bin/146186: [PATCH] implement no_user_check option for pam_krb5.so

Martin Matuska mm at FreeBSD.org
Fri Apr 30 13:10:01 UTC 2010


>Number:         146186
>Category:       bin
>Synopsis:       [PATCH] implement no_user_check option for pam_krb5.so
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 30 13:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Martin Matuska
>Release:        FreeBSD 8.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD neo.vx.sk 8.0-STABLE FreeBSD 8.0-STABLE #15 r207431M: Fri Apr 30 12:33:12 CEST 2010 root at neo.vx.sk:/usr/obj/stable/sys/NEO amd64
>Description:
Implement the no_user_check option to pam_krb5
- this option allows authorizing a user who is not known to the local system (as in the security/pam_krb5 port)
- the ccache is not used, because there is no local uid/gid to own the files
- usable for authenticating external Kerberos users via PAM, e.g. from PHP or Perl

>How-To-Repeat:
>Fix:
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.c
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c	(revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	(working copy)
@@ -89,6 +89,7 @@
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
+#define PAM_OPT_NO_USER_CHECK	"no_user_check"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 
 /*
@@ -194,34 +195,37 @@
 
 	PAM_LOG("Got password");
 
-	/* Verify the local user exists (AFTER getting the password) */
-	if (strchr(user, '@')) {
-		/* get a local account name for this principal */
-		krbret = krb5_aname_to_localname(pam_context, princ,
-		    sizeof(luser), luser);
-		if (krbret != 0) {
-			PAM_VERBOSE_ERROR("Kerberos 5 error");
-			PAM_LOG("Error krb5_aname_to_localname(): %s",
-			    krb5_get_err_text(pam_context, krbret));
-			retval = PAM_USER_UNKNOWN;
+	if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+		/* Verify the local user exists (AFTER getting the password) */
+		if (strchr(user, '@')) {
+			/* get a local account name for this principal */
+			krbret = krb5_aname_to_localname(pam_context, princ,
+			    sizeof(luser), luser);
+			if (krbret != 0) {
+				PAM_VERBOSE_ERROR("Kerberos 5 error");
+				PAM_LOG("Error krb5_aname_to_localname(): %s",
+				    krb5_get_err_text(pam_context, krbret));
+				retval = PAM_USER_UNKNOWN;
+				goto cleanup2;
+			}
+
+			retval = pam_set_item(pamh, PAM_USER, luser);
+			if (retval != PAM_SUCCESS)
 			goto cleanup2;
+
+			PAM_LOG("PAM_USER Redone");
 		}
 
-		retval = pam_set_item(pamh, PAM_USER, luser);
-		if (retval != PAM_SUCCESS)
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
+			retval = PAM_USER_UNKNOWN;
 			goto cleanup2;
+		}
 
-		PAM_LOG("PAM_USER Redone");
-	}
+		PAM_LOG("Done getpwnam()");
+	} else
+		PAM_LOG("Skipping local user check");
 
-	pwd = getpwnam(user);
-	if (pwd == NULL) {
-		retval = PAM_USER_UNKNOWN;
-		goto cleanup2;
-	}
-
-	PAM_LOG("Done getpwnam()");
-
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
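Review bot: On the new no_user_check path `pwd` is never assigned, because the only `pwd = getpwnam(user)` now sits inside the guarded branch; if the enclosing function (evidently pam_sm_authenticate, which begins and ends outside this hunk) declares `pwd` without an initializer and reads it further down, that read is now uninitialized rather than a clean skip, so the declaration should become `struct passwd *pwd = NULL;` and any later use be guarded with `if (pwd != NULL)`. Skipping the block also skips the `krb5_aname_to_localname()` translation and the `pam_set_item(pamh, PAM_USER, luser)` rewrite, so a principal-style name containing `@` now leaves PAM_USER exactly as the application supplied it; since the option exists to admit principals with no local account, the else branch deserves a comment such as `/* no_user_check: PAM_USER is left as given and may not name a local account. */` so that modules stacked after this one are not assumed to receive a local login name. Finally, the `goto cleanup2;` kept as context after the `pam_set_item` check is now one tab short of its new nesting depth and should be re-indented to match the surrounding `if` body.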
@@ -366,7 +370,8 @@
 		return (PAM_SERVICE_ERR);
 
 	/* If a persistent cache isn't desired, stop now. */
-	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 		return (PAM_SUCCESS);
 
 	PAM_LOG("Establishing credentials");
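Review bot: The continuation line `openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))` is indented with two tabs, whereas the file's existing continuations (for example the `sizeof(luser), luser);` argument line earlier in this patch) use style(9)'s four-space continuation indent; writing it as `    openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))` keeps the condition reading as one expression rather than looking like a nested block. The comment above the check still says only that a persistent cache isn't desired, so it would help to extend it to `/* If a persistent cache isn't desired, or there is no local account to own one, stop now. */` to record why no_user_check implies no_ccache at this point. The enclosing function (apparently pam_sm_setcred) starts and ends outside this hunk.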
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.8
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8	(revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8	(working copy)
@@ -108,6 +108,10 @@
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
>Release-Note:
>Audit-Trail:
>Unformatted:

