Date: Tue, 25 Jan 2005 13:57:46 -0600 (CST) From: David Duchscher <daved@tamu.edu> To: FreeBSD-gnats-submit@FreeBSD.org Subject: misc/76678: Allow pam_krb5 to authenticate no local users for other services. Message-ID: <200501251957.j0PJvkZM051310@jabber.net.tamu.edu> Resent-Message-ID: <200501252000.j0PK0jDv002895@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 76678
>Category: misc
>Synopsis: Allow pam_krb5 to authenticate no local users for other services.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 25 20:00:45 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: David Duchscher
>Release: FreeBSD 5.3-RELEASE-p4 i386
>Organization:
Texas A&M University
>Environment:
System: FreeBSD jabber.net.tamu.edu 5.3-RELEASE-p4 FreeBSD 5.3-RELEASE-p4 #0: Fri Jan 7 15:28:40 UTC 2005 root@jabber.net.tamu.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Many services (web, jabber, etc) have the ability to
authenticate via pam. The pam_krb5 module will only allow
authentication if a user is in the local password file.
It would be nice if the pam_krb5 module had the ability to
turn this requirment off.
For your consideration, I have included a patch that allows
the local user requirement to be removed so other services
that have no need for a local account can use the pam_krb5
module.
>How-To-Repeat:
>Fix:
--- pam_krb5.c.orig Tue Feb 10 10:13:20 2004
+++ pam_krb5.c Sun Jan 9 23:58:36 2005
@@ -89,6 +89,7 @@
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
+#define PAM_OPT_NO_USER_CHECK "no_user_check"
/*
* authentication management
@@ -213,11 +214,13 @@
PAM_LOG("PAM_USER Redone");
}
- pwd = getpwnam(user);
- if (pwd == NULL) {
- retval = PAM_USER_UNKNOWN;
- goto cleanup2;
- }
+ if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
+ goto cleanup2;
+ }
+ }
PAM_LOG("Done getpwnam()");
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501251957.j0PJvkZM051310>