication - use pam_ldap & nss_ldap & /etc/nsswitch.conf.
Create file /etc/pam.d/ppp

#### BOF /etc/pam.d/ppp ####
# auth
auth required pam_nologin.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
session required pam_permit.so
#### EOF ####

Ldap authentication works for sshd, ftpd, but failed for pppd!

>Fix:
Patch and rebuild pppd:

cd /usr/src
patch </path/pppd-pam.patch
cd /usr/src/usr.sbin/pppd
make obj && make depend && make && make install
make clean

Restart pppd

Now pppd works with pam!!!

--- pppd-pam.patch begins here --- --- usr.sbin/pppd/Makefile.orig Mon Sep 19 23:11:54 2005 +++ usr.sbin/pppd/Makefile Mon Sep 19 23:22:27 2005 @@ -11,10 +11,10 @@ BINOWN= root BINGRP= dialer -CFLAGS+= -DHAVE_PATHS_H +CFLAGS+= -DHAVE_PATHS_H -DUSE_PAM DPADD= ${LIBCRYPT} ${LIBUTIL} ${LIBMD} -LDADD= -lcrypt -lutil -lmd +LDADD= -lcrypt -lutil -lmd -lpam # Support SPX/IPX - not quite ready #CFLAGS+= -DIPX_CHANGE --- usr.sbin/pppd/auth.c.orig Sun Oct 26 12:01:06 2003 +++ usr.sbin/pppd/auth.c Mon Sep 19 23:25:18 2005 
@@ -771,11 +771,7 @@ static char *PAM_username = ""; static char *PAM_password = ""; -#ifdef PAM_ESTABLISH_CRED /* new PAM defines :(^ */ #define MY_PAM_STRERROR(err_code) (char *) pam_strerror(pamh,err_code) -#else -#define MY_PAM_STRERROR(err_code) (char *) pam_strerror(err_code) -#endif static int pam_conv (int num_msg, const struct pam_message **msg, --- pppd-pam.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
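Review bot: In the Makefile hunk, LDADD gains -lpam but DPADD stays at `${LIBCRYPT} ${LIBUTIL} ${LIBMD}`, so the two lists no longer match; add `${LIBPAM}` to DPADD together with the LDADD change. The same hunk turns on -DUSE_PAM unconditionally, yet the patch installs no PAM policy for pppd: the How-To-Repeat has the administrator create /etc/pam.d/ppp by hand. Either ship a default policy file with the change or document that one is required, since without it the result of pppd authentication depends on how PAM treats a service that has no policy of its own.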
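Review bot: In the auth.c hunk, the surviving definition `#define MY_PAM_STRERROR(err_code) (char *) pam_strerror(pamh,err_code)` silently relies on a variable named pamh being in scope wherever the macro is used, and its `(char *)` cast drops the const qualifier from the string pam_strerror() returns. With the one-argument fallback removed there is no remaining reason for the wrapper; consider calling pam_strerror(pamh, err_code) directly and holding the result as const char *. The context lines also show the credentials kept in file-scope statics (`static char *PAM_password = "";`); since this patch is what makes the USE_PAM path live, it is worth confirming that pointer is reset once authentication finishes.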