svn commit: r207553 - head/lib/libpam/modules/pam_krb5
Martin Matuska
mm at FreeBSD.org
Mon May 3 07:32:24 UTC 2010
Author: mm
Date: Mon May 3 07:32:24 2010
New Revision: 207553
URL: http://svn.freebsd.org/changeset/base/207553
Log:
Implement the no_user_check option to pam_krb5.
This option is available in the Linux implementation of pam_krb5
and allows to authorize a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g Active Directory)
via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186
Submitted by: myself
Approved by: deplhij (mentor)
MFC after: 2 weeks
Modified:
head/lib/libpam/modules/pam_krb5/pam_krb5.8
head/lib/libpam/modules/pam_krb5/pam_krb5.c
Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.8
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8 Mon May 3 07:08:16 2010 (r207552)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8 Mon May 3 07:32:24 2010 (r207553)
@@ -108,6 +108,10 @@ and
.Ql %p ,
to designate the current process ID; can be used in
.Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
.El
.Ss Kerberos 5 Account Management Module
The Kerberos 5 account management component
Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
==============================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c Mon May 3 07:08:16 2010 (r207552)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c Mon May 3 07:32:24 2010 (r207553)
@@ -89,6 +89,7 @@ static void compat_free_data_contents(kr
#define PAM_OPT_DEBUG "debug"
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
+#define PAM_OPT_NO_USER_CHECK "no_user_check"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
/*
@@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
PAM_LOG("Got password");
+ if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+ PAM_LOG("Skipping local user check");
+ else {
+
/* Verify the local user exists (AFTER getting the password) */
if (strchr(user, '@')) {
/* get a local account name for this principal */
@@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
}
PAM_LOG("Done getpwnam()");
+ }
/* Get a TGT */
memset(&creds, 0, sizeof(krb5_creds));
@@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
return (PAM_SERVICE_ERR);
/* If a persistent cache isn't desired, stop now. */
- if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+ if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+ openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
return (PAM_SUCCESS);
PAM_LOG("Establishing credentials");
More information about the svn-src-head
mailing list