authormm <mm@FreeBSD.org>2010-05-17 14:27:40 +0000
committermm <mm@FreeBSD.org>2010-05-17 14:27:40 +0000
commite058c73bc5fcf603d4ea8f776c416ac1b7b0bf13 (patch)
treec109eda5421b90c2aa2c0d0ac320180005aee020
parent3daf73cdcd062d14dc7d1cffe4e78790031572b2 (diff)
MFC r207553, r207555, r207651:
Implement the no_user_check option to pam_krb5. This option is available in the Linux implementation of pam_krb5 and allows authorizing a user who is not known to the local system. Ccache is not used as we don't have a secure uid/gid for the cache file. Usable for authentication of external kerberos users (e.g. Active Directory) via PAM from applications like Cyrus saslauthd, PHP or perl. PR: bin/146186 Approved by: deplhij (mentor)
-rw-r--r--lib/libpam/modules/pam_krb5/pam_krb5.86
-rw-r--r--lib/libpam/modules/pam_krb5/pam_krb5.c53
2 files changed, 35 insertions, 24 deletions
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.8 b/lib/libpam/modules/pam_krb5/pam_krb5.8
index 3e0db91..bd7ac5b 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.8
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.8
@@ -1,7 +1,7 @@
.\"
.\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
.\" $FreeBSD$
-.Dd January 15, 1999
+.Dd May 3, 2010
.Dt PAM_KRB5 8
.Os
.Sh NAME
@@ -108,6 +108,10 @@ and
.Ql %p ,
to designate the current process ID; can be used in
.Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
.El
.Ss Kerberos 5 Account Management Module
The Kerberos 5 account management component
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c
index b56e0a3..439fcf9 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -89,6 +89,7 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
#define PAM_OPT_DEBUG "debug"
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
+#define PAM_OPT_NO_USER_CHECK "no_user_check"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
/*
@@ -194,34 +195,39 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
PAM_LOG("Got password");
- /* Verify the local user exists (AFTER getting the password) */
- if (strchr(user, '@')) {
- /* get a local account name for this principal */
- krbret = krb5_aname_to_localname(pam_context, princ,
- sizeof(luser), luser);
- if (krbret != 0) {
- PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_aname_to_localname(): %s",
- krb5_get_err_text(pam_context, krbret));
- retval = PAM_USER_UNKNOWN;
- goto cleanup2;
+ if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+ PAM_LOG("Skipping local user check");
+ else {
+
+ /* Verify the local user exists (AFTER getting the password) */
+ if (strchr(user, '@')) {
+ /* get a local account name for this principal */
+ krbret = krb5_aname_to_localname(pam_context, princ,
+ sizeof(luser), luser);
+ if (krbret != 0) {
+ PAM_VERBOSE_ERROR("Kerberos 5 error");
+ PAM_LOG("Error krb5_aname_to_localname(): %s",
+ krb5_get_err_text(pam_context, krbret));
+ retval = PAM_USER_UNKNOWN;
+ goto cleanup2;
+ }
+
+ retval = pam_set_item(pamh, PAM_USER, luser);
+ if (retval != PAM_SUCCESS)
+ goto cleanup2;
+
+ PAM_LOG("PAM_USER Redone");
}
- retval = pam_set_item(pamh, PAM_USER, luser);
- if (retval != PAM_SUCCESS)
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
goto cleanup2;
+ }
- PAM_LOG("PAM_USER Redone");
- }
-
- pwd = getpwnam(user);
- if (pwd == NULL) {
- retval = PAM_USER_UNKNOWN;
- goto cleanup2;
+ PAM_LOG("Done getpwnam()");
}
- PAM_LOG("Done getpwnam()");
-
/* Get a TGT */
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
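Review bot: When no_user_check is set and `user` contains '@', the whole new else-branch is skipped, so the krb5_aname_to_localname() mapping and the `pam_set_item(pamh, PAM_USER, luser)` after it never run and PAM_USER stays the raw principal string the caller supplied; `pwd` is likewise never assigned on that path. Neither effect is stated in the man-page hunk, and an application that later treats PAM_USER as a local account name would be acting on an unmapped, unverified principal, so the option's manual text should say that no principal-to-local-name mapping is performed and PAM_USER is returned as given. If `pwd` is read anywhere later in pam_sm_authenticate (not visible here), that path needs a NULL check — worth confirming against the rest of the function. On style, the bare `PAM_LOG("Skipping local user check");` if-arm against a thirty-line braced else, plus the stray blank line after `else {`, would read more evenly as `if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {` with both arms braced. pam_sm_authenticate starts and ends outside this hunk.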
@@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
return (PAM_SERVICE_ERR);
/* If a persistent cache isn't desired, stop now. */
- if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+ if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+ openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
return (PAM_SUCCESS);
PAM_LOG("Establishing credentials");
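Review bot: The comment `/* If a persistent cache isn't desired, stop now. */` above the changed condition now covers two cases but names only one, and the reason for the second is given only in the man-page hunk (no secure local uid/gid for the cache file). Carry that reason into the code so the coupling between the two options is visible where it is enforced, e.g. `/* Stop now if a persistent cache isn't desired, or if no_user_check is set: without a verified local user there is no uid/gid to own the cache file. */`. pam_sm_setcred starts and ends outside this hunk.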