bin/146186: [PATCH] implement no_user_check option for pam_krb5.so
Martin Matuska
mm at FreeBSD.org
Fri Apr 30 13:10:01 UTC 2010
>Number: 146186
>Category: bin
>Synopsis: [PATCH] implement no_user_check option for pam_krb5.so
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 30 13:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Martin Matuska
>Release: FreeBSD 8.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD neo.vx.sk 8.0-STABLE FreeBSD 8.0-STABLE #15 r207431M: Fri Apr 30 12:33:12 CEST 2010 root at neo.vx.sk:/usr/obj/stable/sys/NEO amd64
>Description:
Implement the no_user_check option to pam_krb5
- this option allows authorizing a user who is not known to the local system (as in the port security/pam_krb5)
- the ccache is not used, as there is no local uid/gid to own the cache files
- usable for authenticating external Kerberos users via PAM, e.g. from PHP or Perl
>How-To-Repeat:
>Fix:
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.c
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c (revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c (working copy)
@@ -89,6 +89,7 @@
#define PAM_OPT_DEBUG "debug"
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
+#define PAM_OPT_NO_USER_CHECK "no_user_check"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
/*
@@ -194,34 +195,37 @@
PAM_LOG("Got password");
- /* Verify the local user exists (AFTER getting the password) */
- if (strchr(user, '@')) {
- /* get a local account name for this principal */
- krbret = krb5_aname_to_localname(pam_context, princ,
- sizeof(luser), luser);
- if (krbret != 0) {
- PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_aname_to_localname(): %s",
- krb5_get_err_text(pam_context, krbret));
- retval = PAM_USER_UNKNOWN;
+ if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+ /* Verify the local user exists (AFTER getting the password) */
+ if (strchr(user, '@')) {
+ /* get a local account name for this principal */
+ krbret = krb5_aname_to_localname(pam_context, princ,
+ sizeof(luser), luser);
+ if (krbret != 0) {
+ PAM_VERBOSE_ERROR("Kerberos 5 error");
+ PAM_LOG("Error krb5_aname_to_localname(): %s",
+ krb5_get_err_text(pam_context, krbret));
+ retval = PAM_USER_UNKNOWN;
+ goto cleanup2;
+ }
+
+ retval = pam_set_item(pamh, PAM_USER, luser);
+ if (retval != PAM_SUCCESS)
goto cleanup2;
+
+ PAM_LOG("PAM_USER Redone");
}
- retval = pam_set_item(pamh, PAM_USER, luser);
- if (retval != PAM_SUCCESS)
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
goto cleanup2;
+ }
- PAM_LOG("PAM_USER Redone");
- }
+ PAM_LOG("Done getpwnam()");
+ } else
+ PAM_LOG("Skipping local user check");
- pwd = getpwnam(user);
- if (pwd == NULL) {
- retval = PAM_USER_UNKNOWN;
- goto cleanup2;
- }
-
- PAM_LOG("Done getpwnam()");
-
/* Get a TGT */
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
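Review bot: On the no_user_check path `pwd` is left NULL and PAM_USER keeps whatever string the application supplied, because both the krb5_aname_to_localname() mapping and the getpwnam() lookup inside the new `if` are skipped. Any later use of `pwd` in pam_sm_authenticate (the function starts and ends outside this hunk) would now dereference NULL on that path, so that should be confirmed before committing. Since two spellings of one principal (realm-qualified or not, differing case) no longer collapse to a single local name, the caller becomes solely responsible for authorization under this option; a comment above the new condition would make that explicit: `/* no_user_check: no local account is required; PAM_USER is left as supplied and pwd stays NULL. */`. The unbraced `else PAM_LOG(...)` is fine only as long as PAM_LOG stays a single-statement macro; braces would remove that dependency.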
@@ -366,7 +370,8 @@
return (PAM_SERVICE_ERR);
/* If a persistent cache isn't desired, stop now. */
- if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+ if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+ openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
return (PAM_SUCCESS);
PAM_LOG("Establishing credentials");
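Review bot: The implied no_ccache is enforced here in pam_sm_setcred only; if pam_sm_authenticate also consults PAM_OPT_NO_CCACHE before creating its temporary credential cache (that code is outside this patch), the same `|| openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)` belongs there too, otherwise a cache is still created and registered for a principal that has no local owner, contrary to the manual page's statement that no_user_check implies no_ccache. A one-line comment would record the reason for the coupling: `/* no_user_check implies no_ccache: there is no local uid/gid to own a cache. */`. The enclosing function starts and ends outside this hunk.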
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.8
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8 (revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8 (working copy)
@@ -108,6 +108,10 @@
.Ql %p ,
to designate the current process ID; can be used in
.Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option.
.El
.Ss Kerberos 5 Account Management Module
The Kerberos 5 account management component
>Release-Note:
>Audit-Trail:
>Unformatted: