diff options
author | mm <mm@FreeBSD.org> | 2010-05-17 14:27:40 +0000 |
---|---|---|
committer | mm <mm@FreeBSD.org> | 2010-05-17 14:27:40 +0000 |
commit | e058c73bc5fcf603d4ea8f776c416ac1b7b0bf13 (patch) | |
tree | c109eda5421b90c2aa2c0d0ac320180005aee020 /lib | |
parent | 3daf73cdcd062d14dc7d1cffe4e78790031572b2 (diff) | |
download | FreeBSD-src-e058c73bc5fcf603d4ea8f776c416ac1b7b0bf13.zip FreeBSD-src-e058c73bc5fcf603d4ea8f776c416ac1b7b0bf13.tar.gz |
MFC r207553, r207555, r207651:
Implement the no_user_check option to pam_krb5.
This option is available in the Linux implementation of pam_krb5
and allows to authorize a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g Active Directory)
via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186
Approved by: deplhij (mentor)
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/modules/pam_krb5/pam_krb5.8 | 6 | ||||
-rw-r--r-- | lib/libpam/modules/pam_krb5/pam_krb5.c | 53 |
2 files changed, 35 insertions, 24 deletions
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.8 b/lib/libpam/modules/pam_krb5/pam_krb5.8 index 3e0db91..bd7ac5b 100644 --- a/lib/libpam/modules/pam_krb5/pam_krb5.8 +++ b/lib/libpam/modules/pam_krb5/pam_krb5.8 @@ -1,7 +1,7 @@ .\" .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $ .\" $FreeBSD$ -.Dd January 15, 1999 +.Dd May 3, 2010 .Dt PAM_KRB5 8 .Os .Sh NAME @@ -108,6 +108,10 @@ and .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm no_user_check +Do not verify if a user exists on the local system. This option implies the +.Cm no_ccache +option because there is no secure local uid/gid for the cache file. .El .Ss Kerberos 5 Account Management Module The Kerberos 5 account management component diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c index b56e0a3..439fcf9 100644 --- a/lib/libpam/modules/pam_krb5/pam_krb5.c +++ b/lib/libpam/modules/pam_krb5/pam_krb5.c @@ -89,6 +89,7 @@ static void compat_free_data_contents(krb5_context, krb5_data *); #define PAM_OPT_DEBUG "debug" #define PAM_OPT_FORWARDABLE "forwardable" #define PAM_OPT_NO_CCACHE "no_ccache" +#define PAM_OPT_NO_USER_CHECK "no_user_check" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" /* @@ -194,34 +195,39 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got password"); - /* Verify the local user exists (AFTER getting the password) */ - if (strchr(user, '@')) { - /* get a local account name for this principal */ - krbret = krb5_aname_to_localname(pam_context, princ, - sizeof(luser), luser); - if (krbret != 0) { - PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG("Error krb5_aname_to_localname(): %s", - krb5_get_err_text(pam_context, krbret)); - retval = PAM_USER_UNKNOWN; - goto cleanup2; + if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) + PAM_LOG("Skipping local user check"); + else { + + /* Verify the local user exists (AFTER getting the password) */ + if (strchr(user, '@')) { + /* get a local account name for this principal */ + krbret = krb5_aname_to_localname(pam_context, princ, + sizeof(luser), luser); + if (krbret != 0) { + PAM_VERBOSE_ERROR("Kerberos 5 error"); + PAM_LOG("Error krb5_aname_to_localname(): %s", + krb5_get_err_text(pam_context, krbret)); + retval = PAM_USER_UNKNOWN; + goto cleanup2; + } + + retval = pam_set_item(pamh, PAM_USER, luser); + if (retval != PAM_SUCCESS) + goto cleanup2; + + PAM_LOG("PAM_USER Redone"); } - retval = pam_set_item(pamh, PAM_USER, luser); - if (retval != PAM_SUCCESS) + pwd = getpwnam(user); + if (pwd == NULL) { + retval = PAM_USER_UNKNOWN; goto cleanup2; + } - PAM_LOG("PAM_USER Redone"); - } - - pwd = getpwnam(user); - if (pwd == NULL) { - retval = PAM_USER_UNKNOWN; - goto cleanup2; + PAM_LOG("Done getpwnam()"); } - PAM_LOG("Done getpwnam()"); - /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); krbret = krb5_get_init_creds_password(pam_context, &creds, princ, @@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, return (PAM_SERVICE_ERR); /* If a persistent cache isn't desired, stop now. */ - if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE)) + if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) || + openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) return (PAM_SUCCESS); PAM_LOG("Establishing credentials"); |