misc/76678: Allow pam_krb5 to authenticate no local users for other
services.
David Duchscher
daved at tamu.edu
Tue Jan 25 12:00:46 PST 2005
>Number: 76678
>Category: misc
>Synopsis: Allow pam_krb5 to authenticate no local users for other services.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 25 20:00:45 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: David Duchscher
>Release: FreeBSD 5.3-RELEASE-p4 i386
>Organization:
Texas A&M University
>Environment:
System: FreeBSD jabber.net.tamu.edu 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #0: Fri Jan 7 15:28:40 UTC 2005 root at jabber.net.tamu.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Many services (web, jabber, etc) have the ability to
authenticate via pam. The pam_krb5 module will only allow
authentication if a user is in the local password file.
It would be nice if the pam_krb5 module had the ability to
turn this requirment off.
For your consideration, I have included a patch that allows
the local user requirement to be removed so other services
that have no need for a local account can use the pam_krb5
module.
>How-To-Repeat:
>Fix:
--- pam_krb5.c.orig Tue Feb 10 10:13:20 2004
+++ pam_krb5.c Sun Jan 9 23:58:36 2005
@@ -89,6 +89,7 @@
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
+#define PAM_OPT_NO_USER_CHECK "no_user_check"
/*
* authentication management
@@ -213,11 +214,13 @@
PAM_LOG("PAM_USER Redone");
}
- pwd = getpwnam(user);
- if (pwd == NULL) {
- retval = PAM_USER_UNKNOWN;
- goto cleanup2;
- }
+ if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
+ goto cleanup2;
+ }
+ }
PAM_LOG("Done getpwnam()");
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list