bin/103732: When using tac_plus and pam_krb5, one does not always want pam_krb5 to verify that a local account exists.

ryan zi at zi0r.com
Wed Sep 27 19:50:32 PDT 2006


>Number:         103732
>Category:       bin
>Synopsis:       When using tac_plus and pam_krb5, one does not always want pam_krb5 to verify that a local account exists.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 28 02:50:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     ryan
>Release:        6.1-RELEASE-p6
>Organization:
>Environment:
FreeBSD XXX.rit.edu 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #2: Mon Sep 18 07:49:55 EDT 2006     zi at XXX.rit.edu:/usr/obj/usr/src/sys/XXX  i386
>Description:
When using tac_plus4 to authenticate against a KDC, one does not always want to have to create a local account in order for authentication to succeed.

By applying the patch below to /usr/src/lib/libpam/modules/pam_krb5/pam_krb5.c, you can then append "no_checkuser" to the end of your krb5 line in your pam config, which will cause the portion of the code that checks for a local account to be skipped.

Changes were only made to pam_sm_authenticate(); however, pam_sm_setcred() also checks to see if a local account exists by attempting to obtain the uid of the account.

I'm uncertain if this is the best way to implement a fix; however, it appears to work fine for what I am doing with tac_plus4.
>How-To-Repeat:
Install the tac_plus4 port and configure your tac_plus user accounts to use pam.

Create a /etc/pam.d/tac_plus file and add in the example pam_krb5 lines from one of the other pam files.

Attempt to authenticate against tac_plus with an account that does not exist on the local machine but will successfully authenticate via kinit or the like. Authentication will fail as the local account does not exist.
>Fix:
--- pam_krb5.c  Thu Jul  7 10:16:38 2005
+++ /tmp/pam_krb5.c     Wed Sep 27 22:21:26 2006
@@ -90,6 +90,7 @@
 #define PAM_OPT_FORWARDABLE    "forwardable"
 #define PAM_OPT_NO_CCACHE      "no_ccache"
 #define PAM_OPT_REUSE_CCACHE   "reuse_ccache"
+#define PAM_OPT_NO_USERCHECK   "no_usercheck"
 
 /*
  * authentication management
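Review bot: the option string defined here, "no_usercheck", does not match the name the report tells administrators to append to the krb5 line, "no_checkuser"; pick one spelling for the #define, the label and the description, otherwise a pam.conf written from the description is silently ignored by openpam_get_option() and the local-account check still runs. The new option should also be listed in pam_krb5(8) next to forwardable, no_ccache and reuse_ccache, with a note that it is off by default and that enabling it lets any principal the KDC accepts authenticate without a matching local account.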
@@ -194,6 +195,9 @@
 
        PAM_LOG("Got password");
 
+       if (openpam_get_option(pamh, PAM_OPT_NO_USERCHECK)) {
+               PAM_LOG("Skipping local user checks");
+               goto no_checkuser;
+       }
+
        /* Verify the local user exists (AFTER getting the password) */
        if (strchr(user, '@')) {
                /* get a local account name for this principal */
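Review bot: the goto skips the entire local-user block, so anything that block assigns (the local account name derived from a principal containing '@', and the getpwnam() result logged just before the label) keeps whatever value it had before the jump; every use of those values after the no_checkuser label needs to be checked, and the same option should also bypass or guard the uid lookup in pam_sm_setcred() that the report says still fails. Since this path accepts a principal with no local mapping, keep the "Skipping local user checks" PAM_LOG (ideally including the user name) so an operator can see in the auth log when the bypass was taken.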
@@ -222,6 +226,9 @@
 
        PAM_LOG("Done getpwnam()");
 
+
+no_checkuser:
+
        /* Get a TGT */
        memset(&creds, 0, sizeof(krb5_creds));
        krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
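Review bot: style: the label is wrapped in two added blank lines, leaving three consecutive blank lines before "/* Get a TGT */"; add only the label line, and consider naming it to match the option (no_usercheck) so the define, the goto and the label are greppable together.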
>Release-Note:
>Audit-Trail:
>Unformatted: