From mm@mail2.vx.sk  Fri Apr 30 13:03:15 2010
Return-Path: <mm@mail2.vx.sk>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id AA6AB106566C
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 30 Apr 2010 13:03:15 +0000 (UTC)
	(envelope-from mm@mail2.vx.sk)
Received: from mail2.vx.sk (neo.vx.sk [188.40.111.84])
	by mx1.freebsd.org (Postfix) with ESMTP id 3ADEE8FC08
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 30 Apr 2010 13:03:14 +0000 (UTC)
Received: from neo.vx.sk (localhost [127.0.0.1])
	by mail2.vx.sk (Postfix) with ESMTP id 275853BE45
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 30 Apr 2010 15:03:14 +0200 (CEST)
Received: from mail2.vx.sk ([127.0.0.1])
	by neo.vx.sk (neo.vx.sk [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id Qg9xEev0dwfC for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 30 Apr 2010 15:03:09 +0200 (CEST)
Received: by mail2.vx.sk (Postfix, from userid 1001)
	id 4DAB13BE0C; Fri, 30 Apr 2010 15:03:09 +0200 (CEST)
Message-Id: <20100430130309.4DAB13BE0C@mail2.vx.sk>
Date: Fri, 30 Apr 2010 15:03:09 +0200 (CEST)
From: Martin Matuska <mm@FreeBSD.org>
Reply-To: Martin Matuska <mm@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] implement no_user_check option for pam_krb5.so
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         146186
>Category:       bin
>Synopsis:       [PATCH] implement no_user_check option for pam_krb5.so
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    mm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 30 13:10:01 UTC 2010
>Closed-Date:    Mon May 17 14:58:13 UTC 2010
>Last-Modified:  Mon May 17 14:58:13 UTC 2010
>Originator:     Martin Matuska
>Release:        FreeBSD 8.0-STABLE amd64
>Organization:
>Environment:
System: FreeBSD neo.vx.sk 8.0-STABLE FreeBSD 8.0-STABLE #15 r207431M: Fri Apr 30 12:33:12 CEST 2010 root@neo.vx.sk:/usr/obj/stable/sys/NEO amd64
>Description:
Implement the no_user_check option to pam_krb5
- this option allows authorizing a user who is not known to the local system (like in port security/pam_krb5)
- ccache is not used, as we do not have a local uid/gid for the cache files
- usable for authentication of external Kerberos users via PAM, e.g. from PHP or perl

>How-To-Repeat:
>Fix:
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.c
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.c	(revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	(working copy)
@@ -89,6 +89,7 @@
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
+#define PAM_OPT_NO_USER_CHECK	"no_user_check"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 
 /*
@@ -194,34 +195,37 @@
 
 	PAM_LOG("Got password");
 
-	/* Verify the local user exists (AFTER getting the password) */
-	if (strchr(user, '@')) {
-		/* get a local account name for this principal */
-		krbret = krb5_aname_to_localname(pam_context, princ,
-		    sizeof(luser), luser);
-		if (krbret != 0) {
-			PAM_VERBOSE_ERROR("Kerberos 5 error");
-			PAM_LOG("Error krb5_aname_to_localname(): %s",
-			    krb5_get_err_text(pam_context, krbret));
-			retval = PAM_USER_UNKNOWN;
+	if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
+		/* Verify the local user exists (AFTER getting the password) */
+		if (strchr(user, '@')) {
+			/* get a local account name for this principal */
+			krbret = krb5_aname_to_localname(pam_context, princ,
+			    sizeof(luser), luser);
+			if (krbret != 0) {
+				PAM_VERBOSE_ERROR("Kerberos 5 error");
+				PAM_LOG("Error krb5_aname_to_localname(): %s",
+				    krb5_get_err_text(pam_context, krbret));
+				retval = PAM_USER_UNKNOWN;
+				goto cleanup2;
+			}
+
+			retval = pam_set_item(pamh, PAM_USER, luser);
+			if (retval != PAM_SUCCESS)
 			goto cleanup2;
+
+			PAM_LOG("PAM_USER Redone");
 		}
 
-		retval = pam_set_item(pamh, PAM_USER, luser);
-		if (retval != PAM_SUCCESS)
+		pwd = getpwnam(user);
+		if (pwd == NULL) {
+			retval = PAM_USER_UNKNOWN;
 			goto cleanup2;
+		}
 
-		PAM_LOG("PAM_USER Redone");
-	}
+		PAM_LOG("Done getpwnam()");
+	} else
+		PAM_LOG("Skipping local user check");
 
-	pwd = getpwnam(user);
-	if (pwd == NULL) {
-		retval = PAM_USER_UNKNOWN;
-		goto cleanup2;
-	}
-
-	PAM_LOG("Done getpwnam()");
-
 	/* Get a TGT */
 	memset(&creds, 0, sizeof(krb5_creds));
 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
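Review bot: When `no_user_check` is set, the new branch never assigns `pwd`, so `pwd` keeps the value it had at its declaration (outside this hunk) while pam_sm_authenticate continues past the hunk; any later read of `pwd` in the function would then be a use of an unassigned or NULL pointer. Making the contract explicit in the new branch, `pwd = NULL; /* no local account: nothing below may rely on pwd */`, or a comment stating that nothing after this point reads `pwd`, would let a reader verify that without scanning the rest of the function. The same branch also skips the `@`-principal to local-name mapping and the `pam_set_item(pamh, PAM_USER, luser)` call, so PAM_USER stays the principal string as supplied and the principal-to-account mapping is no longer an authorization gate; the caller must do its own authorization, which the man page entry for the option should state. The same structure is repeated in the quoted hunks of r207553 and r208193. pam_sm_authenticate starts and ends outside this hunk.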
@@ -366,7 +370,8 @@
 		return (PAM_SERVICE_ERR);
 
 	/* If a persistent cache isn't desired, stop now. */
-	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
+	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
+		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 		return (PAM_SUCCESS);
 
 	PAM_LOG("Establishing credentials");
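Review bot: The comment above the changed condition, `/* If a persistent cache isn't desired, stop now. */`, no longer covers the second operand, which returns early because there is no local uid/gid to own a cache file rather than because the administrator opted out. Suggest `/* Stop now if a persistent cache isn't desired, or if there is no local account (no_user_check) to own one. */`. The continuation line `openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))` is indented with a tab; style(9) continuation lines use four spaces, and the later style(9) commit on this PR does not touch this spot. pam_sm_setcred continues outside the hunk, so whether anything from pam_sm_authenticate is left behind in this mode is not visible here.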
Index: head/lib/libpam/modules/pam_krb5/pam_krb5.8
===================================================================
--- head/lib/libpam/modules/pam_krb5/pam_krb5.8	(revision 207433)
+++ head/lib/libpam/modules/pam_krb5/pam_krb5.8	(working copy)
@@ -108,6 +108,10 @@
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
+.It Cm no_user_check
+Do not verify if a user exists on the local system. This option implies the
+.Cm no_ccache
+option.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
>Release-Note:
>Audit-Trail:

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146186: commit references a PR
Date: Mon,  3 May 2010 07:32:43 +0000 (UTC)

 Author: mm
 Date: Mon May  3 07:32:24 2010
 New Revision: 207553
 URL: http://svn.freebsd.org/changeset/base/207553
 
 Log:
   Implement the no_user_check option to pam_krb5.
   
   This option is available in the Linux implementation of pam_krb5
   and allows authorizing a user who is not known to the local system.
   
   Ccache is not used as we don't have a secure uid/gid for the cache file.
   
   Usable for authentication of external kerberos users (e.g Active Directory)
   via PAM from applications like Cyrus saslauthd, PHP or perl.
   
   PR:		bin/146186
   Submitted by:	myself
   Approved by:	deplhij (mentor)
   MFC after:	2 weeks
 
 Modified:
   head/lib/libpam/modules/pam_krb5/pam_krb5.8
   head/lib/libpam/modules/pam_krb5/pam_krb5.c
 
 Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.8
 ==============================================================================
 --- head/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May  3 07:08:16 2010	(r207552)
 +++ head/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May  3 07:32:24 2010	(r207553)
 @@ -108,6 +108,10 @@ and
  .Ql %p ,
  to designate the current process ID; can be used in
  .Ar name .
 +.It Cm no_user_check
 +Do not verify if a user exists on the local system. This option implies the
 +.Cm no_ccache
 +option because there is no secure local uid/gid for the cache file.
  .El
  .Ss Kerberos 5 Account Management Module
  The Kerberos 5 account management component
 
 Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
 ==============================================================================
 --- head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:08:16 2010	(r207552)
 +++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:32:24 2010	(r207553)
 @@ -89,6 +89,7 @@ static void	compat_free_data_contents(kr
  #define PAM_OPT_DEBUG		"debug"
  #define PAM_OPT_FORWARDABLE	"forwardable"
  #define PAM_OPT_NO_CCACHE	"no_ccache"
 +#define PAM_OPT_NO_USER_CHECK	"no_user_check"
  #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
  
  /*
 @@ -194,6 +195,10 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  
  	PAM_LOG("Got password");
  
 +	if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 +		PAM_LOG("Skipping local user check");
 +	else {
 +
  	/* Verify the local user exists (AFTER getting the password) */
  	if (strchr(user, '@')) {
  		/* get a local account name for this principal */
 @@ -221,6 +226,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  	}
  
  	PAM_LOG("Done getpwnam()");
 +	}
  
  	/* Get a TGT */
  	memset(&creds, 0, sizeof(krb5_creds));
 @@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  		return (PAM_SERVICE_ERR);
  
  	/* If a persistent cache isn't desired, stop now. */
 -	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
 +	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
 +		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
  		return (PAM_SUCCESS);
  
  	PAM_LOG("Establishing credentials");
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146186: commit references a PR
Date: Mon,  3 May 2010 07:40:00 +0000 (UTC)

 Author: mm
 Date: Mon May  3 07:39:51 2010
 New Revision: 207555
 URL: http://svn.freebsd.org/changeset/base/207555
 
 Log:
   Code indent according to style(9).
   
   PR:		bin/146186
   Submitted by:	myself
   Approved by:	delphij (mentor)
   MFC after:	2 weeks
 
 Modified:
   head/lib/libpam/modules/pam_krb5/pam_krb5.c
 
 Modified: head/lib/libpam/modules/pam_krb5/pam_krb5.c
 ==============================================================================
 --- head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:32:50 2010	(r207554)
 +++ head/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May  3 07:39:51 2010	(r207555)
 @@ -199,33 +199,33 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  		PAM_LOG("Skipping local user check");
  	else {
  
 -	/* Verify the local user exists (AFTER getting the password) */
 -	if (strchr(user, '@')) {
 -		/* get a local account name for this principal */
 -		krbret = krb5_aname_to_localname(pam_context, princ,
 -		    sizeof(luser), luser);
 -		if (krbret != 0) {
 -			PAM_VERBOSE_ERROR("Kerberos 5 error");
 -			PAM_LOG("Error krb5_aname_to_localname(): %s",
 -			    krb5_get_err_text(pam_context, krbret));
 -			retval = PAM_USER_UNKNOWN;
 -			goto cleanup2;
 -		}
 +		/* Verify the local user exists (AFTER getting the password) */
 +		if (strchr(user, '@')) {
 +			/* get a local account name for this principal */
 +			krbret = krb5_aname_to_localname(pam_context, princ,
 +			    sizeof(luser), luser);
 +			if (krbret != 0) {
 +				PAM_VERBOSE_ERROR("Kerberos 5 error");
 +				PAM_LOG("Error krb5_aname_to_localname(): %s",
 +				    krb5_get_err_text(pam_context, krbret));
 +				retval = PAM_USER_UNKNOWN;
 +				goto cleanup2;
 +			}
  
 -		retval = pam_set_item(pamh, PAM_USER, luser);
 -		if (retval != PAM_SUCCESS)
 -			goto cleanup2;
 +			retval = pam_set_item(pamh, PAM_USER, luser);
 +			if (retval != PAM_SUCCESS)
 +				goto cleanup2;
  
 -		PAM_LOG("PAM_USER Redone");
 -	}
 +			PAM_LOG("PAM_USER Redone");
 +		}
  
 -	pwd = getpwnam(user);
 -	if (pwd == NULL) {
 -		retval = PAM_USER_UNKNOWN;
 -		goto cleanup2;
 -	}
 +		pwd = getpwnam(user);
 +		if (pwd == NULL) {
 +			retval = PAM_USER_UNKNOWN;
 +			goto cleanup2;
 +		}
  
 -	PAM_LOG("Done getpwnam()");
 +		PAM_LOG("Done getpwnam()");
  	}
  
  	/* Get a TGT */
 
State-Changed-From-To: open->patched 
State-Changed-By: mm 
State-Changed-When: Mon May 3 11:11:21 UTC 2010 
State-Changed-Why:  
Scheduled for MFC. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146186 
Responsible-Changed-From-To: freebsd-bugs->mm 
Responsible-Changed-By: mm 
Responsible-Changed-When: Tue May 4 21:16:26 UTC 2010 
Responsible-Changed-Why:  
My PR now. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146186 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/146186: commit references a PR
Date: Mon, 17 May 2010 14:28:00 +0000 (UTC)

 Author: mm
 Date: Mon May 17 14:27:40 2010
 New Revision: 208193
 URL: http://svn.freebsd.org/changeset/base/208193
 
 Log:
   MFC r207553, r207555, r207651:
   
   Implement the no_user_check option to pam_krb5.
   
   This option is available in the Linux implementation of pam_krb5
   and allows authorizing a user who is not known to the local system.
   
   Ccache is not used as we don't have a secure uid/gid for the cache file.
   
   Usable for authentication of external kerberos users (e.g Active Directory)
   via PAM from applications like Cyrus saslauthd, PHP or perl.
   
   PR:		bin/146186
   Approved by:	deplhij (mentor)
 
 Modified:
   stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8
   stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c
 Directory Properties:
   stable/8/lib/libpam/   (props changed)
 
 Modified: stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8
 ==============================================================================
 --- stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May 17 14:20:26 2010	(r208192)
 +++ stable/8/lib/libpam/modules/pam_krb5/pam_krb5.8	Mon May 17 14:27:40 2010	(r208193)
 @@ -1,7 +1,7 @@
  .\"
  .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
  .\" $FreeBSD$
 -.Dd January 15, 1999
 +.Dd May 3, 2010
  .Dt PAM_KRB5 8
  .Os
  .Sh NAME
 @@ -108,6 +108,10 @@ and
  .Ql %p ,
  to designate the current process ID; can be used in
  .Ar name .
 +.It Cm no_user_check
 +Do not verify if a user exists on the local system. This option implies the
 +.Cm no_ccache
 +option because there is no secure local uid/gid for the cache file.
  .El
  .Ss Kerberos 5 Account Management Module
  The Kerberos 5 account management component
 
 Modified: stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c
 ==============================================================================
 --- stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May 17 14:20:26 2010	(r208192)
 +++ stable/8/lib/libpam/modules/pam_krb5/pam_krb5.c	Mon May 17 14:27:40 2010	(r208193)
 @@ -89,6 +89,7 @@ static void	compat_free_data_contents(kr
  #define PAM_OPT_DEBUG		"debug"
  #define PAM_OPT_FORWARDABLE	"forwardable"
  #define PAM_OPT_NO_CCACHE	"no_ccache"
 +#define PAM_OPT_NO_USER_CHECK	"no_user_check"
  #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
  
  /*
 @@ -194,34 +195,39 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  
  	PAM_LOG("Got password");
  
 -	/* Verify the local user exists (AFTER getting the password) */
 -	if (strchr(user, '@')) {
 -		/* get a local account name for this principal */
 -		krbret = krb5_aname_to_localname(pam_context, princ,
 -		    sizeof(luser), luser);
 -		if (krbret != 0) {
 -			PAM_VERBOSE_ERROR("Kerberos 5 error");
 -			PAM_LOG("Error krb5_aname_to_localname(): %s",
 -			    krb5_get_err_text(pam_context, krbret));
 -			retval = PAM_USER_UNKNOWN;
 -			goto cleanup2;
 +	if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
 +		PAM_LOG("Skipping local user check");
 +	else {
 +
 +		/* Verify the local user exists (AFTER getting the password) */
 +		if (strchr(user, '@')) {
 +			/* get a local account name for this principal */
 +			krbret = krb5_aname_to_localname(pam_context, princ,
 +			    sizeof(luser), luser);
 +			if (krbret != 0) {
 +				PAM_VERBOSE_ERROR("Kerberos 5 error");
 +				PAM_LOG("Error krb5_aname_to_localname(): %s",
 +				    krb5_get_err_text(pam_context, krbret));
 +				retval = PAM_USER_UNKNOWN;
 +				goto cleanup2;
 +			}
 +
 +			retval = pam_set_item(pamh, PAM_USER, luser);
 +			if (retval != PAM_SUCCESS)
 +				goto cleanup2;
 +
 +			PAM_LOG("PAM_USER Redone");
  		}
  
 -		retval = pam_set_item(pamh, PAM_USER, luser);
 -		if (retval != PAM_SUCCESS)
 +		pwd = getpwnam(user);
 +		if (pwd == NULL) {
 +			retval = PAM_USER_UNKNOWN;
  			goto cleanup2;
 +		}
  
 -		PAM_LOG("PAM_USER Redone");
 -	}
 -
 -	pwd = getpwnam(user);
 -	if (pwd == NULL) {
 -		retval = PAM_USER_UNKNOWN;
 -		goto cleanup2;
 +		PAM_LOG("Done getpwnam()");
  	}
  
 -	PAM_LOG("Done getpwnam()");
 -
  	/* Get a TGT */
  	memset(&creds, 0, sizeof(krb5_creds));
  	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
 @@ -366,7 +372,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
  		return (PAM_SERVICE_ERR);
  
  	/* If a persistent cache isn't desired, stop now. */
 -	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
 +	if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
 +		openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
  		return (PAM_SUCCESS);
  
  	PAM_LOG("Establishing credentials");
 
State-Changed-From-To: patched->closed 
State-Changed-By: mm 
State-Changed-When: Mon May 17 14:58:12 UTC 2010 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146186 
>Unformatted:
