svn commit: r208193 - stable/8/lib/libpam/modules/pam_krb5

Mon May 17 14:27:41 UTC 2010

Author: mm
Date: Mon May 17 14:27:40 2010
New Revision: 208193
URL: http://svn.freebsd.org/changeset/base/208193

Log:
  MFC r207553, r207555, r207651:
  
  Implement the no_user_check option to pam_krb5.
  
  This option is available in the Linux implementation of pam_krb5
  and allows to authorize a user not known to the local system.
  
  Ccache is not used as we don't have a secure uid/gid for the cache file.
  
  Usable for authentication of external kerberos users (e.g Active Directory)
  via PAM from applications like Cyrus saslauthd, PHP or perl.
  
  PR:		bin/146186
  Approved by:	deplhij (mentor)

Modified:
  stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8
  stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c
Directory Properties:
  stable/8/lib/libpam/   (props changed)

Modified: stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8
==============================================================================

--- stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May 17 14:20:26 2010	(r208192)
+++ stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May 17 14:27:40 2010	(r208193)
@@ -1,7 +1,7 @@
 .\"
 .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
 .\" $FreeBSD$
-.Dd January 15, 1999
+.Dd May 3, 2010
 .Dt PAM_KRB5 8
 .Os
 .Sh NAME
@@ -108,6 +108,10 @@ and
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option because there is no secure local uid/gid for the cache file.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component

Modified: stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c
==============================================================================
--- stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May 17 14:20:26 2010	(r208192)
+++ stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May 17 14:27:40 2010	(r208193)
@@ -89,6 +89,7 @@ static void	compat_free_data_contents(kr
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
+#define PAM_OPT_NO_USER_CHECK	"no_user_check"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 
 /*
@@ -194,34 +195,39 @@ pam_sm_authenticate(pam_handle_t *pamh, 
 
 	PAM_LOG("Got password");
 
-	/* Verify the local user exists (AFTER getting the password) */
-	if (strchr(user, '@')) {
-		/* get a local account name for this principal */
-		krbret = krb5_aname_to_localname(pam_context, princ,
-		    sizeof(luser), luser);
-		if (krbret != 0) {
-			PAM_VERBOSE_ERROR("Kerberos 5 error");
-			PAM_LOG("Error krb5_aname_to_localname(): %s",
-			    krb5_get_err_text(pam_context, krbret));
-			retval = PAM_USER_UNKNOWN;
-			goto cleanup2;
+	if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
+		PAM_LOG("Skipping local user check");
+	else {
+
+		/* Verify the local user exists (AFTER getting the password) */
+		if (strchr(user, '@')) {
+			/* get a local account name for this principal */
+			krbret = krb5_aname_to_localname(pam_context, princ,
+			    sizeof(luser), luser);
+			if (krbret != 0) {
+				PAM_VERBOSE_ERROR("Kerberos 5 error");
+				PAM_LOG("Error krb5_aname_to_localname(): %s",
+				    krb5_get_err_text(pam_context, krbret));
+				retval = PAM_USER_UNKNOWN;
+				goto cleanup2;
+			}
+
+			retval = pam_set_item(pamh, PAM_USER, luser);
+			if (retval != PAM_SUCCESS)
+				goto cleanup2;
+
+			PAM_LOG("PAM_USER Redone");
 		}
 
-		retval = pam_set_item(pamh, PAM_USER, luser);
-		if (retval != PAM_SUCCESS)
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
+			retval = PAM_USER_UNKNOWN;
 			goto cleanup2;
+		}
 
-		PAM_LOG("PAM_USER Redone");
-	}
-
-	pwd = getpwnam(user);
-	if (pwd == NULL) {
-		retval = PAM_USER_UNKNOWN;
-		goto cleanup2;
+		PAM_LOG("Done getpwnam()");
 	}
 
-	PAM_LOG("Done getpwnam()");
-
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
@@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 		return (PAM_SERVICE_ERR);
 
 	/* If a persistent cache isn't desired, stop now. */
-	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 		return (PAM_SUCCESS);
 
 	PAM_LOG("Establishing credentials");
