ports/186545: [PATCH] security/sssd: add ignore_unknown_user option to pam_sss
Lukas Slebodnik
lukas.slebodnik at intrak.sk
Sat Mar 22 14:50:01 UTC 2014
The following reply was made to PR ports/186545; it has been noted by GNATS.
From: Lukas Slebodnik <lukas.slebodnik at intrak.sk>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: ports/186545: [PATCH] security/sssd: add ignore_unknown_user
option to pam_sss
Date: Sat, 22 Mar 2014 15:46:02 +0100
--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Sat, Feb 08, 2014 at 12:39:08PM +0100, Lukas Slebodnik wrote:
> You are right. It is not possible to obtain the same behaviour like on linux.
> Openpam does not recognise following syntax.
>
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>
> This is the same problem like another PR
> http://www.freebsd.org/cgi/query-pr.cgi?pr=184464.
>
> I communicated with reporter privately and I have a prepared patch. It will be
> part of work on including openpam into sssd, because sssd is heavily patched
> on FreeBSD.
>
> BTW your patch solves the main issue, but there are another corner cases you did
> not identified.
>
> Thank you very much for report. I will wait until accepting solution by
> upstream.
Patch was accepted in upstream with small changes a week ago.
Attached is patch for ports.
LS
--W/nzBZO5zC0uMSeA
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="0001-PAM-add-ignore_unknown_user-option.patch"
From 163991b8a12d2e96b98258eefcfde12a7b581a19 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn at redhat.com>
Date: Sat, 22 Mar 2014 15:19:45 +0100
Subject: [PATCH] PAM: add ignore_unknown_user option
---
files/patch-src__man__pam_sss.8.xml | 43 +++++++++++++++++++++++++++
files/patch-src__sss_client__pam_sss.c | 53 +++++++++++++++++++++++++++++-----
2 files changed, 89 insertions(+), 7 deletions(-)
create mode 100644 files/patch-src__man__pam_sss.8.xml
diff --git a/files/patch-src__man__pam_sss.8.xml b/files/patch-src__man__pam_sss.8.xml
new file mode 100644
index 0000000000000000000000000000000000000000..9e59aa0200754b3b1d40a6f920f5e0a1fd59425f
--- /dev/null
+++ b/files/patch-src__man__pam_sss.8.xml
@@ -0,0 +1,43 @@
+From 1a7794d0e3c9fa47f7b0256518186ce214e93504 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Sat, 22 Mar 2014 15:09:34 +0100
+Subject: [PATCH 1/2] patch-src__man__pam_sss.8.xml
+
+---
+ src/man/pam_sss.8.xml | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git src/man/pam_sss.8.xml src/man/pam_sss.8.xml
+index 72b497ab34a520d21964824080c7f276b26706f4..5b4e456e2b0b7469a233d7bd98d296bec2d8e739 100644
+--- src/man/pam_sss.8.xml
++++ src/man/pam_sss.8.xml
+@@ -37,6 +37,9 @@
+ <arg choice='opt'>
+ <replaceable>retry=N</replaceable>
+ </arg>
++ <arg choice='opt'>
++ <replaceable>ignore_unknown_user</replaceable>
++ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -103,6 +106,16 @@
+ <option>PasswordAuthentication</option>.</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>ignore_unknown_user</option>
++ </term>
++ <listitem>
++ <para>If this option is specified and the user does not
++ exist, the PAM module will return PAM_IGNORE. This causes
++ the PAM framework to ignore this module.</para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+--
+1.8.5.3
+
diff --git a/files/patch-src__sss_client__pam_sss.c b/files/patch-src__sss_client__pam_sss.c
index 45370623ca745c5bc0c48438083c8c32851e6da9..a1bf2821429d47ae775e54147790f51e5dc2a4c7 100644
--- a/files/patch-src__sss_client__pam_sss.c
+++ b/files/patch-src__sss_client__pam_sss.c
@@ -1,17 +1,25 @@
-From 86816db5982df0c1b0c5f5722e23111c62ff362e Mon Sep 17 00:00:00 2001
+From 68fcd5f830b6451de5fd9d697fa6602dc3ca9972 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lukas.slebodnik at intrak.sk>
Date: Sat, 27 Jul 2013 15:02:31 +0200
-Subject: [PATCH 31/34] patch-src__sss_client__pam_sss.c
+Subject: [PATCH 2/2] patch-src__sss_client__pam_sss.c
---
- src/sss_client/pam_sss.c | 2 ++
- 1 file changed, 2 insertions(+)
+ src/sss_client/pam_sss.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
diff --git src/sss_client/pam_sss.c src/sss_client/pam_sss.c
-index 3734c8f..7110d38 100644
+index 5fd276ccba15da1f689b1939a02288dda7a09d89..4cb976cf28eba5c14168a91eb23fe4101d2268f3 100644
--- src/sss_client/pam_sss.c
+++ src/sss_client/pam_sss.c
-@@ -125,10 +125,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
+@@ -52,6 +52,7 @@
+ #define FLAGS_USE_FIRST_PASS (1 << 0)
+ #define FLAGS_FORWARD_PASS (1 << 1)
+ #define FLAGS_USE_AUTHTOK (1 << 2)
++#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+
+ #define PWEXP_FLAG "pam_sss:password_expired_flag"
+ #define FD_DESTRUCTOR "pam_sss:fd_destructor"
+@@ -125,10 +126,12 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
static void close_fd(pam_handle_t *pamh, void *ptr, int err)
{
@@ -24,6 +32,37 @@ index 3734c8f..7110d38 100644
D(("Closing the fd"));
sss_pam_close_fd();
+@@ -1292,6 +1295,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
+ }
+ } else if (strcmp(*argv, "quiet") == 0) {
+ *quiet_mode = true;
++ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
++ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ } else {
+ logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
+ }
+@@ -1429,6 +1434,9 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+ ret = get_pam_items(pamh, &pi);
+ if (ret != PAM_SUCCESS) {
+ D(("get items returned error: %s", pam_strerror(pamh,ret)));
++ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
++ ret = PAM_IGNORE;
++ }
+ return ret;
+ }
+
+@@ -1467,6 +1475,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+
+ pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
+
++ if (flags & FLAGS_IGNORE_UNKNOWN_USER
++ && pam_status == PAM_USER_UNKNOWN) {
++ pam_status = PAM_IGNORE;
++ }
++
+ switch (task) {
+ case SSS_PAM_AUTHENTICATE:
+ /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
--
-1.8.0
+1.8.5.3
--
1.8.5.3
--W/nzBZO5zC0uMSeA--
More information about the freebsd-ports-bugs
mailing list