diff options
| author | mm <mm@FreeBSD.org> | 2010-05-03 07:32:24 +0000 |
|---|---|---|
| committer | mm <mm@FreeBSD.org> | 2010-05-03 07:32:24 +0000 |
| commit | 305cdfaf86fcdb4aa91519ed8096ab361cb28970 (patch) | |
| tree | 3cebb0dcb6d2856081272025e48261c51f0f5b2c /lib/libpam/modules | |
| parent | 34bfab021b5442c5389d345f46ff6ff111e69da8 (diff) | |
| download | FreeBSD-src-305cdfaf86fcdb4aa91519ed8096ab361cb28970.zip FreeBSD-src-305cdfaf86fcdb4aa91519ed8096ab361cb28970.tar.gz | |
Implement the no_user_check option to pam_krb5.
This option is available in the Linux implementation of pam_krb5
and allows to authorize a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g Active Directory)
via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186
Submitted by: myself
Approved by: deplhij (mentor)
MFC after: 2 weeks
Diffstat (limited to 'lib/libpam/modules')
| -rw-r--r-- | lib/libpam/modules/pam_krb5/pam_krb5.8 | 4 | ||||
| -rw-r--r-- | lib/libpam/modules/pam_krb5/pam_krb5.c | 9 |
2 files changed, 12 insertions, 1 deletions
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.8 b/lib/libpam/modules/pam_krb5/pam_krb5.8 index 3e0db91..a182e62e 100644 --- a/lib/libpam/modules/pam_krb5/pam_krb5.8 +++ b/lib/libpam/modules/pam_krb5/pam_krb5.8 @@ -108,6 +108,10 @@ and .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm no_user_check +Do not verify if a user exists on the local system. This option implies the +.Cm no_ccache +option because there is no secure local uid/gid for the cache file. .El .Ss Kerberos 5 Account Management Module The Kerberos 5 account management component diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c index b56e0a3..9623a17 100644 --- a/lib/libpam/modules/pam_krb5/pam_krb5.c +++ b/lib/libpam/modules/pam_krb5/pam_krb5.c @@ -89,6 +89,7 @@ static void compat_free_data_contents(krb5_context, krb5_data *); #define PAM_OPT_DEBUG "debug" #define PAM_OPT_FORWARDABLE "forwardable" #define PAM_OPT_NO_CCACHE "no_ccache" +#define PAM_OPT_NO_USER_CHECK "no_user_check" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" /* @@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got password"); + if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) + PAM_LOG("Skipping local user check"); + else { + /* Verify the local user exists (AFTER getting the password) */ if (strchr(user, '@')) { /* get a local account name for this principal */ @@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, } PAM_LOG("Done getpwnam()"); + } /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); @@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, return (PAM_SERVICE_ERR); /* If a persistent cache isn't desired, stop now. */ - if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE)) + if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) || + openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) return (PAM_SUCCESS); PAM_LOG("Establishing credentials"); |
