svn commit: r207553 - head/lib/libpam/modules/pam_krb5

Martin Matuska mm at FreeBSD.org
Mon May 3 07:32:24 UTC 2010


Author: mm
Date: Mon May  3 07:32:24 2010
New Revision: 207553
URL: http://svn.freebsd.org/changeset/base/207553

Log:
  Implement the no_user_check option to pam_krb5.
  
  This option is available in the Linux implementation of pam_krb5
  and allows authorizing a user not known to the local system.
  
  Ccache is not used as we don't have a secure uid/gid for the cache file.
  
  Usable for authentication of external kerberos users (e.g Active Directory)
  via PAM from applications like Cyrus saslauthd, PHP or perl.
  
  PR:		bin/146186
  Submitted by:	myself
  Approved by:	deplhij (mentor)
  MFC after:	2 weeks

Modified:
  head/lib/libpam/modules/pam_krb5/pam_krb5.8
  head/lib/libpam/modules/pam_krb5/pam_krb5.c

Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.8
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May  3 07:08:16 2010	(r207552)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May  3 07:32:24 2010	(r207553)
@@ -108,6 +108,10 @@ and
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component

Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:08:16 2010	(r207552)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:32:24 2010	(r207553)
@@ -89,6 +89,7 @@ static void	compat_free_data_contents(kr
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
+#define PAM_OPT_NO_USER_CHECK	"no_user_check"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 
 /*
@@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
 	PAM_LOG("Got password");
 
+	if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+		PAM_LOG("Skipping local user check");
+	else {
+
 	/* Verify the local user exists (AFTER getting the password) */
 	if (strchr(user, '@')) {
 		/* get a local account name for this principal */
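Review bot: The `else {` on the fourth added line wraps the whole existing local-user block without re-indenting it, so the brace opened here is closed by a lone `}` in the next hunk (just after `PAM_LOG("Done getpwnam()")`) at the same indentation as the statements it encloses, and the branch starts with an empty line. A guard of the form `if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {` with the block indented one level would read as ordinary code, or the lookup could move into a small `static` helper so the option becomes a one-line early-out. Whatever the skipped block stores from `getpwnam()` is now left unset on this path for the rest of pam_sm_authenticate, which continues outside the hunk; it is worth confirming that no later line reads it when the option is set. A comment on the new branch would also help the next maintainer, e.g. `/* no_user_check: authenticate the principal even when it has no local account; with no local uid/gid, no ccache file is written (see pam_sm_setcred). */`.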
@@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 	}
 
 	PAM_LOG("Done getpwnam()");
+	}
 
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
@@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 		return (PAM_SERVICE_ERR);
 
 	/* If a persistent cache isn't desired, stop now. */
-	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 		return (PAM_SUCCESS);
 
 	PAM_LOG("Establishing credentials");
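Review bot: The continuation line of the new condition, `openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))`, is indented with a single tab exactly like the `return` beneath it, so the two-line condition and its body blur together; style(9) continues a broken expression with four extra spaces, i.e. `\t    openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))`. This early return is where the "no_user_check implies no_ccache" rule from the man page is enforced, so a one-line comment tying the two together, e.g. `/* no_user_check implies no_ccache: there is no local uid/gid to own the file. */`, would keep a later editor from dropping the second operand. If pam_sm_acct_mgmt also resolves the user with getpwnam() (not visible in this diff), a stack that uses both the auth and account components would still reject such users, which the log message does not mention.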

